On 2016-09-16 10:18, Jeremy Huddleston Sequoia wrote:
> Yeah, this contradicts what I'm seeing as expected. Given that
> you've signed /opt/local/bin/ggdb with an entitlement, it should be
> CS_RESTRICT which should imply CS_HARD. The lack of a code signature
> would trigger !CS_VALID which would prevent the process from loading
> the unsigned libraries.

There is actually no entitlement data in the code-signature itself.
The access is granted by embedding an Info.plist into the binary:

$ otool -P /opt/local/bin/ggdb
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"

Probably that is why these rules are not enforced?