[OS X Emacs] many thanks and two website security questions

John Wroclawski jtw at csail.mit.edu
Wed Dec 11 12:38:05 EST 2019

It’s also worth keeping in mind that the executable is signed by an apple developer certificate as part of the creation process, and the signature verified each time the program is first run on a new machine. David knows this because in 3.5 it’s his certificate that signed it :).

I was wondering whether the signature covered all of the distributed lisp files as well - emacs could be a slightly interesting case for Apple codesigning, and there’s room for either answer - but on very quick look it seems that it does. Whoever built the distributed version could probably comment further..

So I’d never particularly want to argue against a secured distribution channel, but it’s not clear that it’s terribly critical here either - there’s a good mechanism in place to verify the distributed program in any case.

cheers, -john

> On Dec 11, 2019, at 2:50 AM, David Reitter <david.reitter at gmail.com> wrote:
> Can you check how the .dmg does actually get downloaded?   I believe it’s https.  From Github. 
> David
> On Dec 11, 2019, 03:14 -0500, Sandy C <windoverwater at gmail.com>, wrote:
>> Hi,
>> Thanks for all the work - aquamacs is a great MacOS app.
>> Regarding the http://aquamacs.org website, would it be possible to supply some type of verification on the download file?

More information about the MacOSX-Emacs mailing list