[BUG]: InstallAppleCertificate@2 not working since macos-14 20241106.300

[reinhardlackner]

New issue checklist

• I searched for existing GitHub issues
• I read pipeline troubleshooting guide
• I checked how to collect logs

Task name

InstallAppleCertificate@2

Task version

2

Issue Description

• task: InstallAppleCertificate@2
  displayName: 'Install Apple Certificate'
  inputs:
  certSecureFile: $(certSigningAppleCertName)
  certPwd: '$(certSigningAppleCertPassword)'
  keychain: 'temp'

When the Microsoft Hosted Agent is running with Image MacOS-latest (or macOs-14), one of the following images are used:

• Image: macos-14, Version: 20241106.300 (NOT WORKING)
• Image: macos-14, Version: 20241022.254 (LAST WORKING VERSION)

If the newest version: 20241106.300 is used, it is no longer possible to install an Apple Certificate in temp keychain.
Exporting a new p12 certificate file in MacOS and adding to DevOps Library did not help => seems to be an issue in the task for the new image version (and not with an old encryption of the certificate).

Error Message:
"Error outputting keys and certificates
804FD158F87F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()"

Environment type (Please select at least one enviroment where you face this issue)

• Self-Hosted
• Microsoft Hosted
• VMSS Pool
• Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

MacOS

Relevant log output

************* DIFFERENCE ***************

Version: 20241106.300 (NOT WORKING)

2024-11-07T17:33:20.5104470Z [command]/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/MyCertificate.p12 -nokeys -passin pass:*** | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
2024-11-07T17:33:20.5305620Z Error outputting keys and certificates
2024-11-07T17:33:20.5321410Z 804FD158F87F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

20241022.254 (LAST WORKING VERSION - sample of other build)

2024-11-07T17:32:01.0213600Z [command]/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/MyCertificate.p12 -nokeys -passin pass:*** | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
2024-11-07T17:32:01.0961830Z ##[debug]success of first tool:true

