Azure cli 2.45.0 - CryptographyDeprecationWarning: Blowfish has been deprecated #25406

Closed
tjackadams opened this issue Feb 9, 2023 · 30 comments · Fixed by #25472
@tjackadams

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Related command
az webapp config ssl upload

Describe the bug

We receive the following error in the devops agent task logs when executing this command

##[error]/opt/az/lib/python3.10/site-packages/paramiko/transport.py:236: CryptographyDeprecationWarning: Blowfish has been deprecated

As a result, the pipeline task fails and the certificate is not uploaded.

To Reproduce

Open a terminal and login with managed identity

az login --identity

run the certificate upload command

az webapp config ssl upload --name <certificate name> --resource-group <resource group name> --certificate-file <certificate file path> --certificate-password <certificate password>

Expected behavior

The certificate to be uploaded successfully.

Environment summary

Linux-5.4.0-1101-azure-x86_64-with-glibc2.27, Ubuntu 18.04.6 LTS
Python 3.10.8
Installer: DEB

azure-cli 2.45.0

Additional context

Doesn't seem to be an issue with az cli 2.44.1

Possibly related paramiko/paramiko#2038

@ghost ghost added customer-reported Issues that are reported by GitHub users external to the Azure organization. Web Apps az webapp CXP Attention This issue is handled by CXP team. Auto-Assign Auto assign by bot Account az login/account labels Feb 9, 2023
@ghost ghost assigned jiasli Feb 9, 2023
@ghost ghost added this to the Backlog milestone Feb 9, 2023
@ghost ghost assigned yutanglin16 Feb 9, 2023
@ghost ghost added the app-service-general label Feb 9, 2023
@ghost ghost assigned seligj95 Feb 9, 2023
@yonzhan
Collaborator

yonzhan commented Feb 9, 2023

route to CXP team

@tjackadams
Author

I've downgraded the azure cli version to 2.44.1 and the certificate is uploaded successfully, so it seems to be an issue with azure cli 2.45.0

@paul-sk

paul-sk commented Feb 9, 2023

'--only-show-errors' option doesn't block this warning. As a result, PS script fails with error.

@seligj95 seligj95 removed their assignment Feb 9, 2023
@alexander-kastil

Maybe you should also check if this is causing the issue in #25443

@ghost

ghost commented Feb 15, 2023

The only thing which unblocked me was editing the file /usr/local/Cellar/azure-cli/2.45.0/libexec/lib/python3.10/site-packages/paramiko/transport.py at the line 236 (macOS).
I had to manually remove this block:

"blowfish-cbc": {
    "class": algorithms.Blowfish,
    "mode": modes.CBC,
    "block-size": 8,
    "key-size": 16,
},

After saving this transport.py file everything works correctly on azure-cli v2.45.0.

This is a workaround, and I'd not recommend using it on Production.

@plynch66

plynch66 commented Feb 15, 2023

> The only thing which unblocked me was editing the file /usr/local/Cellar/azure-cli/2.45.0/libexec/lib/python3.10/site-packages/paramiko/transport.py at the line 236 (macOS). I had to manually remove this block:
>
> "blowfish-cbc": {
>     "class": algorithms.Blowfish,
>     "mode": modes.CBC,
>     "block-size": 8,
>     "key-size": 16,
> },
>
> After saving this transport.py file everything works correctly on azure-cli v2.45.0.
>
> This is a workaround, and I'd not recommend using it on Production.

If you're on Windows, you will find the file here :

"C:\Users\YOURUSERNAME.Azure\cliextensions\azure-cli-ml\paramiko"

@MmAtBosch

Problem also occurs on other az web subcommands, like a simple:
az webapp list

/usr/local/Cellar/azure-cli/2.45.0/libexec/lib/python3.10/site-packages/paramiko/transport.py:236: CryptographyDeprecationWarning: Blowfish has been deprecated
"class": algorithms.Blowfish,
[]

@seligj95
Contributor

Seems to be an issue across all az webapp commands. Investigating this and will follow up.

@seligj95
Contributor

Engineering identified the issue and opened a PR with a fix

@rahulbhansali2111

While @tjackadams was able to get past the issue by downgrading the azure cli version to 2.44.1, I am wondering how I can do something similar on AzDevOps (cloud) using microsoft hosted agents?

@dandenton

If you're using the Azure CLI task the easiest workaround I found was temporarily unchecking the "Fail on Standard Error" option on the task under Advanced.

@alexander-kastil

alexander-kastil commented Feb 15, 2023

> While @tjackadams was able to get past the issue by downgrading the azure cli version to 2.44.1, I am wondering how I can do something similar on AzDevOps (cloud) using microsoft hosted agents?

@rahulbhansali2111 According to the software inventory the latest win and ubuntu agents have version 2.44.1 of azure cli installed

https://github.com/actions/runner-images/blob/main/images/linux/Ubuntu2204-Readme.md

@yonzhan yonzhan removed the Account az login/account label Feb 16, 2023
@seanke

seanke commented Feb 16, 2023

We are having the same issue on the windows-2022 agent using the AzureCLI@2 task in Azure DevOps.

steps:
- task: AzureCLI@2
  displayName: '*** - Run deploy.ps1'
  inputs:
    azureSubscription: '***'
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
     export ARM_CLIENT_ID=$servicePrincipalId
     export ARM_CLIENT_SECRET=$servicePrincipalKey
     export ARM_TENANT_ID=$tenantId
     export ARM_SUBSCRIPTION_ID=$(az account show --query 'id' --output tsv)
     
     powershell ./***-deploy.ps1 -EnvironmentSuffix $(EnvironmentSuffix)
    addSpnToEnvironment: true
    workingDirectory: '$(System.DefaultWorkingDirectory)/***/cicd'
    failOnStandardError: true

The inline script runs perfectly fine, and then the task fails right at the very end with this error.

2023-02-15T23:33:20.0307879Z ##[error]D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\paramiko/transport.py:236: CryptographyDeprecationWarning: Blowfish has been deprecated
D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\paramiko/transport.py:236: CryptographyDeprecationWarning: Blowfish has been deprecated
D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\paramiko/transport.py:236: CryptographyDeprecationWarning: Blowfish has been deprecated
2023-02-15T23:33:20.0322035Z ##[error]Script has output to stderr. Failing as failOnStdErr is set to true.
2023-02-15T23:33:20.0462490Z [command]C:\Windows\system32\cmd.exe /D /S /C ""C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" account clear"

Is there any known workaround or ETA?

@dandenton

@seanke A temporary fix would be to change failOnStandardError: true to failOnStandardError: false

That will ignore the error (and any others) until the real fix goes into place, then you can revert the change.

@seligj95 seligj95 self-assigned this Feb 16, 2023
@scottvossen-microsoft

scottvossen-microsoft commented Feb 16, 2023

> Engineering identified the issue and opened a PR with a fix

Any idea when it might be released?

@seligj95
Contributor

> Any idea when it might be released?

Latest would be beginning of March with the release of version 2.46.0. Will need to follow up and see if this can go out earlier with a potential patch version.

@alexander-kastil

@seligj95 … a 2.45.1 patch release would be great 🤫

@ChristopherMcEwenMoneyBox

ChristopherMcEwenMoneyBox commented Feb 20, 2023

2.45.0

It looks like the DevOps-hosted agents all got updated to 2.45.0 and we are now seeing this issue in our pipelines.

Is there a way to specify the Azure CLI version for hosted agents?

@chriswue

chriswue commented Feb 21, 2023

> @seanke A temporary fix would be to change failOnStandardError: true to failOnStandardError: false
>
> That will ignore the error (and any others) until the real fix goes into place, then you can revert the change.

This is not a practical solution

  1. We have dozens of pipelines and changing them just to change them back is a lot of effort (even if the changes are small, someone has to actually do it, review it, merge it, monitor builds, etc.)
  2. The main point is to have a pipeline fail if there is an actual problem - which is why failOnStandardError is set to true in the first place (it's the only way to get notified of certain errors). Removing this safety precaution is nuts just to workaround a bug in the ecosystem.

So please rollback the agent upgrade or release a hot-fix for AzCLI.
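
An added example (not part of any comment in this thread, and not Azure CLI or Azure DevOps code): one way to keep a fail-on-stderr check while tolerating only the specific warning reported in this issue. The names `run_strict` and `fake_az_*` are hypothetical, the `fake_az_*` output is constructed, and the two warning lines are copied from the logs quoted above.

```bash
#!/usr/bin/env bash
# Added example: tolerate ONE known warning on stderr, fail on anything else.
# run_strict and the fake_az_* functions are hypothetical names for illustration.

# Both lines Python prints for this warning, copied from the logs in this issue.
KNOWN_WARNING='CryptographyDeprecationWarning: Blowfish has been deprecated'
KNOWN_SOURCE_LINE='"class": algorithms.Blowfish,'

run_strict() {
    local errfile rc leftover
    errfile=$(mktemp) || return 1
    # Capture stderr separately; stdout passes through untouched.
    "$@" 2>"$errfile" && rc=0 || rc=$?
    # Keep every stderr line that is NOT one of the two known warning lines.
    leftover=$(grep -v -F -e "$KNOWN_WARNING" -e "$KNOWN_SOURCE_LINE" "$errfile" || true)
    rm -f "$errfile"
    if [ -n "$leftover" ]; then
        # Unknown stderr output: surface it and fail, as failOnStandardError would.
        printf '%s\n' "$leftover" >&2
        [ "$rc" -ne 0 ] && return "$rc"
        return 1
    fi
    # Only the known warning (or nothing) was on stderr: keep the exit code.
    return "$rc"
}

# Constructed stand-ins for an az command (sample output, not real az runs).
fake_az_warning_only() {
    echo '/opt/az/lib/python3.10/site-packages/paramiko/transport.py:236: CryptographyDeprecationWarning: Blowfish has been deprecated' >&2
    echo '  "class": algorithms.Blowfish,' >&2
    echo '[]'
}

fake_az_real_error() {
    fake_az_warning_only
    echo 'ERROR: constructed failure' >&2
}
```

In a pipeline script the real command would be passed instead of the stand-ins, for example `run_strict az webapp list`. The wrapper only covers commands invoked through it, so stderr written by anything else in the task is still subject to the task's own setting.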

@skillbuilderzone

/opt/az/lib/python3.10/site-packages/paramiko/transport.py:236: CryptographyDeprecationWarning: Blowfish has been deprecated
##[error]Script failed with exit code: 1
/usr/bin/az account clear

Our pipelines have started failing as well. Please provide a hotfix or a better workaround.

@skillbuilderzone

skillbuilderzone commented Feb 21, 2023

If it helps anyone using azcli@2 task :
Just before your AZ Cli task install the version that works for you using bash.
I have just tried and it works. I am rolling back to my previous working az cli version 2.44.1

- task: Bash@3
  inputs:
    targetType: 'inline'
    script: |
      # Write your commands here
      pip install azure-cli==2.44.1
  displayName: "Install AZ CLI 2.44.1"

@PramodValavala-MSFT PramodValavala-MSFT added Service Attention This issue is responsible by Azure service team. and removed CXP Attention This issue is handled by CXP team. labels Feb 22, 2023
@laureladastra

laureladastra commented Feb 24, 2023

> @seanke A temporary fix would be to change failOnStandardError: true to failOnStandardError: false
>
> That will ignore the error (and any others) until the real fix goes into place, then you can revert the change.

I would not recommend doing this, since other critical errors that need to be dealt with will be ignored and the pipeline is not idempotent anymore. Why is this issue closed when no solution or clear communication has been provided? The update failed quality assurance tests and it's unacceptable to expect us to add unsanitary code to cover this fuck up. Since the update introduces breaking changes, it should be rolled back. Even adding additional scripts to revert the version should not be accepted as a workaround. No one is able to do that for thousands of pipelines. Ignoring error handling completely is a disastrous recommendation.

@seligj95
Contributor

We apologize for the issues here. I've attempted to get a patch release with the fix applied but that doesn't look like it will happen. This issue was automatically closed when the linked PR with the fix was completed. This fix will go out with the next CLI release on March 7.

@lankaapura

A lot of Azure pipelines are failing because of this issue and even Azure cloud shell has this issue. Could you please reconsider patching this to the existing release?

> We apologize for the issues here. I've attempted to get a patch release with the fix applied but that doesn't look like it will happen. This issue was automatically closed when the linked PR with the fix was completed. This fix will go out with the next CLI release on March 7.

@0mza987

0mza987 commented Mar 9, 2023

Same error here when I tried to use:
az webapp up xx

@kwacks

kwacks commented Mar 9, 2023

So strange that this isn't considered a breaking change or worthy enough for a hotfix. Lots of pipelines and tools broken (even in cloudshell) but there's no sense of urgency.
We opened tickets with Microsoft support and got bounced around and we eventually had to give up and run things manually.
Can't express the disappointment enough - why else are you here, Microsoft, if not to support customers and developers?

@seligj95
Contributor

seligj95 commented Mar 9, 2023

Please update to the latest CLI version 2.46.0. This has been fixed.

@not-not-kevin

The windows-latest (version 20230307.2) image is using 2.46.0 now and has resolved the issue in my Windows pipelines. 🙌

When can I expect to see these changes rolled to the ubuntu-latest image? My logs show it's still using 2.45.0 (in version 20230305.1)

@bcouavoux

bcouavoux commented May 4, 2023

Hello,
We have the same problem again with version 2.48.1 ... The warning messages are considered as errors and put all our pipelines in error. This is starting to be very problematic, we have to change our failOnStandardError parameter between true and false on more than a dozen pipelines every time. Please fix this quickly and permanently.

/usr/bin/az --version
azure-cli 2.48.1

##[error]WARNING: Readonly attribute name will be ignored in class <class 'azure.mgmt.resource.locks.v2016_09_01.models._models_py3.ManagementLockObject'>
WARNING: Readonly attribute name will be ignored in class <class 'azure.mgmt.resource.locks.v2016_09_01.models._models_py3.ManagementLockObject'>
##[error]Script has output to stderr. Failing as failOnStdErr is set to true.

@jiasli
Member

jiasli commented Jun 14, 2023

The topic of using failOnStderr is tracked by #18372.
