Getting rid of "accept incoming network connections" prompts on OS X

If you do any Postgres development on OS X, you've probably gotten
seriously annoyed by the way that, every single time you reinstall the
postmaster executable, you get a dialog box asking whether you'd like
to allow it to accept incoming network connections.  (At least, you
do unless you disable the OS firewall, which is not a great idea.)
It's particularly awful to run "make check-world" in this environment,
because you get a pop-up for each test install.

My Salesforce colleagues researched how to fix this, and found out
that it can be suppressed if you sign the postgres executable, which
you can easily do with a self-signed certificate.  Once you've allowed
or denied network connections for a signed executable, you don't get
prompted again when the executable is replaced, so long as it's at
the same file path and signed with the same certificate.  So you only
have to dismiss the dialogs once more during a check-world run, and
you're done seeing them.  (Tested on Mavericks and Yosemite, have not
tried anything older.)

Accordingly, we'd like to propose something like the attached patch
to add an optional signing step to the build process.  It lacks any
documentation ATM, but if there are not objections to the basic idea
I'll write some.

            regards, tom lane

diff --git a/configure.in b/configure.in
index 527b0762053e38af39c72ad137f52195f81a722b..bf31ecbecd1fbee614152c7fc4ffd709618765da 100644
*** a/configure.in
--- b/configure.in
*************** AC_CHECK_PROGS(OSX, [osx sgml2xml sx])
*** 1877,1882 ****
--- 1877,1912 ----
  #
  AC_CHECK_PROGS(PROVE, prove)

+ #
+ # Do code-signing? (currently only for OS X)
+ #
+ PGAC_ARG_REQ(with, codesigning, [STRING],
+             [use certificate STRING to code-sign binaries])
+ AC_SUBST(with_codesigning)
+
+ if test ! -z "$with_codesigning"; then
+   if test "$PORTNAME" = "darwin"; then
+
+     AC_CHECK_PROGS(SECURITY, security)
+     AC_CHECK_PROGS(CODESIGN, codesign)
+
+     AC_MSG_CHECKING([valid identity for codesigning])
+     cs_valid_identities=`$SECURITY find-identity -p codesigning | sed -n -E -e '/Valid identities only/,$ p' | sed '1
d'| grep "\"$with_codesigning\"" | wc -l` 
+     if test $cs_valid_identities -lt 1; then
+       AC_MSG_ERROR([No valid identity '$with_codesigning' found.])
+     elif test $cs_valid_identities -gt 1; then
+       AC_MSG_ERROR([Ambiguous identity '$with_codesigning'.])
+     else
+       AC_MSG_RESULT([$with_codesigning])
+     fi;
+
+   else
+
+     AC_MSG_ERROR([--with-codesigning is not supported for $PORTNAME port])
+
+   fi;
+ fi;
+
  # Thread testing

  # We have to run the thread test near the end so we have all our symbols
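Review bot: AC_CHECK_PROGS does not fail when `security` or `codesign` is absent, so with `SECURITY` empty the probe on the `cs_valid_identities=` line runs a bare `find-identity`, counts zero lines and reports "No valid identity" for the wrong reason, while an empty `CODESIGN` is only discovered when the src/backend/Makefile recipe hands `--sign` to the shell as the command. Add `if test -z "$SECURITY" || test -z "$CODESIGN"; then AC_MSG_ERROR([security and codesign programs are required for --with-codesigning]); fi` before the AC_MSG_CHECKING. The identity name is also interpolated into a grep regular expression unescaped, so a name containing `.`, `[` or `(` can over- or under-match; `grep -F -- "\"$with_codesigning\""` compares it literally. If the break inside the `sed '1` … `d'` script is mail wrapping rather than intended, `sed '1d'` is the single-line form, and the `;` after each `fi` is redundant.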
diff --git a/configure b/configure
index f0580ceb5e5dcb3fdae2789f29eaf3bc757d08ae..f222fd30a7c68457f7d614597f81e9d9425e3a3e 100755
*** a/configure
--- b/configure
*************** ac_includes_default="\
*** 627,632 ****
--- 627,635 ----

  ac_subst_vars='LTLIBOBJS
  vpath_build
+ CODESIGN
+ SECURITY
+ with_codesigning
  PROVE
  OSX
  XSLTPROC
*************** with_gnu_ld
*** 838,843 ****
--- 841,847 ----
  enable_largefile
  enable_float4_byval
  enable_float8_byval
+ with_codesigning
  '
        ac_precious_vars='build_alias
  host_alias
*************** Optional Packages:
*** 1524,1529 ****
--- 1528,1535 ----
                            use system time zone data in DIR
    --without-zlib          do not use Zlib
    --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
+   --with-codesigning=STRING
+                           use certificate STRING to code-sign binaries

  Some influential environment variables:
    CC          C compiler command
*************** fi
*** 14785,14790 ****
--- 14791,14929 ----
  done


+ #
+ # Do code-signing? (currently only for OS X)
+ #
+
+
+
+ # Check whether --with-codesigning was given.
+ if test "${with_codesigning+set}" = set; then :
+   withval=$with_codesigning;
+   case $withval in
+     yes)
+       as_fn_error $? "argument required for --with-codesigning option" "$LINENO" 5
+       ;;
+     no)
+       as_fn_error $? "argument required for --with-codesigning option" "$LINENO" 5
+       ;;
+     *)
+
+       ;;
+   esac
+
+ fi
+
+
+
+
+ if test ! -z "$with_codesigning"; then
+   if test "$PORTNAME" = "darwin"; then
+
+     for ac_prog in security
+ do
+   # Extract the first word of "$ac_prog", so it can be a program name with args.
+ set dummy $ac_prog; ac_word=$2
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+ $as_echo_n "checking for $ac_word... " >&6; }
+ if ${ac_cv_prog_SECURITY+:} false; then :
+   $as_echo_n "(cached) " >&6
+ else
+   if test -n "$SECURITY"; then
+   ac_cv_prog_SECURITY="$SECURITY" # Let the user override the test.
+ else
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+ for as_dir in $PATH
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+     for ac_exec_ext in '' $ac_executable_extensions; do
+   if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+     ac_cv_prog_SECURITY="$ac_prog"
+     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+     break 2
+   fi
+ done
+   done
+ IFS=$as_save_IFS
+
+ fi
+ fi
+ SECURITY=$ac_cv_prog_SECURITY
+ if test -n "$SECURITY"; then
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: $SECURITY" >&5
+ $as_echo "$SECURITY" >&6; }
+ else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ $as_echo "no" >&6; }
+ fi
+
+
+   test -n "$SECURITY" && break
+ done
+
+     for ac_prog in codesign
+ do
+   # Extract the first word of "$ac_prog", so it can be a program name with args.
+ set dummy $ac_prog; ac_word=$2
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+ $as_echo_n "checking for $ac_word... " >&6; }
+ if ${ac_cv_prog_CODESIGN+:} false; then :
+   $as_echo_n "(cached) " >&6
+ else
+   if test -n "$CODESIGN"; then
+   ac_cv_prog_CODESIGN="$CODESIGN" # Let the user override the test.
+ else
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+ for as_dir in $PATH
+ do
+   IFS=$as_save_IFS
+   test -z "$as_dir" && as_dir=.
+     for ac_exec_ext in '' $ac_executable_extensions; do
+   if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+     ac_cv_prog_CODESIGN="$ac_prog"
+     $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+     break 2
+   fi
+ done
+   done
+ IFS=$as_save_IFS
+
+ fi
+ fi
+ CODESIGN=$ac_cv_prog_CODESIGN
+ if test -n "$CODESIGN"; then
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CODESIGN" >&5
+ $as_echo "$CODESIGN" >&6; }
+ else
+   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ $as_echo "no" >&6; }
+ fi
+
+
+   test -n "$CODESIGN" && break
+ done
+
+
+     { $as_echo "$as_me:${as_lineno-$LINENO}: checking valid identity for codesigning" >&5
+ $as_echo_n "checking valid identity for codesigning... " >&6; }
+     cs_valid_identities=`$SECURITY find-identity -p codesigning | sed -n -E -e '/Valid identities only/,$ p' | sed '1
d'| grep "\"$with_codesigning\"" | wc -l` 
+     if test $cs_valid_identities -lt 1; then
+       as_fn_error $? "No valid identity '$with_codesigning' found." "$LINENO" 5
+     elif test $cs_valid_identities -gt 1; then
+       as_fn_error $? "Ambiguous identity '$with_codesigning'." "$LINENO" 5
+     else
+       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_codesigning" >&5
+ $as_echo "$with_codesigning" >&6; }
+     fi;
+
+   else
+
+     as_fn_error $? "--with-codesigning is not supported for $PORTNAME port" "$LINENO" 5
+
+   fi;
+ fi;
+
  # Thread testing

  # We have to run the thread test near the end so we have all our symbols
diff --git a/src/Makefile.global.in b/src/Makefile.global.in
index e76b22fb2d2ec652acb85035827948bc365ffac0..e80cb27060a81b27aa96b2e7a96ec8c1123eed76 100644
*** a/src/Makefile.global.in
--- b/src/Makefile.global.in
*************** pgxsdir = $(pkglibdir)/pgxs
*** 159,164 ****
--- 159,165 ----
  #
  # Records the choice of the various --enable-xxx and --with-xxx options.

+ with_codesigning = @with_codesigning@
  with_perl    = @with_perl@
  with_python    = @with_python@
  with_tcl    = @with_tcl@
*************** perl_embed_ldflags    = @perl_embed_ldflags
*** 283,288 ****
--- 284,290 ----
  # Miscellaneous

  AWK    = @AWK@
+ CODESIGN = @CODESIGN@
  LN_S    = @LN_S@
  MSGFMT  = @MSGFMT@
  MSGFMT_FLAGS = @MSGFMT_FLAGS@
diff --git a/src/backend/Makefile b/src/backend/Makefile
index 870a02292fcc9ce4f4f99cade49836d8f8876a51..114f2e58e3a642a693e85b64a265501117a157a4 100644
*** a/src/backend/Makefile
--- b/src/backend/Makefile
*************** ifneq ($(PORTNAME), aix)
*** 55,60 ****
--- 55,63 ----

  postgres: $(OBJS)
      $(CC) $(CFLAGS) $(LDFLAGS) $(LDFLAGS_EX) $(export_dynamic) $(call expand_subsys,$^) $(LIBS) -o $@
+ ifneq (,$(with_codesigning))
+     $(CODESIGN) --sign "$(with_codesigning)" $@ --force --verbose
+ endif

  endif
  endif
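Review bot: The signature written by the new `$(CODESIGN) --sign` recipe line is stored inside the linked binary, so any step that rewrites the file afterwards — presumably `make install-strip`, which strips the installed copy — would invalidate it and bring the prompt back; if that workflow matters, the install rule needs to re-sign, and a comment such as `# sign the freshly linked binary; stripping it afterwards invalidates the signature` on the `ifneq` would record the constraint. `--force` replaces any existing signature without complaint, which is intended for a just-linked `$@` but deserves a word in the same comment. If the four spaces before the recipe lines are the page's rendering of a tab, fine; if not, the lines are not recipe text at all. The enclosing `ifneq ($(PORTNAME), aix)` block starts outside the hunk.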