************** LOG Initialize job **************

2024-11-07T17:33:16.0718640Z ##[section]Starting: Initialize job
2024-11-07T17:33:16.0720850Z Agent name: 'Hosted Agent'
2024-11-07T17:33:16.0721290Z Agent machine name: 'Mac-1730999632554'
2024-11-07T17:33:16.0721520Z Current agent version: '3.246.0'
2024-11-07T17:33:16.0753870Z ##[group]Operating System
2024-11-07T17:33:16.0754110Z macOS
2024-11-07T17:33:16.0754240Z 14.7.1
2024-11-07T17:33:16.0754360Z 23H222
2024-11-07T17:33:16.0754490Z ##[endgroup]
2024-11-07T17:33:16.0754660Z ##[group]Runner Image
2024-11-07T17:33:16.0754820Z Image: macos-14
2024-11-07T17:33:16.0754980Z Version: 20241106.300
2024-11-07T17:33:16.0755280Z Included Software: https://github.com/actions/runner-images/blob/macos-14/20241106.300/images/macos/macos-14-Readme.md
2024-11-07T17:33:16.0755660Z Image Release: https://github.com/actions/runner-images/releases/tag/macos-14%2F20241106.300
2024-11-07T17:33:16.0756010Z ##[endgroup]
2024-11-07T17:33:16.0756190Z ##[group]Runner Image Provisioner
2024-11-07T17:33:16.0756420Z 2.0.384.1+6d6c56aa16f1b9c7dd7935df5d63980397e44def
2024-11-07T17:33:16.0756620Z ##[endgroup]
2024-11-07T17:33:16.0760300Z Current image version: '20241106.300'
2024-11-07T17:33:16.1639110Z Agent running as: 'runner'
2024-11-07T17:33:16.1674010Z ##[debug]Triggering repository: TestMobile. repository type: Git
2024-11-07T17:33:16.1678150Z Prepare build directory.
2024-11-07T17:33:16.1870160Z ##[debug]Creating build directory: '/Users/runner/work/1'
2024-11-07T17:33:16.1875480Z ##[debug]Delete existing artifacts directory: '/Users/runner/work/1/a'
2024-11-07T17:33:16.1877910Z ##[debug]Creating artifacts directory: '/Users/runner/work/1/a'
2024-11-07T17:33:16.1880040Z ##[debug]Delete existing test results directory: '/Users/runner/work/1/TestResults'
2024-11-07T17:33:16.1880730Z ##[debug]Creating test results directory: '/Users/runner/work/1/TestResults'
2024-11-07T17:33:16.1882600Z ##[debug]Creating binaries directory: '/Users/runner/work/1/b'
2024-11-07T17:33:16.1884410Z ##[debug]Creating source directory: '/Users/runner/work/1/s'
2024-11-07T17:33:16.1946320Z Set build variables.
2024-11-07T17:33:16.1977480Z Download all required tasks.
2024-11-07T17:33:16.2124170Z Downloading task: InstallAppleCertificate (2.246.5)
2024-11-07T17:33:18.0108820Z ##[debug]Task 'InstallAppleCertificate' has been downloaded into '/Users/runner/work/_tasks/InstallAppleCertificate_d2eff759-736d-4b7b-8554-7ba0960d49d6/2.246.5'.
2024-11-07T17:33:18.0766820Z Checking job knob settings.
2024-11-07T17:33:18.0769710Z Knob: DockerActionRetries = true Source: $(VSTSAGENT_DOCKER_ACTION_RETRIES)
2024-11-07T17:33:18.0770170Z Knob: AgentToolsDirectory = /Users/runner/hostedtoolcache Source: ${AGENT_TOOLSDIRECTORY}
