> On Sep 22, 2020, at 18:54, Jeffrey Walton <[email protected]> wrote:
>
> If you modify the binary or assets in the bundle, you should have to
> resign the bundle. I don't think there's anything inherently insecure
> about (re)signing a bundle after modification. Or nothing comes to
> mind (for me).

I see two basic cases: what the person compiling chooses to trust for their own
use, and what is suitable for binary distribution. Ad-hoc is fine for the
former.

But in either case, I think it's more trustworthy if the same entity signs a
modification as signed the original compile; otherwise, they don't actually
know what was compiled (not that they reviewed all the code anyway, but if they
did both, they at least had the opportunity to know what's in there). So if
not, one could compile in good faith, another could modify in good faith, but
something slipped through...who?

How will additional signing requirements impact MacPorts binary distribution
(which is a huge timesaver for installs and updates, if one doesn't have to
build most packages oneself)?