
[BUG]: InstallAppleCertificate STILL fails to install certificates #19607

Open
3 of 7 tasks
AlphaNERD- opened this issue Mar 5, 2024 · 23 comments

@AlphaNERD-

New issue checklist

Task name

InstallAppleCertificate@2

Task version

2.231.1

Issue Description

Hello Azure DevOps devs,

I've begun to rebuild my CD pipeline as part of an ongoing migration of my iOS app to .NET 8. Currently my pipeline keeps failing at the InstallAppleCertificate task.

I've made sure that the certificate and provisioning profile are up-to-date and I've looked up the issue on GitHub. People have suggested passing the flag -legacy to the task whenever the issue was reported, however the -legacy flag is not recognized by openssl. The latest GitHub issue ended with a user still facing this issue, however the issue was closed solely because the -legacy flag was passed on to openssl (#19436). The user still couldn't install the certificate.

Another issue (#19383) was closed because the user regenerated their certificate and yet another issue (#18560) was closed because of... I don't know, because nobody reported it as fixed or as going stale or whatever. Someone suggested that the OpenSSL version was outdated, however I don't know how to update it or whether I can update it on hosted images. I tried out Microsoft's images macos-11, macos-12 and macos-13 too.

Environment type (Please select at least one environment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operating system

macos-13

Relevant log output

Starting: Install Certificate
==============================================================================
Task         : Install Apple certificate
Description  : Install an Apple certificate required to build on a macOS agent machine
Version      : 2.231.1
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/install-apple-certificate
==============================================================================
/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/ios_distribution.p12 -nokeys -passin pass:*** -legacy | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
pkcs12: Unrecognized flag legacy
pkcs12: Use -help for summary.
unable to load certificate
4657255936:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
##[warning]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
##[error]Error: /usr/local/bin/openssl failed with return code: 1
Finishing: Install Certificate

Full task logs with system.debug enabled

 [REPLACE THIS WITH YOUR INFORMATION] 

Repro steps

- task: InstallAppleCertificate@2
  displayName: 'Install Certificate'
  inputs:
    certSecureFile: 'ios_distribution.p12'
    certPwd: '$(Passwort)'
    keychain: 'temp'
    deleteCert: true
@kirill-ivlev
Contributor

@AlphaNERD- thanks for reporting! We are working on more prioritized issues at the moment, but will get back to this one soon.

@AlphaNERD-
Author

Uuuh... devs... When is "soon" happening? The build is still failing more than 60 days later.

@Vandersteen

For me the issue was that I exported only the key and not the key and certificate (using Keychain Access).
Make sure you select both before you export.

@AlphaNERD-
Author

Just to be sure, how do you do it? And how do you use them in the YAML pipeline?

@Vandersteen

In Keychain Access, select both the key & cert, then right-click to export to .p12.

@AlphaNERD-
Author

Unfortunately that didn't help. I sure wonder when Microsoft will help... Or whether DevOps is getting the Visual Studio App Center treatment.

@matt-goldman

I kind of found a workaround for this. I say "kind of" because I don't recommend anyone does this. But essentially I just downloaded and installed the certificate myself:

- task: DownloadSecureFile@1
  name: downloadDevCert
  displayName: 'Download Apple Certificate'
  inputs:
    secureFile: 'yourcertificate.p12'

- bash: |
    echo "Received secret: $CERT_PASSWORD"
    security import $(downloadDevCert.secureFilePath) -k ~/Library/Keychains/login.keychain -P yourp4ww0rdw!ch!sn0l0ng3r53cur3
  env:
    CERT_PASSWORD: $(P12password)
  displayName: 'Install signing certificate'

The reason I don't recommend anyone does this is because the secrets don't work. The output just shows:

Received secret: $(P12password)

Instead of what I expect to see which is:

Received secret: ****

Which is why I've put the secret directly in the command and why I say it's no longer secure. But at least this got me over this specific bump.

I've tried this a few different ways (and followed the docs) but if someone can explain to me what I'm doing wrong, and perhaps make this a viable (and secure) workaround for others, then that would be appreciated.

@matt-lethargic

It's good to see that, in the tradition of this issue, it's just being ignored and left to go stale!!! ;-)
Currently facing this, having moved from Microsoft-hosted Mac build agents to self-hosted.

@weeb-destroyer


In Azure Pipeline library variables, right next to the value field there is a lock icon which can help you secure the value.

@matt-goldman


The issue is specifically that this doesn't work. Hence the workaround of entering the value directly into the pipeline.

@weeb-destroyer


Did you declare your variables?
I have a group of variables named 'Mobile App Variables', and I declared it at the top of my yaml file:

trigger:
- development

variables:
- group: 'Mobile App Variables'
- name: flutterVersion
  value: '3.22.2'

Then I can use the variable normally like this

- bash: |
    security import $(appleCertificate.secureFilePath) -k ~/Library/Keychains/login.keychain -P $CERT_PASSWORD
  displayName: 'Install Apple Certificate'
  env:
    CERT_PASSWORD: $(distribution.p12-password)

@matt-goldman

@weeb-destroyer of course, been using other secrets throughout the pipeline. It was just this one not working. This was months ago, perhaps it's been fixed, perhaps was a glitch. Given it's been building smoothly since then I haven't gone back and checked but I suppose I should.

@angularsen

angularsen commented Nov 8, 2024

This suddenly started happening for us today, with an Apple certificate created 7 months ago, so not really that old.
I assumed some CI agent tooling was upgraded and started going through the various workarounds of passing the -legacy flag, manually upgrading OpenSSL and manually installing the cert, but then it suddenly resolved itself again after a few hours.

I suspected maybe a particular macOS VM image version was bad, but I got both good and bad builds on the exact same versions:

  • Image: macos-14 Version: 20241022.254
  • Image: macos-14 Version: 20241106.300

When debugging, the bad builds used OpenSSL 1.1.1w

- script: |
    which openssl
    /usr/bin/openssl version
    openssl version
  displayName: OpenSSL stuff
  condition: always()

Output:

/usr/local/bin/openssl
OpenSSL 1.1.1w  11 Sep 2023
LibreSSL 3.3.6

Posting this for anyone else having similar, flaky issues.

Related:
microsoft/azure-pipelines-tasks-common-packages#353
openssl/openssl#23089 (comment)

@Krisore

Krisore commented Nov 8, 2024

Yes, it happened to me today. I can't build: when I pass -legacy in the openssl argument it solved it for one succeeding build, but when I rebuild my app it says

pkcs12: Unrecognized flag legacy
pkcs12: Use -help for summary.
unable to load certificate
140704456046208:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

@CatalinPrata

CatalinPrata commented Nov 8, 2024

Same for me. Today the same config and certs worked well but a few hours later it fails with:

Starting: Install an Apple certificate
==============================================================================
Task         : Install Apple certificate
Description  : Install an Apple certificate required to build on a macOS agent machine
Version      : 2.246.5
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/install-apple-certificate
==============================================================================
/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/Development.p12 -nokeys -passin pass:*** -legacy | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
pkcs12: Unrecognized flag legacy
pkcs12: Use -help for summary.
unable to load certificate
140704478854656:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
##[warning]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
##[error]Error: /usr/local/bin/openssl failed with return code: 1
Finishing: Install an Apple certificate

What happened? How can we fix this?

@Krisore

Krisore commented Nov 8, 2024

This is a workaround for me, but I hardcoded the cert password for now: this script can't read a variable; even if I add an env: parameter it is always an empty value.

- task: DownloadSecureFile@1
  name: downloadDefaultCert
  displayName: 'Download Apple Certificate'
  inputs:
    secureFile: 'P12 FILE HERE'

- task: Bash@3
  displayName: Install Apple Certificate
  inputs:
    targetType: 'inline'
    script: |
      echo "Installing signing certificate..."
      CERT_PASSWORD="YourHardcodedPasswordHere" # Hardcoded password for testing
      if [ -z "$CERT_PASSWORD" ]; then
        echo "ERROR: CERT_PASSWORD is empty. Please check your password."
        exit 1
      fi

      # Import the certificate using the password
      security import $(downloadDefaultCert.secureFilePath) -k ~/Library/Keychains/login.keychain -P "$CERT_PASSWORD" -T /usr/bin/codesign
      echo "Certificate installed successfully."

@CatalinPrata

Some info about my case: I have 2 jobs running, one for release and one for dev. It seems that the first one fails and the second one passes, no matter which one is the first one. As mentioned already, this worked perfectly until some hours ago.

@CatalinPrata

CatalinPrata commented Nov 8, 2024


~~ Indeed downloading the cert before installing it worked for me... maybe the install cert plugin doesn't download it anymore? ~~

EDIT:
Doesn't work with image version '20241108.322', which seems to be set automatically on my end and I don't know how to change it.. worked ok with '20241022.254'.. there's another issue opened here #20628 about this.

@thisisthekap

thisisthekap commented Nov 11, 2024

Seems like Microsoft published a fix in macos-15 20241106.316.

With macos-15 20241022.244 I still see failing builds with "pkcs12: Unrecognized flag legacy" warning included.

The unfortunate thing: 20241106.316 does not seem to be published to all hosted agents as of now.

Edit: It seems like we need "-legacy" for 20241106.316, but need to omit it for 20241022.244. This way both configurations work fine. But as of now I do not see a way to determine the exact image version and decide if -legacy is added in yaml.

@arnauZurich

arnauZurich commented Nov 13, 2024

Thanks @thisisthekap! Same problem here.

In my case I'm not including the "legacy" flag, so it succeeds in macos-15 20241022.244 and fails in macos-15 20241106.316.

@thisisthekap

@arnauZurich As @mjosipovic-tgr suggested in actions/runner-images#10703 (comment), you could use 2 copies of the InstallAppleCertificate task. One with -legacy, one without. Works fine on our side.

@arnauZurich

@thisisthekap Thanks! It worked on our side too!

@nk54

nk54 commented Dec 3, 2024

> @arnauZurich As @mjosipovic-tgr suggested in actions/runner-images#10703 (comment), you could use 2 copies of the InstallAppleCertificate task. One with -legacy, one without. Works fine on our side.

and add condition: Failed() on the second one with -legacy ;)
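As an added example (not the task's own code and not from anyone in this thread), here is a Bash@3-style script that decides whether to pass -legacy from the agent's `openssl version` output and falls back to the other choice, instead of inspecting the image version thisisthekap mentions or running two copies of the task with a failed() condition; the function names, the CERT_PASSWORD env mapping and the fallback order are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the InstallAppleCertificate task or from this thread.
# It repeats the task's certificate probe in a Bash@3 step but picks the pkcs12 flag
# from the OpenSSL build on the agent, falling back to the other choice, instead of
# guessing from the image version or keeping two copies of the task.
# Assumptions: $1 is the secure-file path; the pipeline maps the P12 password into
# CERT_PASSWORD through an env: block (never inline in the script text).
set -eu
# Map an "openssl version" string to the extra pkcs12 flag it needs. OpenSSL 3.x
# moved the RC2/3DES ciphers of older .p12 exports into the legacy provider, so it
# needs -legacy; OpenSSL 1.1.1 and LibreSSL reject the flag with the
# "pkcs12: Unrecognized flag legacy" error quoted in the logs above.
legacy_flag_for_version() {
  case "$1" in
    OpenSSL\ [3-9].*|OpenSSL\ [1-9][0-9].*) printf -- '-legacy' ;;
    *) printf '' ;;
  esac
}

# The other candidate, tried second when the version-based choice fails.
alternate_flag() {
  if [ -n "$1" ]; then printf ''; else printf -- '-legacy'; fi
}

# Print the SHA-1 fingerprint of the certificate in a .p12. The password is passed
# with -passin env: so it never appears in the process list or the build log.
p12_fingerprint() {
  local p12="$1" pw="$2" first flag fp
  first="$(legacy_flag_for_version "$(openssl version)")"
  for flag in "$first" "$(alternate_flag "$first")"; do
    # shellcheck disable=SC2086  # $flag is intentionally empty or one word
    fp="$(P12_PW="$pw" openssl pkcs12 -in "$p12" -nokeys -passin env:P12_PW $flag 2>/dev/null \
          | openssl x509 -sha1 -noout -fingerprint 2>/dev/null)" || true
    if [ -n "$fp" ]; then printf '%s\n' "$fp"; return 0; fi
  done
  return 1
}

main() {
  local p12="${1:?usage: $0 <path-to-cert.p12>}" fp
  if [ -z "${CERT_PASSWORD:-}" ]; then
    echo "CERT_PASSWORD is empty: check the env: mapping of the secret variable" >&2
    exit 1
  fi
  if fp="$(p12_fingerprint "$p12" "$CERT_PASSWORD")"; then
    echo "certificate parses on $(openssl version): $fp"
  else
    echo "no certificate readable from $p12 with or without -legacy;" \
         "re-export the .p12 with both the key and the certificate selected" >&2
    exit 1
  fi
}
# Run only when a .p12 path is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The script only performs the parse check the task fails on; the `security import` step from the earlier workarounds still follows it, with the password mapped through env: rather than typed into the script.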