2024-11-07T17:33:18.0771580Z Knob: UseGitLongPaths = true Source: $(USE_GIT_LONG_PATHS)
2024-11-07T17:33:18.0773530Z Knob: EnableIssueSourceValidation = true Source: $(ENABLE_ISSUE_SOURCE_VALIDATION)
2024-11-07T17:33:18.0774360Z Knob: AgentEnablePipelineArtifactLargeChunkSize = true Source: $(AGENT_ENABLE_PIPELINEARTIFACT_LARGE_CHUNK_SIZE)
2024-11-07T17:33:18.0776710Z Knob: ContinueAfterCancelProcessTreeKillAttempt = true Source: $(VSTSAGENT_CONTINUE_AFTER_CANCEL_PROCESSTREEKILL_ATTEMPT)
2024-11-07T17:33:18.0777500Z Knob: ProcessHandlerSecureArguments = false Source: $(AZP_75787_ENABLE_NEW_LOGIC)
2024-11-07T17:33:18.0778040Z Knob: ProcessHandlerSecureArguments = false Source: $(AZP_75787_ENABLE_NEW_LOGIC_LOG)
2024-11-07T17:33:18.0778560Z Knob: ProcessHandlerTelemetry = true Source: $(AZP_75787_ENABLE_COLLECT)
2024-11-07T17:33:18.0779140Z Knob: UseNewNodeHandlerTelemetry = True Source: $(DistributedTask.Agent.USENEWNODEHANDLERTELEMETRY)
2024-11-07T17:33:18.0780630Z Knob: ProcessHandlerEnableNewLogic = true Source: $(AZP_75787_ENABLE_NEW_PH_LOGIC)
2024-11-07T17:33:18.0781460Z Knob: EnableResourceMonitorDebugOutput = true Source: $(AZP_ENABLE_RESOURCE_MONITOR_DEBUG_OUTPUT)
2024-11-07T17:33:18.0782060Z Knob: EnableResourceUtilizationWarnings = true Source: $(AZP_ENABLE_RESOURCE_UTILIZATION_WARNINGS)
2024-11-07T17:33:18.0782850Z Knob: IgnoreVSTSTaskLib = true Source: $(AZP_AGENT_IGNORE_VSTSTASKLIB)
2024-11-07T17:33:18.0783700Z Knob: FailJobWhenAgentDies = true Source: $(FAIL_JOB_WHEN_AGENT_DIES)
2024-11-07T17:33:18.0784370Z Knob: CheckForTaskDeprecation = true Source: $(AZP_AGENT_CHECK_FOR_TASK_DEPRECATION)
2024-11-07T17:33:18.0785140Z Knob: CheckIfTaskNodeRunnerIsDeprecated246 = True Source: $(DistributedTask.Agent.CheckIfTaskNodeRunnerIsDeprecated246)
2024-11-07T17:33:18.0785900Z Knob: UseNode20ToStartContainer = True Source: $(DistributedTask.Agent.UseNode20ToStartContainer)
2024-11-07T17:33:18.0786580Z Knob: LogTaskNameInUserAgent = true Source: $(AZP_AGENT_LOG_TASKNAME_IN_USERAGENT)
2024-11-07T17:33:18.0787140Z Knob: UseFetchFilterInCheckoutTask = true Source: $(AGENT_USE_FETCH_FILTER_IN_CHECKOUT_TASK)
2024-11-07T17:33:18.0787780Z Knob: Rosetta2Warning = true Source: $(ROSETTA2_WARNING)
2024-11-07T17:33:18.0788970Z Knob: AddForceCredentialsToGitCheckout = True Source: $(DistributedTask.Agent.AddForceCredentialsToGitCheckout)
2024-11-07T17:33:18.0789510Z Finished checking job knob settings.
2024-11-07T17:33:18.1313630Z ##[debug]Log plugin 'TestResultLogPlugin' is disabled.
2024-11-07T17:33:18.1314270Z ##[debug]Log plugin 'TestFilePublisherPlugin' is disabled.
2024-11-07T17:33:18.1315000Z Start tracking orphan processes.
2024-11-07T17:33:18.1422890Z ##[section]Finishing: Initialize job

