Use OpenSSL "legacy" provider in "Check Certificates" for compatibility w/ RC2-40-CBC encrypted PKS#12 #294
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ty w/ RC2-40-CBC encrypted PKS#12 The "Check Certificates" GitHub Actions workflow template uses OpenSSL to check for problems with the project's signing certificates. Certificates exported to PKS #12 archive files using older tools may have been encrypted using the "RC2-40-CBC" algorithm. Due to the availability of more secure modern alternatives, default support for RC2-40-CBC encryption was dropped in OpenSSL 3.x. The macOS signing certificate currently used by Arduino uses this RC2-40-CBC encryption. The "Check Certificates" GitHub Actions workflow runs on the `ubuntu-latest` runner. Previously, this runner used Ubuntu 20.04. This has now changed to Ubuntu 22.04. With the operating system update came an OpenSSL update from 1.1.1f to 3.0.2. This caused the workflow runs to fail on the macOS certificate job: Error outputting keys and certificates 80FBB0C5087F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties () Even though no longer done by default, OpenSSL still supports RC2-40-CBC encryption via its "legacy" provider. So compatibility with the certificate is restored by adding the `-legacy` flag to the `openssl pkcs12` commands.
per1234
added
type: imperfection
MatteoPologruto
approved these changes
Dec 7, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The "Check Certificates" GitHub Actions workflow uses OpenSSL to check for problems with the project's signing certificates.
Certificates exported to PKS #12 archive files using older tools may have been encrypted using the "RC2-40-CBC" algorithm.
Due to the availability of more secure modern alternatives, default support for RC2-40-CBC encryption was dropped in OpenSSL 3.x.
The macOS signing certificate currently used by Arduino uses this "RC2-40-CBC" encryption so it will be best to configure the workflow to still support this algorithm.
The "Check Certificates" GitHub Actions workflow runs on the
ubuntu-latestrunner. Previously, this runner used Ubuntu 20.04. This has now changed to Ubuntu 22.04. With the operating system update came an OpenSSL update from 1.1.1f to 3.0.2. This caused the workflow runs to fail on the macOS certificate job:https://github.com/arduino/arduino-cli/actions/runs/3634539791/jobs/6132720176#step:5:16
Even though no longer done by default, OpenSSL still supports RC2-40-CBC encryption via its "legacy" provider. So compatibility with the certificate is restored by adding the
-legacyflag to theopenssl pkcs12commands.