Mac Toolchain is Unsigned?


(Fastmail) #1

Merry Christmas all,

While I wait for the rest of the family to arrive and the kids are slowly going insane staring at presents, I’m doing some Swift dev. However, I note that the latest Mac snapshot is unsigned – has it always been this way? The installer displays the lock, but I have to option-click on the package to actually get it running.

I’ve installed it anyway. I’m not carrying any state secrets, I hope?

Family’s here, gotta go!

Tom


(Dmitri Gribenko) #2

Merry Christmas all,

While I wait for the rest of the family to arrive and the kids are slowly going insane staring at presents, I’m doing some Swift dev. However, I note that the latest Mac snapshot is unsigned – has it always been this way? The installer displays the lock, but I have to option-click on the package to actually get it running.

Hi Tom,

I just checked, it is signed. Here’s the SHA-1 hash on my end:

68e2ba878d2c9803bbfda760b24b399e8ada4f79
swift-2.2-SNAPSHOT-2015-12-22-a-osx.pkg

But, it is not downloaded from the App store. Check your "System
preferences" > "Security and privacy" > "General" page. If you have
it set to "Mac App store only" then it would explain what you are
seeing.

I’ve installed it anyway. I’m not carrying any state secrets, I hope?

Well, code signing is meant to allow you to ensure that the toolchain
that you are installing was indeed built by the Swift Open Source
project (and not, say, some attacker who is planting a
man-in-the-middle attack while you are downloading it).

To double-check, you can use the SHA-1 hash I pasted above.

Dmitri

···

On Fri, Dec 25, 2015 at 4:38 AM, swizzlr via swift-users <swift-users@swift.org> wrote:

--
main(i,j){for(i=2;;i++){for(j=2;j<i;j++){if(!(i%j)){j=0;break;}}if
(j){printf("%d\n",i);}}} /*Dmitri Gribenko <gribozavr@gmail.com>*/