Full task logs with system.debug enabled

2024-11-07T17:33:18.2055190Z ##[debug]Evaluating condition for step: 'Install Apple Certificate'
2024-11-07T17:33:18.2102670Z ##[debug]Evaluating: SucceededNode()
2024-11-07T17:33:18.2109050Z ##[debug]Evaluating SucceededNode:
2024-11-07T17:33:18.2147150Z ##[debug]=> True
2024-11-07T17:33:18.2156520Z ##[debug]Result: True
2024-11-07T17:33:18.2224630Z ##[section]Starting: Install Apple Certificate
2024-11-07T17:33:18.2410730Z ==============================================================================
2024-11-07T17:33:18.2411350Z Task : Install Apple certificate
2024-11-07T17:33:18.2411750Z Description : Install an Apple certificate required to build on a macOS agent machine
2024-11-07T17:33:18.2411990Z Version : 2.246.5
2024-11-07T17:33:18.2412340Z Author : Microsoft Corporation
2024-11-07T17:33:18.2412730Z Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/install-apple-certificate
2024-11-07T17:33:18.2412980Z ==============================================================================
2024-11-07T17:33:18.3539480Z ##[debug]Using node path: /Users/runner/runners/3.246.0/externals/node20_1/bin/node
2024-11-07T17:33:18.7952440Z ##[debug]system.debug=True
2024-11-07T17:33:18.8447410Z ##[debug]DistributedTask.Tasks.Node.SkipDebugLogsWhenDebugModeOff=True
2024-11-07T17:33:18.8516860Z ##[debug]agent.TempDirectory=/Users/runner/work/_temp
2024-11-07T17:33:18.8552470Z ##[debug]loading inputs and endpoints
2024-11-07T17:33:18.8610280Z ##[debug]loading INPUT_CERTSECUREFILE
2024-11-07T17:33:18.8646350Z ##[debug]loading INPUT_CERTPWD
2024-11-07T17:33:18.8755520Z ##[debug]loading INPUT_KEYCHAIN
2024-11-07T17:33:18.8769100Z ##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION
2024-11-07T17:33:18.8782000Z ##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION
2024-11-07T17:33:18.8795860Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN
2024-11-07T17:33:18.8821210Z ##[debug]loading SECUREFILE_TICKET_70c6b661-280a-461e-acb7-70bfb66d643e
2024-11-07T17:33:18.8838090Z ##[debug]loading SECRET_CERTSIGNINGANDROIDPASSWORD
2024-11-07T17:33:18.8851190Z ##[debug]loading SECRET_PUBLISHFTPPASSWORD
2024-11-07T17:33:18.8884300Z ##[debug]loading SECRET_CERTSIGNINGUWPPASSWORD
2024-11-07T17:33:18.8901470Z ##[debug]loading SECRET_SYSTEM_ACCESSTOKEN
2024-11-07T17:33:18.8910100Z ##[debug]loading SECRET_STOREAPPLEAPIKEYID
2024-11-07T17:33:18.8930160Z ##[debug]loading SECRET_STOREAPPLEAPIISSUERID
2024-11-07T17:33:18.8933480Z ##[debug]loading SECRET_PUBLISHPRIVATEFTPPASSWORD
2024-11-07T17:33:18.8949820Z ##[debug]loading SECRET_ADMINSQLCONNECTIONSTRING
2024-11-07T17:33:18.8959200Z ##[debug]loading SECRET_DEVWEBSERVERPASSWORD
2024-11-07T17:33:18.8986500Z ##[debug]loading SECRET_CERTSIGNINGAPPLECERTPASSWORD
2024-11-07T17:33:18.9035610Z ##[debug]loading SECRET_STOREAPPLEAPIKEYCONTENTBASE64
2024-11-07T17:33:18.9065160Z ##[debug]loaded 18
2024-11-07T17:33:18.9084410Z ##[debug]Agent.ProxyUrl=undefined
2024-11-07T17:33:18.9089290Z ##[debug]Agent.CAInfo=undefined
2024-11-07T17:33:18.9098520Z ##[debug]Agent.ClientCert=undefined
2024-11-07T17:33:18.9111890Z ##[debug]Agent.SkipCertValidation=undefined
2024-11-07T17:33:18.9137250Z ##[debug]check path : /Users/runner/work/_tasks/InstallAppleCertificate_d2eff759-736d-4b7b-8554-7ba0960d49d6/2.246.5/node_modules/azure-pipelines-tasks-ios-signing-common/module.json
2024-11-07T17:33:18.9159330Z ##[debug]adding resource file: /Users/runner/work/_tasks/InstallAppleCertificate_d2eff759-736d-4b7b-8554-7ba0960d49d6/2.246.5/node_modules/azure-pipelines-tasks-ios-signing-common/module.json
2024-11-07T17:33:18.9217320Z ##[debug]system.culture=en-US
2024-11-07T17:33:18.9229160Z ##[debug]check path : /Users/runner/work/_tasks/InstallAppleCertificate_d2eff759-736d-4b7b-8554-7ba0960d49d6/2.246.5/task.json
2024-11-07T17:33:18.9261850Z ##[debug]adding resource file: /Users/runner/work/_tasks/InstallAppleCertificate_d2eff759-736d-4b7b-8554-7ba0960d49d6/2.246.5/task.json
2024-11-07T17:33:18.9296140Z ##[debug]system.culture=en-US
2024-11-07T17:33:18.9315090Z ##[debug]certSecureFile=70c6b661-280a-461e-acb7-70bfb66d643e
2024-11-07T17:33:18.9325170Z ##[debug]opensslPkcsArgs=undefined
2024-11-07T17:33:18.9344510Z ##[debug]System.TeamFoundationCollectionUri=https://xxxxxxxx.visualstudio.com/
