[BUG]: Apple Certificate Fails to Install #19383

Closed
SharpMobileCode opened this issue Dec 14, 2023 · 7 comments
Labels
Area: ABTT Akvelon Build Tasks Team area of work bug

Comments

@SharpMobileCode

New issue checklist

Task name

InstallAppleCertificate@2

Task version

2

Issue Description

This is related to #18560, but since the workaround is no longer working, I'm opening another issue.

When attempting to install the Apple Certificate with:

- task: InstallAppleCertificate@2
  displayName: 'Install Apple Distribution Certificate'
  name: iOSDistributionCertificate
  inputs:
    certSecureFile: '$(CertName)'
    certPwd: '$(iOSPrivateKeyPassword)'
    keychain: 'temp'
    opensslPkcsArgs: '-legacy'

I receive the following error:

/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/<certNameRedacted>.p12 -nokeys -passin pass:*** -legacy | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
pkcs12: Unrecognized flag legacy
pkcs12: Use -help for summary.
unable to load certificate
140704383952640:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
##[warning]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
##[error]Error: /usr/local/bin/openssl failed with return code: 1
Finishing: Install Apple Distribution Certificate

The previous workaround of adding the opensslPkcsArgs: '-legacy' seemed to fix the issue in the past, with older versions of openssl. However, it seems that the macos-13 image now has a newer version of openssl in which the -legacy parameter has been removed. You can see the "Unrecognized flag legacy" message in the above log.

So how can I get my iOS Apple Certificate installed? I'm open to suggestions.

Environment type (Please select at least one environment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operating system

MacOS 13

Relevant log output

/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/<certNameRedacted>.p12 -nokeys -passin pass:*** -legacy | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
pkcs12: Unrecognized flag legacy
pkcs12: Use -help for summary.
unable to load certificate
140704383952640:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
##[warning]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
##[error]Error: /usr/local/bin/openssl failed with return code: 1
Finishing: Install Apple Distribution Certificate

Full task logs with system.debug enabled

 ##[debug]loading SECRET_IOSPRIVATEKEYPASSWORD
##[debug]loaded 12
##[debug]Agent.ProxyUrl=undefined
##[debug]Agent.CAInfo=undefined
##[debug]Agent.ClientCert=undefined
##[debug]Agent.SkipCertValidation=undefined
##[debug]check path : /Users/runner/work/_tasks/InstallAppleCertificate_d2eff759-736d-4b7b-8554-7ba0960d49d6/2.231.1/node_modules/azure-pipelines-tasks-ios-signing-common/module.json
##[debug]adding resource file: /Users/runner/work/_tasks/InstallAppleCertificate_d2eff759-736d-4b7b-8554-7ba0960d49d6/2.231.1/node_modules/azure-pipelines-tasks-ios-signing-common/module.json
##[debug]system.culture=en-US
##[debug]check path : /Users/runner/work/_tasks/InstallAppleCertificate_d2eff759-736d-4b7b-8554-7ba0960d49d6/2.231.1/task.json
##[debug]adding resource file: /Users/runner/work/_tasks/InstallAppleCertificate_d2eff759-736d-4b7b-8554-7ba0960d49d6/2.231.1/task.json
##[debug]system.culture=en-US
##[debug]certSecureFile=531a576b-6fd5-41d6-af08-d67f77082b13
##[debug]opensslPkcsArgs=-legacy
##[debug]System.TeamFoundationCollectionUri=https://dev.azure.com/acr-devops/
##[debug]SYSTEMVSSCONNECTION auth param ACCESSTOKEN = ***
##[debug]Secure file retry count set to: 8
##[debug]Agent.ProxyUrl=undefined
##[debug]secure file name for id 531a576b-6fd5-41d6-af08-d67f77082b13 = .p12
##[debug]Agent.TempDirectory=/Users/runner/work/_temp
##[debug]Absolute path for pathSegments: /Users/runner/work/_temp,.p12 = /Users/runner/work/_temp/.p12
##[debug]Downloading secure file contents to: /Users/runner/work/_temp/.p12
##[debug]secure file ticket for id 531a576b-6fd5-41d6-af08-d67f77082b13 = ***
##[debug]SYSTEM.TEAMPROJECT=ACR Data Platform
##[debug]Downloaded secure file contents to: /Users/runner/work/_temp/.p12
##[debug]certPwd=***
##[debug]which 'openssl'
##[debug]found: '/usr/local/bin/openssl'
##[debug]which '/usr/local/bin/openssl'
##[debug]found: '/usr/local/bin/openssl'
##[debug]/usr/local/bin/openssl arg: ["pkcs12","-in","/Users/runner/work/_temp/.p12","-nokeys","-passin","pass:***","-legacy"]
##[debug]which '/usr/local/bin/openssl'
##[debug]found: '/usr/local/bin/openssl'
##[debug]/usr/local/bin/openssl arg: ["x509","-sha1","-noout","-fingerprint","-subject","-dates","-nameopt","utf8,sep_semi_plus_space"]
##[debug]exec tool: /usr/local/bin/openssl
##[debug]arguments:
##[debug]   pkcs12
##[debug]   -in
##[debug]   /Users/runner/work/_temp/.p12
##[debug]   -nokeys
##[debug]   -passin
##[debug]   pass:***
##[debug]   -legacy
/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/.p12 -nokeys -passin pass:*** -legacy | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
pkcs12: Unrecognized flag legacy
pkcs12: Use -help for summary.
##[debug]success of first tool:false
unable to load certificate
140704744351488:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
##[debug]rc:1
##[debug]success:false
##[warning]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
##[debug]Processed: ##vso[task.issue type=warning;]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
##[debug]task result: Failed
##[error]Error: /usr/local/bin/openssl failed with return code: 1
##[debug]Processed: ##vso[task.issue type=error;]Error: /usr/local/bin/openssl failed with return code: 1
##[debug]Processed: ##vso[task.complete result=Failed;]Error: /usr/local/bin/openssl failed with return code: 1
##[debug]secure file name for id 531a576b-6fd5-41d6-af08-d67f77082b13 = .p12
##[debug]Agent.TempDirectory=/Users/runner/work/_temp
##[debug]Absolute path for pathSegments: /Users/runner/work/_temp,.p12 = /Users/runner/work/_temp/.p12
##[debug]Deleting secure file at: /Users/runner/work/_temp/.p12
##[debug]rm -rf /Users/runner/work/_temp/.p12
##[debug]removing file
Finishing: Install Apple Distribution Certificate 

Repro steps

- task: InstallAppleCertificate@2
  displayName: 'Install Apple Distribution Certificate'
  name: iOSDistributionCertificate
  inputs:
    certSecureFile: '$(CertName)'
    certPwd: '$(iOSPrivateKeyPassword)'
    keychain: 'temp'
    opensslPkcsArgs: '-legacy'

@DmitriiBobreshev
Contributor

Hi @SharpMobileCode, thank you for the feedback! As I see, openssl 3.1.4 and openssl 3.2 contain the -legacy option, which isn't deprecated now.

Also, the error itself is different and does not say that you have an old/unsupported certificate. Are you sure that you're passing a valid certificate? Also, could you please try removing opensslPkcsArgs: '-legacy' and check whether the error changes?

@DmitriiBobreshev DmitriiBobreshev added Area: ABTT Akvelon Build Tasks Team area of work and removed Area: Release triage labels Dec 14, 2023
@SharpMobileCode
Author

Hi @DmitriiBobreshev, thanks for the response. I took a look at the certificate file again and it seems to have been corrupted in transit to me. When I manually tried to install it, I got an error. I had it regenerated and verified the new one wasn't corrupted. Uploaded to the Secure File Storage and now it seems to be working. So it seems it was just a bad file!

My apologies, no bug intended. Thanks for the feedback!

@shatodj

shatodj commented Nov 14, 2024

The issue is reappearing in macos-15 (preview) Xcode 16

/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/<redacted>.p12 -nokeys -passin pass:*** | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
Error outputting keys and certificates
<redacted>:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
Could not find certificate from <stdin>
##[warning]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
##[error]Error: /usr/local/bin/openssl failed with return code: 1
Finishing: InstallAppleCertificate

@amit-thapa

The issue is reappearing in macos-15 (preview) Xcode 16

/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/<redacted>.p12 -nokeys -passin pass:*** | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
Error outputting keys and certificates
<redacted>:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
Could not find certificate from <stdin>
##[warning]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
##[error]Error: /usr/local/bin/openssl failed with return code: 1
Finishing: InstallAppleCertificate

Is there any resolution to this? I have the same problem also with macos-15. Had to change to macos-15 because XCode 16 was no longer supported on macos-14.

@MrzJkl

MrzJkl commented Nov 16, 2024

This affects me too :(

@Cynnexis

We experience this bug intermittently on macOS 15.0; this is a big hindrance for our team.

@shatodj

shatodj commented Nov 22, 2024

#20669

As a workaround for now, I suggest you try the approach described here: actions/runner-images#10703 (comment)
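
The failure signatures that appear in the logs of this thread, turned into a small triage helper. This is an added example, not part of the InstallAppleCertificate task or of any comment above; the function names and result tokens are hypothetical, and it assumes that `openssl pkcs12` accepts `-legacy` only from OpenSSL 3.0 onward.

```shell
#!/bin/sh
# Added example: triage for the InstallAppleCertificate failures quoted in this thread.
# Assumption: `openssl pkcs12` accepts -legacy only from OpenSSL 3.0 onward.

# legacy_arg_for "<output of 'openssl version'>" prints the opensslPkcsArgs value
# that this build will accept: "-legacy" on OpenSSL 3+, nothing otherwise.
legacy_arg_for() {
  case "$1" in
    OpenSSL\ [3-9].*|OpenSSL\ [1-9][0-9].*) printf '%s\n' '-legacy' ;;
    *) : ;;  # OpenSSL 1.x, LibreSSL or unknown: the flag would be rejected
  esac
}

# triage_log "<task log text>" prints one token naming the failure mode.
triage_log() {
  if printf '%s\n' "$1" | grep -q 'Unrecognized flag legacy'; then
    # pkcs12 stopped at argument parsing and never opened the .p12,
    # so this log says nothing yet about the certificate itself.
    echo 'flag-unsupported'
  elif printf '%s\n' "$1" | grep -q 'inner_evp_generic_fetch:unsupported'; then
    # Name the algorithm that could not be fetched, e.g. RC2-40-CBC.
    alg=$(printf '%s\n' "$1" | sed -n 's/.*Algorithm (\([^ )]*\).*/\1/p' | head -n 1)
    echo "unsupported-algorithm:${alg:-unknown}"
  elif printf '%s\n' "$1" | grep -Eq 'no start line|Could not find certificate'; then
    # pkcs12 produced no certificate: check the password and file integrity.
    echo 'no-certificate-output'
  else
    echo 'unknown'
  fi
}

# Log excerpt copied from the macos-15 report in this thread.
SAMPLE_RC2='Error outputting keys and certificates
<redacted>:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
Could not find certificate from <stdin>'

triage_log "$SAMPLE_RC2"
# Version strings below are constructed sample inputs.
echo "OpenSSL 3.x args: [$(legacy_arg_for 'OpenSSL 3.1.4 24 Oct 2023')]"
echo "OpenSSL 1.1.1 args: [$(legacy_arg_for 'OpenSSL 1.1.1w  11 Sep 2023')]"
```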
