azure-pipelines-tasks: [BUG]: InstallAppleCertificateV2 fails if it tries to use OpenSSL@3 from Homebrew

Task name

InstallAppleCertificateV2

Task version

2

Environment type (Please select at least one environment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

macOS 12

Task log

2023-06-27T13:12:07.8404820Z ##[section]Starting: InstallAppleCertificate
2023-06-27T13:12:07.8724910Z ==============================================================================
2023-06-27T13:12:07.8736780Z Task         : Install Apple certificate
2023-06-27T13:12:07.8739300Z Description  : Install an Apple certificate required to build on a macOS agent machine
2023-06-27T13:12:07.8740020Z Version      : 2.220.0
2023-06-27T13:12:07.8741550Z Author       : Microsoft Corporation
2023-06-27T13:12:07.8744160Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/install-apple-certificate
2023-06-27T13:12:07.8745090Z ==============================================================================
2023-06-27T13:12:10.2759800Z [command]/usr/local/bin/openssl pkcs12 -in /Users/admin/VSTS/_work/_temp/Certificates.p12 -nokeys -passin pass:*** | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
2023-06-27T13:12:10.6693620Z Error outputting keys and certificates
2023-06-27T13:12:10.6697500Z 0056960402000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
2023-06-27T13:12:10.6793430Z Could not read certificate from <stdin>
2023-06-27T13:12:10.6906760Z ##[error]Error: /usr/local/bin/openssl failed with return code: 1
2023-06-27T13:12:10.7356810Z ##[section]Finishing: InstallAppleCertificate

Relevant log output

2023-06-27T13:12:10.6697500Z 0056960402000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Additional info

When the self-hosted build agent has OpenSSL@3 installed on it (in our case we believe this was installed as a dependency for azure-cli via Homebrew, ironically), the InstallAppleCertificate task attempts to open openssl from the path at /usr/local/bin instead of the system openssl binary at /usr/bin.

At the moment it's unclear whether this is a bug we should be raising against OpenSSL, or is a case that OpenSSL@3 requires different CLI args to work with the .p12 file being given to it.

It would be nice if we could explicitly set the path to find the openssl binary to use in this task instead of relying on determining openssl binary location from the $PATH environment.

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 10
  • Comments: 42 (4 by maintainers)

Most upvoted comments

steps:
  - task: InstallAppleCertificate@2
    name: AppleCertificate
    displayName: Install an Apple certificate
    inputs:
      certSecureFile: "$(ios_apple_certificate)"
      certPwd: "$(ios_apple_certificate_password)"
      keychain: "temp"
      opensslPkcsArgs: '-legacy'

Well, finally was able to fix this issue…

As a workaround on the machine I’ve launched: brew unlink openssl. This way openssl3 is still installed and available for other formulas that will look for libssl, but the executable will point to the OS-bundled version.

@pthexton thanks for reporting this! We’re currently working on higher-priority issues, but we’ll get back to this soon.

Closing the issue, since the fix seems working. Thanks, @bondarenkod for confirmation!

@pthexton please feel free to reopen it in case the error is still actual.

Seems resolved with the new macos-13 image that was released 9 hours ago. ☺️

I’m facing this issue on Microsoft Hosted too.

Same here, can’t seem to build at all at the moment.

Edit: I downgraded from macOS-13 to macOS-12 and this seems to be working okay again. I did the upgrade to 13 today, so I guess I’ll be going back again. The problem is that we can’t use the newer Xcode versions now since they don’t seem to be installed on macOS-12

opensslPkcsArgs arguments get passed through fine? @bondarenkod

yep!

It seems that the issue you’re encountering might be related to an outdated version of OpenSSL. To resolve this, I recommend upgrading OpenSSL to the latest version. This upgrade is particularly important as recent versions of PowerShell require a current version of OpenSSL for optimal performance. Although I don’t have extensive details at the moment, I began experiencing similar issues immediately after updating PowerShell through Brew. After that I started using this flag.

FYI: workarounds posted above regarding path edit or brew unlink will not work on hosted machines because of the InstallAppleCertificateV2’s pre-job task.

Same here on hosted agent. Quick fix, if possible downgrade to macOS-12

Just started seeing this today. Could look like the new image release is breaking this: https://github.com/actions/runner-images/releases/tag/macos-13%2F20230731.2
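
A triage sketch for the failure discussed in this thread, added here as an example and not code from the task or from any commenter: it pulls the unsupported algorithm out of the error line, identifies which openssl flavor is first on PATH, and suggests `-legacy` for `opensslPkcsArgs` only when the binary is OpenSSL 3 or later and the cipher is RC2. The function names and the sample version string are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage for the "unsupported ... RC2-40-CBC" failure in the task log.

# Error line copied from the task log on this page.
SAMPLE_ERR='0056960402000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()'
# Constructed sample of `openssl version` output (the page does not give one).
SAMPLE_VER='OpenSSL 3.1.1 30 May 2023'

# Print the algorithm openssl failed to fetch; print nothing for other errors.
unsupported_algorithm() {
  printf '%s\n' "$1" |
    sed -n 's/.*inner_evp_generic_fetch:unsupported:.*Algorithm (\([^ :)]*\).*/\1/p' |
    head -n 1
}

# Map `openssl version` output to libressl / openssl<major> / unknown.
openssl_flavor() {
  case "$1" in
    LibreSSL*) echo libressl ;;
    OpenSSL\ [0-9]*) printf '%s\n' "$1" | sed 's/^OpenSSL \([0-9]*\).*/openssl\1/' ;;
    *) echo unknown ;;
  esac
}

# Suggest a value for opensslPkcsArgs: -legacy only when the binary is
# OpenSSL 3+ and the failure names an RC2 cipher (the case on this page).
suggest_pkcs_args() {
  case "$(openssl_flavor "$1"):$(unsupported_algorithm "$2")" in
    openssl[3-9]*:RC2-*) echo "-legacy" ;;
    *) echo "" ;;
  esac
}

# List every openssl on PATH in resolution order, with its flavor.
report_path_binaries() {
  old_ifs=$IFS; IFS=:
  for dir in $PATH; do
    if [ -x "$dir/openssl" ]; then
      printf '%s\t%s\n' "$dir/openssl" "$(openssl_flavor "$("$dir/openssl" version 2>/dev/null)")"
    fi
  done
  IFS=$old_ifs
}

report_path_binaries
echo "suggested opensslPkcsArgs: '$(suggest_pkcs_args "$SAMPLE_VER" "$SAMPLE_ERR")'"
```

On an agent, pass the real `openssl version` output and the captured stderr of the failing `pkcs12` command in place of the two sample variables.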