2024-11-07T17:33:18.9366540Z ##[debug]SYSTEMVSSCONNECTION auth param ACCESSTOKEN = ***
2024-11-07T17:33:18.9385940Z ##[debug]Secure file retry count set to: 8
2024-11-07T17:33:18.9393450Z ##[debug]Agent.ProxyUrl=undefined
2024-11-07T17:33:18.9397800Z ##[debug]secure file name for id 70c6b661-280a-461e-acb7-70bfb66d643e = MyCertificate.p12
2024-11-07T17:33:18.9617180Z ##[debug]Agent.TempDirectory=/Users/runner/work/_temp
2024-11-07T17:33:18.9629720Z ##[debug]Absolute path for pathSegments: /Users/runner/work/_temp,MyCertificate.p12 = /Users/runner/work/_temp/MyCertificate.p12
2024-11-07T17:33:18.9637050Z ##[debug]Downloading secure file contents to: /Users/runner/work/_temp/MyCertificate.p12
2024-11-07T17:33:20.2117510Z ##[debug]secure file ticket for id 70c6b661-280a-461e-acb7-70bfb66d643e = ***
2024-11-07T17:33:20.2120430Z ##[debug]SYSTEM.TEAMPROJECT=MobileApp
2024-11-07T17:33:20.4963640Z ##[debug]Downloaded secure file contents to: /Users/runner/work/_temp/MyCertificate.p12
2024-11-07T17:33:20.4964930Z ##[debug]certPwd=***
2024-11-07T17:33:20.4966090Z ##[debug]which 'openssl'
2024-11-07T17:33:20.4989780Z ##[debug]found: '/usr/local/bin/openssl'
2024-11-07T17:33:20.4990590Z ##[debug]which '/usr/local/bin/openssl'
2024-11-07T17:33:20.4991270Z ##[debug]found: '/usr/local/bin/openssl'
2024-11-07T17:33:20.4992740Z ##[debug]/usr/local/bin/openssl arg: ["pkcs12","-in","/Users/runner/work/_temp/MyCertificate.p12","-nokeys","-passin","pass:"]
2024-11-07T17:33:20.4993560Z ##[debug]which '/usr/local/bin/openssl'
2024-11-07T17:33:20.4994150Z ##[debug]found: '/usr/local/bin/openssl'
2024-11-07T17:33:20.4995280Z ##[debug]/usr/local/bin/openssl arg: ["x509","-sha1","-noout","-fingerprint","-subject","-dates","-nameopt","utf8,sep_semi_plus_space"]
2024-11-07T17:33:20.4996030Z ##[debug]exec tool: /usr/local/bin/openssl
2024-11-07T17:33:20.4997000Z ##[debug]arguments:
2024-11-07T17:33:20.4998360Z ##[debug] pkcs12
2024-11-07T17:33:20.4999030Z ##[debug] -in
2024-11-07T17:33:20.5000020Z ##[debug] /Users/runner/work/_temp/MyCertificate.p12
2024-11-07T17:33:20.5000650Z ##[debug] -nokeys
2024-11-07T17:33:20.5001180Z ##[debug] -passin
2024-11-07T17:33:20.5001850Z ##[debug] pass:
2024-11-07T17:33:20.5104470Z [command]/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/MyCertificate.p12 -nokeys -passin pass:*** | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
2024-11-07T17:33:20.5305620Z Error outputting keys and certificates
2024-11-07T17:33:20.5321410Z 804FD158F87F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
2024-11-07T17:33:20.5323650Z ##[debug]success of first tool:false
2024-11-07T17:33:20.5401400Z Could not find certificate from
2024-11-07T17:33:20.5417530Z ##[debug]rc:1
2024-11-07T17:33:20.5419400Z ##[debug]success:false
2024-11-07T17:33:20.5460520Z ##[warning]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
2024-11-07T17:33:20.5466550Z ##[debug]Processed: ##vso[task.issue type=warning;source=TaskInternal;correlationId=337d276c-a97a-44e8-8a24-d98fc8128eef;]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
2024-11-07T17:33:20.5467970Z ##[debug]task result: Failed
2024-11-07T17:33:20.5469090Z ##[error]Error: /usr/local/bin/openssl failed with return code: 1
2024-11-07T17:33:20.5469780Z ##[debug]Processed: ##vso[task.issue type=error;source=TaskInternal;correlationId=337d276c-a97a-44e8-8a24-d98fc8128eef;]Error: /usr/local/bin/openssl failed with return code: 1
2024-11-07T17:33:20.5477640Z ##[debug]Processed: ##vso[task.complete result=Failed;]Error: /usr/local/bin/openssl failed with return code: 1
2024-11-07T17:33:20.5478570Z ##[debug]secure file name for id 70c6b661-280a-461e-acb7-70bfb66d643e = MyCertificate.p12
2024-11-07T17:33:20.5503890Z ##[debug]Agent.TempDirectory=/Users/runner/work/_temp
2024-11-07T17:33:20.5505010Z ##[debug]Absolute path for pathSegments: /Users/runner/work/_temp,MyCertificate.p12 = /Users/runner/work/_temp/MyCertificate.p12
2024-11-07T17:33:20.5507830Z ##[debug]Deleting secure file at: /Users/runner/work/_temp/MyCertificate.p12
2024-11-07T17:33:20.5508600Z ##[debug]rm -rf /Users/runner/work/_temp/MyCertificate.p12
2024-11-07T17:33:20.5509240Z ##[debug]removing file
2024-11-07T17:33:20.5555280Z ##[section]Finishing: Install Apple Certificate

