Unverified commit 90771beb, authored by per1234, committed by GitHub

[skip changelog] Restore certificate check compatibility w/ RC2-40-CBC encrypted PKCS #12 (#2002)

The "Check Certificates" GitHub Actions workflow uses OpenSSL to check for problems with the project's signing
certificates.

Certificates exported to PKCS #12 archive files using older tools may have been encrypted using the "RC2-40-CBC"
algorithm.

Due to the availability of more secure modern alternatives, default support for RC2-40-CBC encryption was dropped in
OpenSSL 3.x.

The macOS signing certificate uses this RC2-40-CBC encryption.

The "Check Certificates" GitHub Actions workflow runs on the `ubuntu-latest` runner. Previously, this runner used Ubuntu
20.04. This has now changed to Ubuntu 22.04. With the operating system update came an OpenSSL update from 1.1.1f to
3.0.2. This caused the workflow runs to fail on the macOS certificate job:

Error outputting keys and certificates
80FBB0C5087F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Even though no longer done by default, OpenSSL still supports RC2-40-CBC encryption via its "legacy" provider. So
compatibility with the certificate is restored by adding the `-legacy` flag to the `openssl pkcs12` commands.
parent bc5cf6d7
......@@ -59,7 +59,9 @@ jobs:
(
openssl pkcs12 \
-in "${{ env.CERTIFICATE_PATH }}" \
-noout -passin env:CERTIFICATE_PASSWORD
-legacy \
-noout \
-passin env:CERTIFICATE_PASSWORD
) || (
echo "::error::Verification of ${{ matrix.certificate.identifier }} failed!!!"
exit 1
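Review bot: `-legacy` is passed unconditionally in this verification command, so every certificate in the matrix (see `matrix.certificate.identifier` in the error line) is opened with the legacy provider, while the commit message says only the macOS certificate is RC2-40-CBC encrypted. Consider driving the flag from the matrix entry so that any other archive using a legacy algorithm still fails the check, and add a short comment beside the flag saying why it is needed. `-legacy` is also an OpenSSL 3.x option, so the step now depends on the runner shipping 3.x; pinning the runner image instead of relying on `ubuntu-latest` would make that dependency explicit.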
......@@ -87,6 +89,7 @@ jobs:
openssl pkcs12 \
-in "${{ env.CERTIFICATE_PATH }}" \
-clcerts \
-legacy \
-nodes \
-passin env:CERTIFICATE_PASSWORD
) | (
......
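Review bot: With `-legacy` tying this command to OpenSSL 3.x, the `-nodes` on the following line is now the deprecated spelling; OpenSSL 3.0 documents `-noenc` as its replacement, and switching here avoids a later break. This invocation also has `-clcerts` with no `-nokeys`, so the private key is written unencrypted into the pipe; if the consumer after `) | (` only reads the certificate, adding `-nokeys` keeps the key out of the pipeline. As in the first hunk, a one-line comment on why `-legacy` is required would help whoever next re-exports the certificate.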