Getting rid of "accept incoming network connections" prompts on OS X
From | Tom Lane |
---|---|
Subject | Getting rid of "accept incoming network connections" prompts on OS X |
Date | |
Msg-id | 6804.1413911806@sss.pgh.pa.us |
Responses | Re: Getting rid of "accept incoming network connections" prompts on OS X (Robert Haas <robertmhaas@gmail.com>); Re: Getting rid of "accept incoming network connections" prompts on OS X (Peter Eisentraut <peter_e@gmx.net>); Re: Getting rid of "accept incoming network connections" prompts on OS X (edward745 <cedward345@gmail.com>) |
List | pgsql-hackers |
If you do any Postgres development on OS X, you've probably gotten seriously annoyed by the way that, every single time you reinstall the postmaster executable, you get a dialog box asking whether you'd like to allow it to accept incoming network connections. (At least, you do unless you disable the OS firewall, which is not a great idea.) It's particularly awful to run "make check-world" in this environment, because you get a pop-up for each test install.

My Salesforce colleagues researched how to fix this, and found out that it can be suppressed if you sign the postgres executable, which you can easily do with a self-signed certificate. Once you've allowed or denied network connections for a signed executable, you don't get prompted again when the executable is replaced, so long as it's at the same file path and signed with the same certificate. So you only have to dismiss the dialogs once more during a check-world run, and you're done seeing them. (Tested on Mavericks and Yosemite, have not tried anything older.)

Accordingly, we'd like to propose something like the attached patch to add an optional signing step to the build process. It lacks any documentation ATM, but if there are not objections to the basic idea I'll write some.

regards, tom lane

diff --git a/configure.in b/configure.in index 527b0762053e38af39c72ad137f52195f81a722b..bf31ecbecd1fbee614152c7fc4ffd709618765da 100644 *** a/configure.in --- b/configure.in *************** AC_CHECK_PROGS(OSX, [osx sgml2xml sx]) *** 1877,1882 **** --- 1877,1912 ---- # AC_CHECK_PROGS(PROVE, prove) + # + # Do code-signing? (currently only for OS X) + # + PGAC_ARG_REQ(with, codesigning, [STRING], + [use certificate STRING to code-sign binaries]) + AC_SUBST(with_codesigning) + + if test ! -z "$with_codesigning"; then + if test "$PORTNAME" = "darwin"; then + + AC_CHECK_PROGS(SECURITY, security) + AC_CHECK_PROGS(CODESIGN, codesign) + + AC_MSG_CHECKING([valid identity for codesigning]) + cs_valid_identities=`$SECURITY find-identity -p codesigning | sed -n -E -e '/Valid identities only/,$ p' | sed '1 d'| grep "\"$with_codesigning\"" | wc -l` + if test $cs_valid_identities -lt 1; then + AC_MSG_ERROR([No valid identity '$with_codesigning' found.]) + elif test $cs_valid_identities -gt 1; then + AC_MSG_ERROR([Ambiguous identity '$with_codesigning'.]) + else + AC_MSG_RESULT([$with_codesigning]) + fi; + + else + + AC_MSG_ERROR([--with-codesigning is not supported for $PORTNAME port]) + + fi; + fi; + # Thread testing # We have to run the thread test near the end so we have all our symbols 
diff --git a/configure b/configure index f0580ceb5e5dcb3fdae2789f29eaf3bc757d08ae..f222fd30a7c68457f7d614597f81e9d9425e3a3e 100755 *** a/configure --- b/configure *************** ac_includes_default="\ *** 627,632 **** --- 627,635 ---- ac_subst_vars='LTLIBOBJS vpath_build + CODESIGN + SECURITY + with_codesigning PROVE OSX XSLTPROC *************** with_gnu_ld *** 838,843 **** --- 841,847 ---- enable_largefile enable_float4_byval enable_float8_byval + with_codesigning ' ac_precious_vars='build_alias host_alias *************** Optional Packages: *** 1524,1529 **** --- 1528,1535 ---- use system time zone data in DIR --without-zlib do not use Zlib --with-gnu-ld assume the C compiler uses GNU ld [default=no] + --with-codesigning=STRING + use certificate STRING to code-sign binaries Some influential environment variables: CC C compiler command *************** fi *** 14785,14790 **** --- 14791,14929 ---- done + # + # Do code-signing? (currently only for OS X) + # + + + + # Check whether --with-codesigning was given. + if test "${with_codesigning+set}" = set; then : + withval=$with_codesigning; + case $withval in + yes) + as_fn_error $? "argument required for --with-codesigning option" "$LINENO" 5 + ;; + no) + as_fn_error $? "argument required for --with-codesigning option" "$LINENO" 5 + ;; + *) + + ;; + esac + + fi + + + + + if test ! -z "$with_codesigning"; then + if test "$PORTNAME" = "darwin"; then + + for ac_prog in security + do + # Extract the first word of "$ac_prog", so it can be a program name with args. + set dummy $ac_prog; ac_word=$2 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 + $as_echo_n "checking for $ac_word... " >&6; } + if ${ac_cv_prog_SECURITY+:} false; then : + $as_echo_n "(cached) " >&6 + else + if test -n "$SECURITY"; then + ac_cv_prog_SECURITY="$SECURITY" # Let the user override the test. + else + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR + for as_dir in $PATH + do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_SECURITY="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi + done + done + IFS=$as_save_IFS + + fi + fi + SECURITY=$ac_cv_prog_SECURITY + if test -n "$SECURITY"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $SECURITY" >&5 + $as_echo "$SECURITY" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + $as_echo "no" >&6; } + fi + + + test -n "$SECURITY" && break + done + + for ac_prog in codesign + do + # Extract the first word of "$ac_prog", so it can be a program name with args. + set dummy $ac_prog; ac_word=$2 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 + $as_echo_n "checking for $ac_word... " >&6; } + if ${ac_cv_prog_CODESIGN+:} false; then : + $as_echo_n "(cached) " >&6 + else + if test -n "$CODESIGN"; then + ac_cv_prog_CODESIGN="$CODESIGN" # Let the user override the test. + else + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR + for as_dir in $PATH + do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CODESIGN="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi + done + done + IFS=$as_save_IFS + + fi + fi + CODESIGN=$ac_cv_prog_CODESIGN + if test -n "$CODESIGN"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CODESIGN" >&5 + $as_echo "$CODESIGN" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + $as_echo "no" >&6; } + fi + + + test -n "$CODESIGN" && break + done + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking valid identity for codesigning" >&5 + $as_echo_n "checking valid identity for codesigning... 
" >&6; } + cs_valid_identities=`$SECURITY find-identity -p codesigning | sed -n -E -e '/Valid identities only/,$ p' | sed '1 d'| grep "\"$with_codesigning\"" | wc -l` + if test $cs_valid_identities -lt 1; then + as_fn_error $? "No valid identity '$with_codesigning' found." "$LINENO" 5 + elif test $cs_valid_identities -gt 1; then + as_fn_error $? "Ambiguous identity '$with_codesigning'." "$LINENO" 5 + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_codesigning" >&5 + $as_echo "$with_codesigning" >&6; } + fi; + + else + + as_fn_error $? "--with-codesigning is not supported for $PORTNAME port" "$LINENO" 5 + + fi; + fi; + # Thread testing # We have to run the thread test near the end so we have all our symbols diff --git a/src/Makefile.global.in b/src/Makefile.global.in index e76b22fb2d2ec652acb85035827948bc365ffac0..e80cb27060a81b27aa96b2e7a96ec8c1123eed76 100644 *** a/src/Makefile.global.in --- b/src/Makefile.global.in *************** pgxsdir = $(pkglibdir)/pgxs *** 159,164 **** --- 159,165 ---- # # Records the choice of the various --enable-xxx and --with-xxx options. + with_codesigning = @with_codesigning@ with_perl = @with_perl@ with_python = @with_python@ with_tcl = @with_tcl@ *************** perl_embed_ldflags = @perl_embed_ldflags *** 283,288 **** --- 284,290 ---- # Miscellaneous AWK = @AWK@ + CODESIGN = @CODESIGN@ LN_S = @LN_S@ MSGFMT = @MSGFMT@ MSGFMT_FLAGS = @MSGFMT_FLAGS@ diff --git a/src/backend/Makefile b/src/backend/Makefile index 870a02292fcc9ce4f4f99cade49836d8f8876a51..114f2e58e3a642a693e85b64a265501117a157a4 100644 *** a/src/backend/Makefile --- b/src/backend/Makefile *************** ifneq ($(PORTNAME), aix) *** 55,60 **** --- 55,63 ---- postgres: $(OBJS) $(CC) $(CFLAGS) $(LDFLAGS) $(LDFLAGS_EX) $(export_dynamic) $(call expand_subsys,$^) $(LIBS) -o $@ + ifneq (,$(with_codesigning)) + $(CODESIGN) --sign "$(with_codesigning)" $@ --force --verbose + endif endif endif
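
Review bot: in the configure.in hunk, the identity check matches with grep "\"$with_codesigning\"", which treats the certificate name as a regular expression, so a name containing "." or other metacharacters can match a different identity or several, and the -lt 1 / -gt 1 tests then report on the wrong count. A fixed-string match (grep -F) would make the count reflect the exact quoted name. The same hunk never checks that AC_CHECK_PROGS found security and codesign: with $SECURITY empty the pipeline fails and configure reports "No valid identity ... found", which points the user at the certificate rather than at the missing tool, so an explicit AC_MSG_ERROR when either variable is empty would be clearer.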
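
Review bot: in the configure hunk, the "no)" arm of the --with-codesigning case calls as_fn_error with "argument required for --with-codesigning option", so an explicit --without-codesigning aborts configure instead of simply leaving signing off. Since the step is optional and disabled by default, build scripts that pass --without-codesigning to be explicit would break; consider accepting "no" as "do not sign" in configure.in and regenerating this file.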
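
Review bot: in the src/backend/Makefile hunk, the codesign step is attached only to the postgres link rule, while the help text added in configure says "use certificate STRING to code-sign binaries"; either the help string should say that only the postgres executable is signed, or the other executables that listen on the network during tests need the same step. In the same recipe line, --force --verbose follow the $@ operand; placing the options before the file name is the conventional order and does not rely on the tool accepting trailing options. The identity is also interpolated inside double quotes in "$(with_codesigning)", so a certificate name containing a double quote or "$" would be re-parsed by the shell; rejecting such names at configure time would avoid that.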