Skip to content

[skip changelog] Restore certificate check compatibility w/ RC2-40-CBC encrypted PKS #12 #2002

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 7, 2022
Merged

[skip changelog] Restore certificate check compatibility w/ RC2-40-CBC encrypted PKS #12 #2002

merged 1 commit into from
Dec 7, 2022

Conversation

per1234
Copy link
Contributor

@per1234 per1234 commented Dec 7, 2022

Please check if the PR fulfills these requirements

See how to contribute

  • The PR has no duplicates (please search among the Pull Requests
    before creating one)
  • The PR follows
    our contributing guidelines
  • [N/A] Tests for the changes have been added (for bug fixes / features)
  • [N/A] Docs have been added / updated (for bug fixes / features)
  • [N/A] UPGRADING.md has been updated with a migration guide (for breaking changes)

What kind of change does this PR introduce?

Infrastructure fix

What is the current behavior?

The "Check Certificates" GitHub Actions workflow uses OpenSSL to check for problems with the project's signing certificates.

Certificates exported to PKS #12 archive files using older tools may have been encrypted using the "RC2-40-CBC" algorithm.

Due to the availability of more secure modern alternatives, default support for RC2-40-CBC encryption was dropped in OpenSSL 3.x.

The macOS signing certificate uses this RC2-40-CBC encryption.

The "Check Certificates" GitHub Actions workflow runs on the ubuntu-latest runner. Previously, this runner used Ubuntu 20.04. This has now changed to Ubuntu 22.04. With the operating system update came an OpenSSL update from 1.1.1f to 3.0.2. This caused the workflow runs to fail on the macOS certificate job:

https://github.com/arduino/arduino-cli/actions/runs/3634539791/jobs/6132720176#step:5:16

Error outputting keys and certificates
80FBB0C5087F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

What is the new behavior?

Even though no longer done by default, OpenSSL still supports RC2-40-CBC encryption via its "legacy" provider. So compatibility with the certificate is restored by adding the -legacy flag to the openssl pkcs12 commands.

Does this PR introduce a breaking change, and is titled accordingly?

No breaking change.

@per1234
[skip changelog] Restore certificate check compatibility w/ RC2-40-CB…
a5f5403 
…C encrypted PKS #12

The "Check Certificates" GitHub Actions workflow uses OpenSSL to check for problems with the project's signing
certificates.

Certificates exported to PKS #12 archive files using older tools may have been encrypted using the "RC2-40-CBC"
algorithm.

Due to the availability of more secure modern alternatives, default support for RC2-40-CBC encryption was dropped in
OpenSSL 3.x.

The macOS signing certificate uses this RC2-40-CBC encryption.

The "Check Certificates" GitHub Actions workflow runs on the `ubuntu-latest` runner. Previously, this runner used Ubuntu
20.04. This has now changed to Ubuntu 22.04. With the operating system update came an OpenSSL update from 1.1.1f to
3.0.2. This caused the workflow runs to fail on the macOS certificate job:

Error outputting keys and certificates
80FBB0C5087F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Even though no longer done by default, OpenSSL still supports RC2-40-CBC encryption via its "legacy" provider. So
compatibility with the certificate is restored by adding the `-legacy` flag to the `openssl pkcs12` commands.
@per1234 per1234 added topic: infrastructure Related to project infrastructure type: imperfection Perceived defect in any part of project labels Dec 7, 2022
@per1234 per1234 self-assigned this Dec 7, 2022
@per1234 per1234 merged commit 90771be into master Dec 7, 2022
@per1234 per1234 deleted the per1234/fix-check-certificates branch December 7, 2022 10:25
@per1234 per1234 mentioned this pull request Dec 7, 2022
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@umbynos umbynos umbynos approved these changes

@MatteoPologruto MatteoPologruto MatteoPologruto approved these changes

Assignees

@per1234 per1234

Labels
topic: infrastructure Related to project infrastructure type: imperfection Perceived defect in any part of project
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@per1234 @umbynos @MatteoPologruto