It is not possible to add a certificate and key to the macOS keychain from a PKCS#12 container if the certificate subject contains unicode characters. OpenSSL versions prior to 3.2 used to encode the subject line in the bag attributes such that no unicode literals were used, but this has been changed. As a result the following workflow is possibly broken:
```
app-store-connect certificates get <certificate-id> --save
keychain initialize
keychain add-certificates
```
as the last command can fail with the error

```
security: SecKeychainItemImport: Unknown format in import.
```

in case the certificate subject contains non-ASCII characters.
To overcome that, update the PKCS#12 container creation workflow so that it no longer relies on `openssl` directly when creating the encrypted container, and instead uses the tools built into the `cryptography` library. Decryption (password removal from the encrypted PKCS#12) is still dependent on `openssl`, because the non-encrypted container created by `cryptography` uses SHA256 for the HMAC, which the macOS Keychain does not understand. As a last step, the optional subject line is removed from the non-encrypted container manually to ensure that no non-ASCII characters are present (the subject under the certificate's bag attributes is a mere convenience attribute, as the same information is encoded in the certificate body anyway).
Updated actions:

- `app-store-connect certificates get`
- `app-store-connect certificates list`
- `app-store-connect fetch-signing-files`