Tom Lane
2014-10-21 17:16:46 UTC
If you do any Postgres development on OS X, you've probably gotten
seriously annoyed by the way that, every single time you reinstall the
postmaster executable, you get a dialog box asking whether you'd like
to allow it to accept incoming network connections. (At least, you
do unless you disable the OS firewall, which is not a great idea.)
It's particularly awful to run "make check-world" in this environment,
because you get a pop-up for each test install.
My Salesforce colleagues researched how to fix this, and found out
that it can be suppressed if you sign the postgres executable, which
you can easily do with a self-signed certificate. Once you've allowed
or denied network connections for a signed executable, you don't get
prompted again when the executable is replaced, so long as it's at
the same file path and signed with the same certificate. So you only
have to dismiss the dialogs once more during a check-world run, and
you're done seeing them. (Tested on Mavericks and Yosemite, have not
tried anything older.)
Accordingly, we'd like to propose something like the attached patch
to add an optional signing step to the build process. It lacks any
documentation ATM, but if there are not objections to the basic idea
I'll write some.
regards, tom lane
seriously annoyed by the way that, every single time you reinstall the
postmaster executable, you get a dialog box asking whether you'd like
to allow it to accept incoming network connections. (At least, you
do unless you disable the OS firewall, which is not a great idea.)
It's particularly awful to run "make check-world" in this environment,
because you get a pop-up for each test install.
My Salesforce colleagues researched how to fix this, and found out
that it can be suppressed if you sign the postgres executable, which
you can easily do with a self-signed certificate. Once you've allowed
or denied network connections for a signed executable, you don't get
prompted again when the executable is replaced, so long as it's at
the same file path and signed with the same certificate. So you only
have to dismiss the dialogs once more during a check-world run, and
you're done seeing them. (Tested on Mavericks and Yosemite, have not
tried anything older.)
Accordingly, we'd like to propose something like the attached patch
to add an optional signing step to the build process. It lacks any
documentation ATM, but if there are not objections to the basic idea
I'll write some.
regards, tom lane