From b1c0b43df7755679720d03826f2ddb596abcb951 Mon Sep 17 00:00:00 2001
From: per1234 <accounts@perglass.com>
Date: Wed, 7 Dec 2022 03:05:20 -0800
Subject: [PATCH] Restore certificate check compatibility w/ RC2-40-CBC
 encrypted PKS#12

The "Check Notarization Certificates" GitHub Actions workflow uses OpenSSL to check for problems with the project's
signing certificates.

Certificates exported to PKS#12 archive files using older tools may have been encrypted using the "RC2-40-CBC"
algorithm.

Due to the availability of more secure modern alternatives, default support for "RC2-40-CBC" encryption was dropped in
OpenSSL 3.x.

This project's macOS signing certificate uses the "RC2-40-CBC" encryption.

The "Check Notarization Certificates" GitHub Actions workflow runs on the `ubuntu-latest` runner. Previously, this runner used Ubuntu
20.04. This has now changed to Ubuntu 22.04. With the operating system update came an OpenSSL update from 1.1.1f to
3.0.2. This caused the workflow runs to fail on the macOS certificate job:

Error outputting keys and certificates
40B7B766147F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Even though no longer done by default, OpenSSL still supports "RC2-40-CBC" encryption via its "legacy" provider. So
compatibility with the certificate is restored by adding the `-legacy` flag to the `openssl pkcs12` commands.

This is a sync from the upstream "template" workflow:

https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/check-certificates.yml
---
 .github/workflows/check-notarization-certificates.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/check-notarization-certificates.yml b/.github/workflows/check-notarization-certificates.yml
index 4dd6807b..74b35564 100644
--- a/.github/workflows/check-notarization-certificates.yml
+++ b/.github/workflows/check-notarization-certificates.yml
@@ -56,7 +56,9 @@ jobs:
           (
             openssl pkcs12 \
               -in "${{ env.CERTIFICATE_PATH }}" \
-              -noout -passin env:CERTIFICATE_PASSWORD
+              -legacy \
+              -noout \
+              -passin env:CERTIFICATE_PASSWORD
           ) || (
             echo "::error::Verification of ${{ matrix.certificate.identifier }} failed!!!"
             exit 1
@@ -84,6 +86,7 @@ jobs:
               openssl pkcs12 \
                 -in "${{ env.CERTIFICATE_PATH }}" \
                 -clcerts \
+                -legacy \
                 -nodes \
                 -passin env:CERTIFICATE_PASSWORD
             ) | (