microsoft / azure-pipelines-tasks

Tasks for Azure Pipelines
https://aka.ms/tfbuild
MIT License

[BUG]: InstallAppleCertificate@2 not working since macos-14 20241106.300 #20628

Open reinhardlackner opened 1 day ago

reinhardlackner commented 1 day ago

New issue checklist

Task name

InstallAppleCertificate@2

Task version

2

Issue Description

When the Microsoft Hosted Agent is running with Image MacOS-latest (or macOs-14), one of the following images are used:

If the newest version: 20241106.300 is used, it is no longer possible to install an Apple Certificate in temp keychain. Exporting a new p12 certificate file in MacOS and adding to DevOps Library did not help => seems to be an issue in the task for the new image version (and not with an old encryption of the certificate).

Error Message: "Error outputting keys and certificates 804FD158F87F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()"

Environment type (Please select at least one environment where you face this issue)

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

MacOS

Relevant log output

** DIFFERENCE **

Version: 20241106.300 (NOT WORKING)

2024-11-07T17:33:20.5104470Z [command]/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/MyCertificate.p12 -nokeys -passin pass:*** | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space

2024-11-07T17:33:20.5305620Z Error outputting keys and certificates

2024-11-07T17:33:20.5321410Z 804FD158F87F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

20241022.254 (LAST WORKING VERSION - sample of other build)

2024-11-07T17:32:01.0213600Z [command]/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/MyCertificate.p12 -nokeys -passin pass:*** | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space

2024-11-07T17:32:01.0961830Z ##[debug]success of first tool:true

** LOG Initialize job **


Full task logs with system.debug enabled


Repro steps

zachdean commented 1 day ago

@reinhardlackner this issue was because they updated the runner images to use openssl 3 by default (https://github.com/actions/runner-images/issues/10817). Unfortunately, it looks like the hosted runners are now currently in a mixed batch of openssl 3 and openssl 1.1. I wrote a script to get around the issue until it is resolved and the task is updated.

  - task: DownloadSecureFile@1
    displayName: 'Download Apple Distribution Certificates'
    name: appleCertificate
    inputs:
        secureFile: 'AppleDistributionCertificates.p12'

  - script: |
        echo "Installing Apple Distribution Certificates"
        echo $(appleCertificate.secureFilePath)
        $(Build.Repository.LocalPath)/.pipelines/ios/install-signing-certificate \
            $(appleCertificate.secureFilePath) \
            "$certificatePassword"
    displayName: 'Install Apple Distribution Certificates'
    env:
        certificatePassword: $(IosSigningCertificatePassword)

$(Build.Repository.LocalPath)/.pipelines/ios/install-signing-certificate

#!/usr/bin/env bash

install_certificate()
{
    local certificate_path="${1}"
    local password="${2}"
    local legacy=''
    local openssl_version=''
    local major_version=''
    local common_name=''
    local subject=''

    # Check OpenSSL version
    openssl_version=$(/usr/local/bin/openssl version | awk '{print $2}')
    major_version=$(echo "$openssl_version" | cut -d. -f1)
    echo "OpenSSL version: $openssl_version"
    echo "OpenSSL major version: $major_version"
    if [[ "$major_version" -gt 1 ]]; then
        legacy='-legacy'
    fi

    /usr/local/bin/openssl pkcs12 $legacy -in "$certificate_path" -nokeys -passin pass:"$password" | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space

    subject=$(/usr/local/bin/openssl pkcs12 $legacy -in "$certificate_path" -nokeys -passin pass:"$password" | /usr/local/bin/openssl x509 -noout -subject -nameopt utf8,sep_semi_plus_space)
    echo "Subject: $subject"

    common_name=$(echo "$subject" | awk -F'CN=' '{print $2}' | awk -F'[;]' '{print $1}')

    echo "Common Name: $common_name"

    /usr/bin/security create-keychain -p "$password" /Users/runner/work/_temp/ios_signing_temp.keychain

    /usr/bin/security set-keychain-settings -lut 21600 /Users/runner/work/_temp/ios_signing_temp.keychain

    /usr/bin/security unlock-keychain -p "$password" /Users/runner/work/_temp/ios_signing_temp.keychain

    /usr/bin/security import "$certificate_path" -P "$password" -A -t cert -f pkcs12 -k /Users/runner/work/_temp/ios_signing_temp.keychain

    /usr/bin/security list-keychain -d user

    /usr/bin/security list-keychain -d user -s /Users/runner/work/_temp/ios_signing_temp.keychain /Users/runner/Library/Keychains/login.keychain-db

    /usr/bin/security list-keychain -d user

    ## Set the certificate name to be used later in the build
    echo "setting APPLE_CERTIFICATE_SIGNING_IDENTITY to '$common_name'"
    echo "##vso[task.setvariable variable=APPLE_CERTIFICATE_SIGNING_IDENTITY]$common_name"
}

install_certificate "$@"

akhilvswoodplc commented 19 hours ago

Any workaround for this issue?

ivanduplenskikh commented 16 hours ago

@zachdean @akhilvswoodplc, thank you for bringing this issue to our attention. We are currently addressing it and aim to have it resolved as quickly as possible.

holomouse commented 16 hours ago

A possible workaround would be to add -legacy flag to the openssl command, however the flag is not properly passed to the command, a related bug https://github.com/microsoft/azure-pipelines-tasks/issues/19383

andriikut commented 15 hours ago

> A possible workaround would be to add -legacy flag to the openssl command, however the flag is not properly passed to the command, a related bug #19383

I can confirm

     - task: InstallAppleCertificate@2
        displayName: 'Install an Apple certificate'
        inputs:
          certSecureFile: '${{ parameters.iosCertificate }}'
          certPwd: '${{ parameters.iosCertificatePassword }}'
          opensslPkcsArgs: '-legacy'

Output

[debug]/usr/local/bin/openssl arg: ["x509","-sha1","-noout","-fingerprint","-subject","-dates","-nameopt","utf8,sep_semi_plus_space"]

[debug]exec tool: /usr/local/bin/openssl

[debug]arguments:

[debug] pkcs12

[debug] -in

[debug] /Users/runner/work/_temp/iOS-Distribution.p12

[debug] -nokeys

[debug] -passin

[debug] pass:***

[debug] -legacy

/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/iOS-Distribution.p12 -nokeys -passin pass:*** -legacy | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space

pkcs12: Unrecognized flag legacy

pkcs12: Use -help for summary.

[debug]success of first tool:false

unable to load certificate

140704366591488:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

[debug]rc:1

[debug]success:false
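The two failure modes seen so far in this thread (OpenSSL 3 rejecting RC2-40-CBC without `-legacy`, and OpenSSL 1.1 rejecting `-legacy` itself) can be told apart per agent. The following is an added example, not code from the task or from any commenter; the function names and the `P12_PASSWORD` and `OPENSSL_BIN` variables are hypothetical. It also reads the password through OpenSSL's `-passin env:` form so it does not appear in the process argument list, and places `-legacy` before `-in`.

```shell
#!/usr/bin/env bash
# Added example (not part of the original thread). All function and
# variable names here are hypothetical.

# pkcs12_legacy_flag "<output of 'openssl version'>"
# Prints "-legacy" only for OpenSSL 3 or later. LibreSSL also reports a
# 3.x version number but is a different code base whose pkcs12 command
# has no -legacy option, so the implementation name is checked too.
pkcs12_legacy_flag() {
    local banner="$1" impl version major
    impl=${banner%% *}
    version=${banner#* }
    version=${version%% *}
    major=${version%%.*}
    case "$major" in ''|*[!0-9]*) return 0 ;; esac
    if [ "$impl" = "OpenSSL" ] && [ "$major" -ge 3 ]; then
        printf '%s\n' '-legacy'
    fi
}

# classify_pkcs12_stderr "<stderr text>"
# Maps the two error messages quoted in this thread to a diagnosis.
classify_pkcs12_stderr() {
    case "$1" in
        *"Unrecognized flag legacy"*)            echo legacy-unsupported ;;
        *"inner_evp_generic_fetch:unsupported"*) echo needs-legacy ;;
        *)                                       echo other ;;
    esac
}

# unsupported_algorithm "<stderr text>"
# Extracts the algorithm name from "Algorithm (NAME : 0)".
unsupported_algorithm() {
    printf '%s\n' "$1" | sed -n 's/.*Algorithm (\([^ )]*\) : [0-9]*).*/\1/p'
}

# inspect_p12 FILE
# Prints fingerprint, subject and dates of the certificate in FILE.
# The password is taken from the exported variable P12_PASSWORD.
inspect_p12() {
    local p12="$1" openssl_bin="${OPENSSL_BIN:-openssl}" flag errfile pem
    flag=$(pkcs12_legacy_flag "$("$openssl_bin" version)")
    errfile=$(mktemp)
    # $flag is deliberately unquoted: empty must expand to no argument.
    if ! pem=$("$openssl_bin" pkcs12 $flag -in "$p12" -nokeys \
                   -passin env:P12_PASSWORD 2>"$errfile"); then
        echo "pkcs12 failed: $(classify_pkcs12_stderr "$(cat "$errfile")")" >&2
        rm -f "$errfile"
        return 1
    fi
    rm -f "$errfile"
    printf '%s\n' "$pem" | "$openssl_bin" x509 -sha1 -noout -fingerprint \
        -subject -dates -nameopt utf8,sep_semi_plus_space
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    inspect_p12 "$1"
fi
```
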

andriikut commented 14 hours ago

Build is currently running, looks like I was able to import cert with tasks below.

      - task: DownloadSecureFile@1
        displayName: 'Download an Apple certificate'
        inputs:
          secureFile: '${{ parameters.iosCertificate }}'

      - script: |
          openssl pkcs12 -in $(Agent.TempDirectory)/${{ parameters.iosCertificate }} -out cert.pem -nokeys -passin pass:${{ parameters.iosCertificatePassword }}
          security import cert.pem -k ~/Library/Keychains/login.keychain-db -T /usr/bin/codesign
        displayName: 'Install Apple Certificate via OpenSSL'

[debug]failOnStderr=false

[debug]script=openssl pkcs12 -in /Users/runner/work/_temp/iOS-Distribution.p12 -out cert.pem -nokeys -passin pass:***

security import cert.pem -k ~/Library/Keychains/login.keychain-db -T /usr/bin/codesign

1 certificate imported.

[debug]Exit code 0 received from tool '/bin/bash'

[debug]STDIO streams have closed for tool '/bin/bash'

##[debug]task result: Succeeded

OliverBrown-Next commented 14 hours ago

@zachdean Thank you for that script, that is working for me.

holomouse commented 11 hours ago

> Build is currently running, looks like I was able to import cert with tasks below.
>
>       - task: DownloadSecureFile@1
>         displayName: 'Download an Apple certificate'
>         inputs:
>           secureFile: '${{ parameters.iosCertificate }}'
>
>       - script: |
>           openssl pkcs12 -in $(Agent.TempDirectory)/${{ parameters.iosCertificate }} -out cert.pem -nokeys -passin pass:${{ parameters.iosCertificatePassword }}
>           security import cert.pem -k ~/Library/Keychains/login.keychain-db -T /usr/bin/codesign
>         displayName: 'Install Apple Certificate via OpenSSL'
>
> [debug]failOnStderr=false
>
> ##[debug]script=openssl pkcs12 -in /Users/runner/work/_temp/iOS-Distribution.p12 -out cert.pem -nokeys -passin pass:***
>
> security import cert.pem -k ~/Library/Keychains/login.keychain-db -T /usr/bin/codesign
>
> 1 certificate imported.
>
> ##[debug]Exit code 0 received from tool '/bin/bash'
>
> ##[debug]STDIO streams have closed for tool '/bin/bash'
>
> ##[debug]task result: Succeeded

This doesn't work for me on the 20241106.300 image :(