microsoft / azure-pipelines-tasks

Tasks for Azure Pipelines
https://aka.ms/tfbuild
MIT License

[BUG]: InstallAppleCertificate STILL fails to install certificates #19607

Open AlphaNERD- opened 4 months ago

AlphaNERD- commented 4 months ago

Task name

InstallAppleCertificate@2

Task version

2.231.1

Issue Description

Hello Azure DevOps devs,

I've begun to rebuild my CD pipeline as part of an ongoing migration of my iOS app to .NET 8. Currently my pipeline keeps failing at the InstallAppleCertificate task.

I've made sure that the certificate and provisioning profile are up-to-date and I've looked up the issue on GitHub. People have suggested to pass the flag -legacy to the task whenever the issue was reported, however the -legacy flag is not recognized by openssl. The latest GitHub issue ended with a user still facing this issue, however the issue was closed solely because the -legacy flag was passed on to openssl. (https://github.com/microsoft/azure-pipelines-tasks/issues/19436). The user still couldn't install the certificate.

Another issue (https://github.com/microsoft/azure-pipelines-tasks/issues/19383) was closed because the user regenerated their certificate and yet another issue (https://github.com/microsoft/azure-pipelines-tasks/issues/18560) was closed because of... I don't know, because nobody reported it as fixed or as going stale or whatever. Someone suggested that the OpenSSL version was outdated, however I don't know how to update it or whether I can update it on hosted images. I tried out Microsoft's images macos-11, macos-12 and macos-13 too.

Environment type (Please select at least one environment where you face this issue)

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

macos-13

Relevant log output

Starting: Install Certificate
==============================================================================
Task         : Install Apple certificate
Description  : Install an Apple certificate required to build on a macOS agent machine
Version      : 2.231.1
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/install-apple-certificate
==============================================================================
/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/ios_distribution.p12 -nokeys -passin pass:*** -legacy | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
pkcs12: Unrecognized flag legacy
pkcs12: Use -help for summary.
unable to load certificate
4657255936:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
##[warning]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
##[error]Error: /usr/local/bin/openssl failed with return code: 1
Finishing: Install Certificate

Repro steps

- task: InstallAppleCertificate@2
  displayName: 'Install Certificate'
  inputs:
    certSecureFile: 'ios_distribution.p12'
    certPwd: '$(Passwort)'
    keychain: 'temp'
    deleteCert: true

kirill-ivlev commented 4 months ago

@AlphaNERD- thanks for reporting! We are working on more prioritized issues at the moment, but will get back to this one soon.

AlphaNERD- commented 1 month ago

Uuuh... devs... When is "soon" happening? The build is still failing more than 60 days later.

Vandersteen commented 1 month ago

For me the issue was that I exported only the key and not the key and certificate (using Keychain Access). Make sure you select both before you export.

AlphaNERD- commented 1 month ago

Just to be sure, how do you do it? And how do you use them in the YAML pipeline?

Vandersteen commented 1 month ago

In keychain access, select both the key & cert then right click to export to .p12
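
The two things discussed so far, whether the agent's openssl accepts `-legacy` (the log in the report shows `pkcs12: Unrecognized flag legacy`) and whether the exported .p12 holds both a certificate and a private key, can be checked before the task runs. This is an added example, not part of the thread or of the task's code; the function names and the `OPENSSL_BIN` and `P12_PASS` environment variables are assumptions.

```bash
#!/usr/bin/env bash
# Added example: preflight checks for a .p12 bundle on a macOS build agent.
# OPENSSL_BIN and P12_PASS are assumed environment variables, not task inputs.

OPENSSL_BIN="${OPENSSL_BIN:-/usr/local/bin/openssl}"

# Succeeds if this openssl's pkcs12 subcommand lists a -legacy option.
# Help text goes to stdout or stderr depending on the build, so read both.
supports_legacy() {
  "$OPENSSL_BIN" pkcs12 -help 2>&1 | grep -q -e '-legacy'
}

# Prints how many PEM blocks of one kind ("cert" or "key") the bundle holds.
# The password is read from $P12_PASS through -passin env:, so it is not
# placed on the command line. Key material only travels through the pipe
# into grep; it is never written to disk or to the log.
count_in_p12() {
  p12="$1"; kind="$2"; extra=""
  # Only hand over -legacy when the binary knows it.
  if supports_legacy; then extra="-legacy"; fi
  case "$kind" in
    cert) sel="-nokeys";         marker='BEGIN CERTIFICATE' ;;
    key)  sel="-nocerts -nodes"; marker='BEGIN .*PRIVATE KEY' ;;
    *)    return 2 ;;
  esac
  # $sel and $extra are left unquoted on purpose so they split into flags.
  # grep -c exits 1 on a count of 0, hence the trailing "|| true".
  "$OPENSSL_BIN" pkcs12 -in "$p12" -passin env:P12_PASS $sel $extra 2>/dev/null \
    | grep -c -e "$marker" || true
}
```

A bundle that is ready for import reports at least 1 for both `count_in_p12 file.p12 cert` and `count_in_p12 file.p12 key`; a count of 0 for `cert` matches the key-only export described above.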

AlphaNERD- commented 1 month ago

Unfortunately that didn't help. I sure wonder when Microsoft will help... Or whether DevOps is getting the Visual Studio App Center treatment.

matt-goldman commented 2 weeks ago

I kind of found a workaround for this. I say "kind of" because I don't recommend anyone does this. But essentially I just downloaded and installed the certificate myself:

  - task: DownloadSecureFile@1
    name: downloadDevCert
    displayName: 'Download Apple Certificate'
    inputs:
      secureFile: 'yourcertificate.p12'

  - bash: |
      echo "Received secret: $CERT_PASSWORD"
      security import $(downloadDevCert.secureFilePath) -k ~/Library/Keychains/login.keychain -P yourp4ww0rdw!ch!sn0l0ng3r53cur3
    env:
      CERT_PASSWORD: $(P12password)
    displayName: 'Install signing certificate'

The reason I don't recommend anyone does this is because the secrets don't work. The output just shows:

Received secret: $(P12password)

Instead of what I expect to see which is:

Received secret: ****

Which is why I've put the secret directly in the command and why I say it's no longer secure. But at least this got me over this specific bump.

I've tried this a few different ways (and followed the docs) but if someone can explain to me what I'm doing wrong, and perhaps make this a viable (and secure) workaround for others, then that would be appreciated.
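
Azure Pipelines leaves a `$(name)` macro untouched when no variable of that name resolves in the current scope, so a literal `$(P12password)` reaching the script means the variable was never found. The script below is an added example, not code from the comment above or from Microsoft: written as the body of the `bash:` step, it refuses to import in that case and never echoes the secret. `CERT_PASSWORD` is the `env:` mapping shown above; `P12_PATH` and `KEYCHAIN` are assumed names for values mapped the same way (for example `P12_PATH: $(downloadDevCert.secureFilePath)`).

```bash
#!/usr/bin/env bash
# Added example. CERT_PASSWORD is the env: mapping from the step above;
# P12_PATH and KEYCHAIN are assumed names, mapped under env: in the same way.

# Classifies a value handed to the step:
#   empty      - nothing was mapped
#   unexpanded - still the literal $(name) macro, the variable did not resolve
#   ok         - anything else
secret_state() {
  case "$1" in
    '')       echo empty ;;
    '$('*')') echo unexpanded ;;
    *)        echo ok ;;
  esac
}

# Imports the .p12 only when the password resolved. Diagnostics name the
# state of the variable and never contain its value.
import_p12() {
  state=$(secret_state "${CERT_PASSWORD-}")
  if [ "$state" != ok ]; then
    echo "CERT_PASSWORD is $state: check the variable name, the variable group link and its scope" >&2
    return 1
  fi
  security import "$P12_PATH" \
    -k "${KEYCHAIN:-$HOME/Library/Keychains/login.keychain}" \
    -P "$CERT_PASSWORD"
}

# TF_BUILD is set to True on Azure Pipelines agents; import only there.
if [ "${TF_BUILD-}" = "True" ]; then
  import_p12
fi
```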