Also, I think Apple mandates using a separate certificate for each kext -- so we're stuck getting more certificates no matter what.
Ideally, what I'd like to see is the ability for MacPorts to use a local signing certificate to sign kexts if one is available. We could then imagine getting signing certificates for specific packages on the buildbots. That would cover most users, I think.

(also worth keeping in mind: there are not that many ports installing kernel modules, so whatever process we wind up with doesn't have to be infinitely scalable.)

Dan

On Tue, Oct 28, 2014 at 10:11:32AM +1100, Joshua Root wrote:
> On 2014-10-28 02:40 , Landon J Fuller wrote:
> >
> > On Oct 27, 2014, at 8:55 AM, Landon J Fuller <[email protected]> wrote:
> >
> >>
> >> On Oct 27, 2014, at 7:50 AM, Daniel J. Luke <[email protected]> wrote:
> >>
> >>> +1 I think Landon's plan seems reasonable (try to get a signing cert -
> >>> even though we probably won't get one, use the nvram check to print
> >>> information that helps our users, possibly use developer-signed kexts).
> >>
> >> Does MacPorts already have a paid developer account? If not, I can donate
> >> the $99 so portmgr can sign up for one.
> >
> > Answering my own question :-)
> >
> > landonf@zul:~> pkgutil --check-signature ~/Downloads/MacPorts-2.3.2-10.10-Yosemite.pkg
> > Package "MacPorts-2.3.2-10.10-Yosemite.pkg":
> >    Status: signed by a certificate trusted by Mac OS X
> >    Certificate Chain:
> >     1. Developer ID Installer: Joshua Root
> >        SHA1 fingerprint: B3 8D 89 15 75 0A 97 0B F9 98 4D D8 7E 52 74 B8 6C 67 A3 1D
> >        -----------------------------------------------------------------------------
> >     2. Developer ID Certification Authority
> >        SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
> >        -----------------------------------------------------------------------------
> >     3. Apple Root CA
> >        SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
>
> I don't particularly want to use my personal cert to sign things I
> didn't personally build, though.
>
> - Josh
> _______________________________________________
> macports-dev mailing list
> [email protected]
> https://lists.macosforge.org/mailman/listinfo/macports-dev

--
Dan R. K. Ports              UW CSE              http://drkp.net/
