Missing a lot of root certificates on windows-latest: X509

ebesic-bluefield commented 2 years ago

Description

The current windows-latest image is missing a large amount of root certificates. We have a signed certificate from Sectigo Limited with root CA being 'USERTrust RSA Certification Authority' and we are getting certificate errors in our pipeline due to the root authority being missing.

Platforms affected

[ ] Azure DevOps
[x] GitHub Actions

Runner images affected

[ ] Ubuntu 18.04
[ ] Ubuntu 20.04
[ ] Ubuntu 22.04
[ ] macOS 10.15
[ ] macOS 11
[ ] macOS 12
[X] Windows Server 2019
[X] Windows Server 2022

Image version and build link

Version: 20220925.1

Is it regression?

no

Expected behavior

If I run gci Cert:\CurrentUser\AuthRoot on my Windows 10, I get a list of 40+ entries (including USERTrust).

Actual behavior

If I run gci Cert:\CurrentUser\AuthRoot on windows-latest I only get a list of 16 entries.

Repro steps

Run gci Cert:\CurrentUser\AuthRoot on windows-latest See that it is missing

2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jerse...

al-cheb commented 2 years ago

Hey @ebesic-bluefield. We will take a look at it.

al-cheb commented 2 years ago

@ebesic-bluefield, this certificate presents on the windows images in the Cert:\LocalMachine\Root store:

ebesic-bluefield commented 2 years ago

Oh, i did not think to look for them in local machine. Hm... so that means it should be working. Probably an issue in our certificate chain then. We're going to have to doublecheck it. Thanks a lot for the quick help!

actions / runner-images