AsahiLinux / asahi-installer

Asahi Linux installer
MIT License

[Tracker] Certificate validation issues #107

Closed marcan closed 2 years ago

marcan commented 2 years ago

If your issue got duped to this one: please mention your country, network type (home, corporate, educational, mobile), whether your Mac is running any MDM/device tracking type software, and then run the following command and paste the full output.

openssl s_client -showcerts -connect updates.cdn-apple.com:443 < /dev/null

Unclear if this is due to missing legitimate certs in our bundle, missing dubious certs in our bundle (e.g. country CAs which we don't ship), or people being blatantly MITMed by their network.

jannau commented 2 years ago

On June 14th Apple's CDN used an intermediate cert that was signed by an old GeoTrust / Symantec certificate that was universally distrusted a couple of years ago. AS3320 (Germany). Today it is signed by a Cybertrust root certificate and the verification succeeds.

echo | openssl s_client -showcerts -connect updates.cdn-apple.com:https
CONNECTED(00000003)
depth=1 CN = Apple IST CA 8 - G1, OU = Certification Authority, O = Apple Inc., C = US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = updates.cdn-apple.com, O = Apple Inc., ST = California, C = US
verify return:1
---
Certificate chain
 0 s:CN = updates.cdn-apple.com, O = Apple Inc., ST = California, C = US
   i:CN = Apple IST CA 8 - G1, OU = Certification Authority, O = Apple Inc., C = US
-----BEGIN CERTIFICATE-----
[PEM body not preserved in this copy of the thread]
-----END CERTIFICATE-----
 1 s:CN = Apple IST CA 8 - G1, OU = Certification Authority, O = Apple Inc., C = US
   i:C = US, O = GeoTrust Inc., OU = (c) 2007 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G2
-----BEGIN CERTIFICATE-----
[PEM body not preserved in this copy of the thread]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = updates.cdn-apple.com, O = Apple Inc., ST = California, C = US

issuer=CN = Apple IST CA 8 - G1, OU = Certification Authority, O = Apple Inc., C = US

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2883 bytes and written 387 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
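As an added triage example (not part of this thread or of the asahi-installer project): a small Python script that parses the `openssl s_client -showcerts` output reporters are asked to paste and classifies it, so the hypotheses from the opening comment (a legitimate issuer missing from the bundle, a chain that ends at a distrusted CA as in the June 14th case, or some other verify error) can be separated without reading the whole dump. The two embedded samples are constructed and abridged from the outputs in this thread; the `DISTRUSTED_CA_HINTS` list is an assumption based on the GeoTrust / Symantec remark, and the function and field names are the example's own.

```python
"""Triage helper for pasted `openssl s_client -showcerts` output.

Added example; not code from the asahi-installer project.  It reads the
`depth=N ...` / `verify error:num=...` lines, the ` N s:` / `   i:` chain
listing and the `Verify return code:` line, then classifies the result.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumption: CA names that a current trust bundle no longer accepts at the
# top of a chain (the thread mentions GeoTrust / Symantec as distrusted).
DISTRUSTED_CA_HINTS = ("GeoTrust", "Symantec")

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
CHAIN_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")       # " 0 s:CN = ..."
ISSUER_RE = re.compile(r"^\s+i:(.*)$")              # "   i:CN = ..."
RETURN_CODE_RE = re.compile(r"^Verify return code:\s*(\d+)\s*\((.*)\)$")


@dataclass
class Triage:
    return_code: Optional[int] = None
    return_text: str = ""
    # (depth at which the error was reported, error number, message)
    verify_errors: list = field(default_factory=list)
    # (subject, issuer) for each certificate the server sent, leaf first
    chain: list = field(default_factory=list)


def triage(output: str) -> Triage:
    """Extract verification status and the presented chain from the dump."""
    t = Triage()
    depth = 0
    lines = output.splitlines()
    for idx, line in enumerate(lines):
        m = DEPTH_RE.match(line)
        if m:
            depth = int(m.group(1))
            continue
        m = VERIFY_ERR_RE.match(line)
        if m:
            t.verify_errors.append((depth, int(m.group(1)), m.group(2).strip()))
            continue
        m = CHAIN_RE.match(line)
        if m:
            issuer = ""
            if idx + 1 < len(lines):
                mi = ISSUER_RE.match(lines[idx + 1])
                if mi:
                    issuer = mi.group(1).strip()
            t.chain.append((m.group(2).strip(), issuer))
            continue
        m = RETURN_CODE_RE.match(line)
        if m:
            t.return_code = int(m.group(1))
            t.return_text = m.group(2).strip()
    return t


def classify(t: Triage) -> dict:
    """Map a parsed dump onto the hypotheses from the opening comment."""
    # The issuer of the last cert the server sent is the root the local
    # bundle must contain; OpenSSL error 20 means it was not found there.
    top_issuer = t.chain[-1][1] if t.chain else ""
    distrusted = any(h.lower() in top_issuer.lower() for h in DISTRUSTED_CA_HINTS)
    if t.return_code == 0:
        verdict, hint = "ok", "chain verifies against the local bundle"
    elif t.return_code == 20 or any(n == 20 for _, n, _ in t.verify_errors):
        verdict = "missing-issuer"
        hint = ("server chains to a distrusted CA; server-side misconfiguration"
                if distrusted else
                "issuer not in local bundle; compare with the shipped bundle "
                "and with a dump taken from another network")
    else:
        verdict, hint = "other", f"verify error: {t.return_text or 'unknown'}"
    return {"verdict": verdict, "hint": hint, "top_issuer": top_issuer,
            "distrusted_issuer": distrusted, "chain_len": len(t.chain),
            "return_code": t.return_code}


# Constructed samples, abridged from the outputs posted in this thread.
SAMPLE_FAIL = """\
CONNECTED(00000003)
depth=1 CN = Apple IST CA 8 - G1, OU = Certification Authority, O = Apple Inc., C = US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = updates.cdn-apple.com, O = Apple Inc., ST = California, C = US
verify return:1
---
Certificate chain
 0 s:CN = updates.cdn-apple.com, O = Apple Inc., ST = California, C = US
   i:CN = Apple IST CA 8 - G1, OU = Certification Authority, O = Apple Inc., C = US
 1 s:CN = Apple IST CA 8 - G1, OU = Certification Authority, O = Apple Inc., C = US
   i:C = US, O = GeoTrust Inc., OU = (c) 2007 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G2
---
Verify return code: 20 (unable to get local issuer certificate)
"""

SAMPLE_OK = """\
CONNECTED(00000006)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
---
Certificate chain
 0 s:CN = updates.cdn-apple.com, O = Apple Inc., ST = California, C = US
   i:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
 1 s:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
   i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
---
Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for name, sample in (("fail", SAMPLE_FAIL), ("ok", SAMPLE_OK)):
        print(name, classify(triage(sample)))
```

Run it on a saved dump with `classify(triage(open("dump.txt").read()))`; the `top_issuer` field is the name to search for in the installer's CA bundle when the verdict is `missing-issuer`.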
op06072 commented 2 years ago

If your issue got duped to this one: please mention your country, network type (home, corporate, educational, mobile), whether your Mac is running any MDM/device tracking type software, and then run the following command and paste the full output.

openssl s_client -showcerts -connect updates.cdn-apple.com:443 < /dev/null

Unclear if this is due to missing legitimate certs in our bundle, missing dubious certs in our bundle (e.g. country CAs which we don't ship), or people being blatantly MITMed by their network.

CONNECTED(00000006)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
verify return:1
depth=0 CN = updates.cdn-apple.com, O = Apple Inc., ST = California, C = US
verify return:1
---
Certificate chain
 0 s:CN = updates.cdn-apple.com, O = Apple Inc., ST = California, C = US
   i:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
-----BEGIN CERTIFICATE-----
MIIICDCCBvCgAwIBAgIQWHe/1nukG6m/X7o9jPAeRDANBgkqhkiG9w0BAQsFADBi
MRwwGgYDVQQDExNBcHBsZSBJU1QgQ0EgMiAtIEcxMSAwHgYDVQQLExdDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eTETMBEGA1UEChMKQXBwbGUgSW5jLjELMAkGA1UEBhMC
VVMwHhcNMjExMTE3MDI0ODU2WhcNMjIxMjE3MDI0ODU1WjBXMR4wHAYDVQQDDBV1
cGRhdGVzLmNkbi1hcHBsZS5jb20xEzARBgNVBAoMCkFwcGxlIEluYy4xEzARBgNV
BAgMCkNhbGlmb3JuaWExCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAtfIvwR0yp5WRIqJuOlSOf1kD058lMxV84wamr2XBamj+2/Lx
pyf9k8tSSbSwizSx14ZLFr1PCXpszRYY3QlCZhZ65WviI1//A5kplQX2xGj0AGVL
D/uW0HIWqn8vfPb6hpBVfh6s4OFkxAdBKpnn7fuiiZ1iOnNaH+3nJLd6K78a9fcQ
ZzfTXeTSBpRQdH94f9d/h4kfV0geFZxZKDHe3mwop6E+B0pajOEAZe5JHL3sTwaC
/4NhPZbiN2lxWLvhX+jvvKKPDisvWtpkUuplFaHIq/hHon2s5p3KGUYbu+fBe5PU
/b2ukUru7seEM5MKIwyCVwFnOrZ1aRMsl3+iKwIDAQABo4IEwzCCBL8wDAYDVR0T
AQH/BAIwADAfBgNVHSMEGDAWgBTYepREfJBwkBae3RecAUQDhtYqKTCBuQYIKwYB
BQUHAQEEgawwgakwNwYIKwYBBQUHMAKGK2h0dHA6Ly9jZXJ0cy5hcHBsZS5jb20v
YXBwbGVpc3RjYTJnMV9iYy5jZXIwNAYIKwYBBQUHMAKGKGh0dHA6Ly9jZXJ0cy5h
cHBsZS5jb20vYXBwbGVpc3RjYTJnMS5kZXIwOAYIKwYBBQUHMAGGLGh0dHA6Ly9v
Y3NwLmFwcGxlLmNvbS9vY3NwMDMtYXBwbGVpc3RjYTJnMTI3MCAGA1UdEQQZMBeC
FXVwZGF0ZXMuY2RuLWFwcGxlLmNvbTCCAQcGA1UdIASB/zCB/DAIBgZngQwBAgIw
ge8GCiqGSIb3Y2QFCwQwgeAwNwYIKwYBBQUHAgEWK2h0dHBzOi8vd3d3LmFwcGxl
LmNvbS9jZXJ0aWZpY2F0ZWF1dGhvcml0eS8wgaQGCCsGAQUFBwICMIGXDIGUUmVs
aWFuY2Ugb24gdGhpcyBjZXJ0aWZpY2F0ZSBieSBhbnkgcGFydHkgYXNzdW1lcyBh
Y2NlcHRhbmNlIG9mIGFueSBhcHBsaWNhYmxlIHRlcm1zIGFuZCBjb25kaXRpb25z
IG9mIHVzZSBhbmQvb3IgY2VydGlmaWNhdGlvbiBwcmFjdGljZSBzdGF0ZW1lbnRz
LjATBgNVHSUEDDAKBggrBgEFBQcDATA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8v
Y3JsLmFwcGxlLmNvbS9hcHBsZWlzdGNhMmcxLmNybDAdBgNVHQ4EFgQUJncP5LXl
SRO18kBkDPOPpq3oQREwDgYDVR0PAQH/BAQDAgWgMCwGCiqGSIb3Y2QGMAEEHgwc
MS4yLjg0MC4xMTM2MzUuMTAwLjYuMjcuNDAuMjCCAfgGCisGAQQB1nkCBAIEggHo
BIIB5AHiAHcAUaOw9f0BeZxWbbg3eI8MpHrMGyfL956IQpoN/tSLBeUAAAF9K9VD
BQAABAMASDBGAiEAjUJ1wY9WLvDMs7YkAJo3kxwWbh25wxBZH/NPcPSczS4CIQDx
x0Zw2d41QsMqj1QlPsa8pC7ACinIRLTf2WJJksbABQB2ACl5vvCeOTkh8FZzn2Ol
d+W+V32cYAr4+U1dJlwlXceEAAABfSvVQmUAAAQDAEcwRQIhAMS2YRn9dbmgG8+Z
e4ra7OUQwOfX6yp+GgfFaQ5m/n1kAiAVbijdwvIWFDBW2F0/Df8Ih8o//Oh14kKo
PHvEckVr2QB3AEHIyrHfIkZKEMahOglCh15OMYsbA+vrS8do8JBilgb2AAABfSvV
QqYAAAQDAEgwRgIhAP0ZRlDhW9o3wcheDnmbttnpwOUQD34dlFqfA3KFIv5yAiEA
r4RN+z/cjFWk+1ai/csbaRXf9sgSySmIGPTAevLqEYEAdgDfpV6raIJPH2yt7rhf
Tj5a6s2iEqRqXo47EsAgRFwqcwAAAX0r1ULUAAAEAwBHMEUCIQDsXihjpBVRrZd4
rBXb0Co435B5H0SlWjLNLo6Wn4gZrgIgfSlVsbVaBv5m5y56N+4biJeTXQow5CEp
RWnDfyztrYIwDQYJKoZIhvcNAQELBQADggEBAKxHkLCzRynwzJVWjcuamHvljp+d
SLKaKpYgc8xI3ktoXOG56On1XmSJY7zAy++RdG6t9y6H7VroF3EdfGSC8bqO69GN
WPFOs9Jw2OmM6cXuaZzozg2jIExrvDOZ4OMadqH1N7b5A/biyO15jPAbh3PIT56x
l0AZx76LPbfZ0bcSvHeTsvZLtwLpfh5Q46bxQFcTpV2yvwWYM8hSsLgRwAddh88A
jPIvCLyGewijgevR80lRXsk4oOKeqRYy8BPrKZfLp7dBb177938MMuuznsWekISL
HLOXg4ErZzhd2U371thzVlC25MVuyBe7FAtDWEb3BPAmvsHRHZ9NBGLgScw=
-----END CERTIFICATE-----
 1 s:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
   i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
-----BEGIN CERTIFICATE-----
[PEM body not preserved in this copy of the thread]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = updates.cdn-apple.com, O = Apple Inc., ST = California, C = US

issuer=CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3795 bytes and written 387 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
marcan commented 2 years ago

@op06072 Does the problem still happen for you?

op06072 commented 2 years ago

@op06072 Does the problem still happen for you?

Fortunately, it doesn't! I think that happened because Apple was updating the new OS and device information for the new MacBook.

marcan commented 2 years ago

Looks like this was an issue with Apple screwing up their CDN, as @jannau said. Let's close this, we can reopen if it happens again.