Restore certificate check compatibility w/ RC2-40-CBC encrypted PKS#12 #466
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The "Check Certificates" GitHub Actions workflow uses OpenSSL to check for problems with the project's signing certificates. Certificates exported to PKS#12 archive files using older tools may have been encrypted using the "RC2-40-CBC" algorithm. Due to the availability of more secure modern alternatives, default support for "RC2-40-CBC" encryption was dropped in OpenSSL 3.x. This project's macOS signing certificate uses the "RC2-40-CBC" encryption. The "Check Certificates" GitHub Actions workflow runs on the `ubuntu-latest` runner. Previously, this runner used Ubuntu 20.04. This has now changed to Ubuntu 22.04. With the operating system update came an OpenSSL update from 1.1.1f to 3.0.2. This caused the workflow runs to fail on the macOS certificate job: Error outputting keys and certificates 80FBB0C5087F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties () Even though no longer done by default, OpenSSL still supports "RC2-40-CBC" encryption via its "legacy" provider. So compatibility with the certificate is restored by adding the `-legacy` flag to the `openssl pkcs12` commands. This is a sync from the upstream "template" workflow: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/check-certificates.yml
per1234
added
topic: infrastructure
kittaakos
approved these changes
Dec 8, 2022
There was a problem hiding this comment.
It looks good based on the changes made for arduino/arduino-ide#1745. Thank you!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The "Check Certificates" GitHub Actions workflow uses OpenSSL to check for problems with the project's signing certificates.
Certificates exported to PKS #12 archive files using older tools may have been encrypted using the "RC2-40-CBC" algorithm.
Due to the availability of more secure modern alternatives, default support for "RC2-40-CBC" encryption was dropped in OpenSSL 3.x.
This project's macOS signing certificate uses "RC2-40-CBC" encryption.
The "Check Certificates" GitHub Actions workflow runs on the
ubuntu-latestrunner. Previously, this runner used Ubuntu 20.04. This has now changed to Ubuntu 22.04. With the operating system update came an OpenSSL update from 1.1.1f to 3.0.2. This caused the workflow runs to fail on the macOS certificate job:https://github.com/arduino/arduino-lint/actions/runs/3637814935/jobs/6139263908#step:5:16
Even though no longer done by default, OpenSSL still supports "RC2-40-CBC" encryption via its "legacy" provider. So compatibility with the certificate is restored by adding the
-legacyflag to theopenssl pkcs12commands.This is a sync from the upstream "template" workflow: arduino/tooling-project-assets#294