codemagic-ci-cd / cli-tools

Various utilities for managing Android and iOS app builds, code signing, and deployment.
https://codemagic.io/start/
GNU General Public License v3.0

Fix exporting code signing certificates with OpenSSL 3.2.+ #411

Closed priitlatt closed 3 months ago

priitlatt commented 3 months ago

It is not possible to add a certificate and key to the macOS keychain in PKCS#12 format if the certificate subject contains unicode characters. OpenSSL versions prior to 3.2 used to encode the subject line in bag attributes such that no unicode literals were used, but this has been changed. As a result the following workflow is possibly broken:

app-store-connect certificates get <certificate-id> --save
keychain initialize
keychain add-certificates

as the last command can fail with error

security: SecKeychainItemImport: Unknown format in import.

in case the certificate subject contains non-ascii characters.

To overcome that, update the PKCS#12 container creation workflow not to rely on openssl directly when creating the encrypted container, and instead utilize the tools that are built into the cryptography library. Decryption (password removal from the encrypted PKCS#12) is still dependent on openssl, as the non-encrypted container created by cryptography uses SHA256 as HMAC, which macOS Keychain does not understand. As a last step, the optional subject line is removed from the non-encrypted container manually to ensure that no non-ASCII characters are present (the subject under the certificate's bag attributes is a mere convenience attribute, as the same information is encoded in the certificate body anyway).

Updated actions
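The last step described in the PR body (dropping the convenience subject line from the password-free container before it reaches `security import`), as an added example; this is not code from the PR or from codemagic-cli-tools. It assumes the non-encrypted container is the PEM text that `openssl pkcs12 -nodes` prints (a `Bag Attributes` block, `subject=`/`issuer=` lines, then PEM bodies); the sample text is constructed and the certificate and key bodies are dummies. After stripping, the helper checks that the text is pure ASCII, which also covers the case the subject-line workaround alone does not handle: a non-ASCII value that survives in another attribute such as `friendlyName`.

```python
"""Post-process the PEM text that `openssl pkcs12 -nodes` emits before it is
handed to `security import` on macOS.

Hypothetical helper written for this example, not codemagic-cli-tools code.
It assumes the layout below: "Bag Attributes" blocks with indented attribute
lines, optional `subject=` / `issuer=` lines, then PEM-armoured bodies.
"""
from typing import List, Tuple

# Constructed sample in the OpenSSL 3.2 style (subject printed with literal
# UTF-8 characters); certificate and key bodies are dummies, not real material.
SAMPLE_PEM_3_2 = (
    "Bag Attributes\n"
    "    friendlyName: Apple Development: Example Dev (ABCDE12345)\n"
    "    localKeyID: 01 02 03 04\n"
    "subject=UID = ABCDE12345, CN = Apple Development: J\u00fcrgen N\u00e4ide (ABCDE12345), "
    "OU = ABCDE12345, O = N\u00e4ide O\u00dc, C = EE\n"
    "issuer=CN = Apple Worldwide Developer Relations Certification Authority, "
    "OU = G3, O = Apple Inc., C = US\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBdummyCertificateBody=\n"
    "-----END CERTIFICATE-----\n"
    "Bag Attributes\n"
    "    friendlyName: Apple Development: Example Dev (ABCDE12345)\n"
    "    localKeyID: 01 02 03 04\n"
    "Key Attributes: <No Attributes>\n"
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIEdummyPrivateKeyBody=\n"
    "-----END PRIVATE KEY-----\n"
)

# Same constructed container, but with a non-ASCII friendlyName as well:
# stripping the subject line alone is not enough here, so import is refused.
SAMPLE_PEM_UNICODE_FRIENDLY_NAME = SAMPLE_PEM_3_2.replace(
    "friendlyName: Apple Development: Example Dev",
    "friendlyName: Apple Development: J\u00fcrgen N\u00e4ide",
)


def strip_subject_lines(pem_text: str) -> str:
    """Drop the informational `subject=` lines that precede each certificate.

    Only lines outside the -----BEGIN/-----END blocks are considered, so the
    base64 bodies are never touched; the subject is still encoded inside the
    certificate itself, so no information is lost.
    """
    kept = []
    in_pem_block = False
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN "):
            in_pem_block = True
        if not in_pem_block and line.startswith("subject="):
            continue
        kept.append(line)
        if line.startswith("-----END "):
            in_pem_block = False
    return "\n".join(kept) + ("\n" if pem_text.endswith("\n") else "")


def non_ascii_lines(pem_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for every line containing non-ASCII."""
    return [(n, line) for n, line in enumerate(pem_text.splitlines(), start=1)
            if not line.isascii()]


def prepare_for_keychain_import(pem_text: str) -> str:
    """Strip subject lines and verify the result is pure ASCII.

    Raises ValueError listing the offending lines when a non-ASCII value
    remains (e.g. in friendlyName), instead of letting `security import`
    fail later with "Unknown format in import".
    """
    cleaned = strip_subject_lines(pem_text)
    offending = non_ascii_lines(cleaned)
    if offending:
        detail = "; ".join(f"line {n}: {line.strip()!r}" for n, line in offending)
        raise ValueError(f"non-ASCII content remains after stripping subject: {detail}")
    return cleaned


if __name__ == "__main__":
    print(prepare_for_keychain_import(SAMPLE_PEM_3_2))
```

The cleaned text is what would be written to the file passed to `security import`; `issuer=` lines and the `Bag Attributes` block are kept as-is, since the workaround in the PR only targets the subject line.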

priitlatt commented 3 months ago

Tested on Codemagic stack: