Restore certificate check compatibility w/ RC2-40-CBC encrypted PKS#12 #1745
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The "Check Certificates" GitHub Actions workflow uses OpenSSL to check for problems with the project's signing certificates. Certificates exported to PKS#12 archive files using older tools may have been encrypted using the "RC2-40-CBC" algorithm. Due to the availability of more secure modern alternatives, default support for RC2-40-CBC encryption was dropped in OpenSSL 3.x. The macOS signing certificate uses this RC2-40-CBC encryption. The "Check Certificates" GitHub Actions workflow runs on the `ubuntu-latest` runner. Previously, this runner used Ubuntu 20.04. This has now changed to Ubuntu 22.04. With the operating system update came an OpenSSL update from 1.1.1f to 3.0.2. This caused the workflow runs to fail on the macOS certificate job: Error outputting keys and certificates 80FBB0C5087F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties () Even though no longer done by default, OpenSSL still supports RC2-40-CBC encryption via its "legacy" provider. So compatibility with the certificate is restored by adding the `-legacy` flag to the `openssl pkcs12` commands.
per1234
added
topic: infrastructure
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
The "Check Certificates" GitHub Actions workflow uses OpenSSL to check for problems with the project's signing certificates.
Certificates exported to PKS #12 archive files using older tools may have been encrypted using the "RC2-40-CBC" algorithm.
Due to the availability of more secure modern alternatives, default support for RC2-40-CBC encryption was dropped in OpenSSL 3.x.
The macOS signing certificate uses this RC2-40-CBC encryption.
The "Check Certificates" GitHub Actions workflow runs on the
ubuntu-latestrunner. Previously, this runner used Ubuntu 20.04. This has now changed to Ubuntu 22.04. With the operating system update came an OpenSSL update from 1.1.1f to 3.0.2. This caused the workflow runs to fail on the macOS certificate job:https://github.com/arduino/arduino-ide/actions/runs/3637803834/jobs/6139239158#step:5:16
Change description
Even though no longer done by default, OpenSSL still supports RC2-40-CBC encryption via its "legacy" provider. So compatibility with the certificate is restored by adding the
-legacyflag to theopenssl pkcs12commands.Other information
Passing "Check Certificates" workflow run from the commit proposed in this PR:
https://github.com/arduino/arduino-ide/actions/runs/3638084494
Identical change applied to the Arduino CLI repository to fix the same bug: arduino/arduino-cli#2002
Reviewer checklist