On Oct 27, 2014, at 6:33 PM, Brandon Allbery <[email protected]> wrote:
> On Mon, Oct 27, 2014 at 8:26 PM, Landon J Fuller <[email protected]> wrote:
> > On Oct 27, 2014, at 5:36 PM, Dan Ports <[email protected]> wrote:
> > > Also, I think Apple mandates using a separate certificate for each
> > > kext -- so we're stuck getting more certificates no matter what.
> >
> > AFAIK it's still just a general "kexts allowed" extension set on the
> > Apple-signed developer ID certificate.
>
> Mechanism and policy are two different things. I would not be surprised if
> the agreement specified use of a separate cert for each kext or group of
> closely related kexts, so they can revoke one without affecting others. A
> mechanism can't enforce this, and while you can ignore it because the
> mechanism doesn't enforce it, you risk Apple deciding that because they don't
> like one kext you signed they can disable all kexts you signed.

Apple can blacklist signed code with more granularity than by certificate.

Regardless, we don't need to pre-emptively manufacture requirements on Apple's behalf; the contractual agreements specify Apple's requirements plainly enough.

-landonf
_______________________________________________
macports-dev mailing list
[email protected]
https://lists.macosforge.org/mailman/listinfo/macports-dev
