On 2016-09-16 10:18, Jeremy Huddleston Sequoia wrote:
> Yeah, this contradicts what I'm seeing as expected.  Given that
> you've signed /opt/local/bin/ggdb with an entitlement, it should be
> CS_RESTRICT which should imply CS_HARD.  The lack of a code signature
> would trigger !CS_VALID which would prevent the process from loading
> the unsigned libraries.

There is actually no entitlement data in the code-signature itself.
The access is granted by embedding an Info.plist into the binary:

$ otool -P /opt/local/bin/ggdb
(__TEXT,__info_plist) section
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
<plist version="1.0">

Probably that is why these rules are not enforced?

macports-dev mailing list
