Hi,

On Sat, 13 Apr 2019 at 08:47, Joshua Root wrote:
> On 2019-4-13 07:57 , Jack Howarth wrote:
> > What will be the situation with 10.14.5 and its enforcement of
> > notarization for Applications and kernel extensions for MacPorts? In
> > particular, will the new notarization requirement limit users to the
> > MacPorts build machine copies of such packages which have applications
> > rather than being able to build those packages locally?
> > Jack
>
> The MacPorts installer pkg will need to be submitted, but I don't think
> much else will change. Using MacPorts-built kernel extensions is already
> impossible because of signing requirements (we don't have a kext signing
> certificate and I don't think we qualify for one.)
>
> For general apps, Gatekeeper doesn't prevent running locally built ones
> due to them being unsigned, and I gather that notarization is only
> required in the same circumstances as signing.

The developer of MacTeX (which is basically a collection of a large number of command-line tools + a really small set of GUI apps) started researching this in more detail. In the past it would have been sufficient to only sign the whole package (dmg) once. Now he needs to take care of every single binary inside the package. From what I understood it can be automated, some of the binaries require additional privileges (I assume that luajittex requires some kind of "JIT" privileges etc). There were some issues with ghostscript which needs to be additionally hardened etc.

I assume that if I use rsync to get the binaries as opposed to fetching them via web browser, they might work OK.

I don't have a paid developer account, so I probably cannot test anything. But I assume there might be a way to individually notarize individual binaries inside MacPorts packages.

While this might not be needed at this very moment, it might be that by putting a certificate on the buildslave, we could:
- sign the debugger (which currently needs additional steps to work at all)
- get an additional automated safety check for any malware that might have crept into the source code unnoticed (with tens of thousands of packages that's not impossible), which cannot hurt

I don't know if a certificate can be issued to a project instead of a private person and to what extent one can secure it on the servers.

These are just some random ideas, it would be nice to get a more realistic response from someone who's more knowledgeable in this area.

Mojca
