Rainer Müller wrote: > No, it cannot be done in the destroot, as that are the files that will > be put into an archive for redistribution. Whatever signing identity you > are using might not be valid everywhere.
To come back to this: I think the argument here is that the signing identity is likely not to exists anywhere but on the builder's machine, at least not when it's backed by an official, paid Apple certificate. I have presented an approach where the signing user and identity are obtained from a config file. That would allow signing in the destroot (the default identity could be used on the build bots) but there's the reproducible build principle which some would say would be violated. To come back to the original topic: I have another example where I'm bitten by the (de)activate "hooks" not triggering as you'd expect. In my ZFS port I load launchd plists in the post-activate, and unload them in the pre-deactivate: https://github.com/RJVB/macstrop/blob/9145d46e43042a95a645b8aad1f63bec678af253/sysutils/zfs/Portfile#L278 This only works after an install or upgrade. The pre-deactivate may work because after I activated a different version I was left without the daemons that should be running (but that can also be because launchd detected that the binaries had been changed). I'll try to do some more research, but I noticed that port:xinit does the same thing.