Repro steps

• job: iOS
  pool:
  vmImage: 'macos-14'

  steps:

  • task: InstallAppleCertificate@2
    displayName: 'Install Apple Certificate'
    inputs:
    certSecureFile: 'MyCertificate.p12'
    certPwd: '$(certSigningAppleCertPassword)'
    keychain: 'temp'

[zachdean]

@reinhardlackner this issue was because they updated the runner images to use openssl 3 by default (actions/runner-images#10817). Unfortunately, it looks like the hosted runners are now currently in in a mixed batch of openssl 3 and openssl1.1. I wrote a script to get around the issue until it is resolved and the task is updated.

  - task: DownloadSecureFile@1
    displayName: 'Download Apple Distribution Certificates'
    name: appleCertificate
    inputs:
        secureFile: 'AppleDistributionCertificates.p12'

  - script: |
        echo "Installing Apple Distribution Certificates"
        echo $(appleCertificate.secureFilePath)
        $(Build.Repository.LocalPath)/.pipelines/ios/install-signing-certificate \
            $(appleCertificate.secureFilePath) \
            "$certificatePassword" \
    displayName: 'Install Apple Distribution Certificates'
    env:
        certificatePassword: $(IosSigningCertificatePassword)

$(Build.Repository.LocalPath)/.pipelines/ios/install-signing-certificate

#!/usr/bin/env bash

install_certificate()
{
    local certificate_path="${1}"
    local password="${2}"
    local legacy=''
    local openssl_version=''
    local major_version=''
    local common_name=''
    local subject=''

    # Check OpenSSL version
    openssl_version=$(/usr/local/bin/openssl version | awk '{print $2}')
    major_version=$(echo "$openssl_version" | cut -d. -f1)
    echo "OpenSSL version: $openssl_version"
    echo "OpenSSL major version: $major_version"
    if [[ "$major_version" -gt 1 ]]; then
        legacy='-legacy'
    fi

    /usr/local/bin/openssl pkcs12 $legacy -in "$certificate_path" -nokeys -passin pass:"$password" | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
    
    subject=$(/usr/local/bin/openssl pkcs12 $legacy -in "$certificate_path" -nokeys -passin pass:"$password" | /usr/local/bin/openssl x509 -noout -subject -nameopt utf8,sep_semi_plus_space)
    echo "Subject: $subject"
    
    common_name=$(echo "$subject" | awk -F'CN=' '{print $2}' | awk -F'[;]' '{print $1}')

    echo "Common Name: $common_name"

    /usr/bin/security create-keychain -p "$password" /Users/runner/work/_temp/ios_signing_temp.keychain

    /usr/bin/security set-keychain-settings -lut 21600 /Users/runner/work/_temp/ios_signing_temp.keychain

    /usr/bin/security unlock-keychain -p "$password" /Users/runner/work/_temp/ios_signing_temp.keychain

    /usr/bin/security import "$certificate_path" -P "$password" -A -t cert -f pkcs12 -k /Users/runner/work/_temp/ios_signing_temp.keychain

    /usr/bin/security list-keychain -d user

    /usr/bin/security list-keychain -d user -s /Users/runner/work/_temp/ios_signing_temp.keychain /Users/runner/Library/Keychains/login.keychain-db

    /usr/bin/security list-keychain -d user
    
    ## Set the certificate name to be used later in the build
    echo "setting APPLE_CERTIFICATE_SIGNING_IDENTITY to '$common_name'"
    echo "##vso[task.setvariable variable=APPLE_CERTIFICATE_SIGNING_IDENTITY]$common_name"
}

install_certificate "$@"

[Liabaemt]

October 2024 -New Relic General Data Privacy Notice.pdf
gitgitgadget-main.zip
progit.pdf
DuckDuckGo.pdf.pdf

github-recovery-codes.txt
October 2024 -New Relic General Data Privacy Notice.pdf
[wp254_rev_01_art29_wp_adequacy_referential_7393A136-AFD6-4CF7-735B8E950478E2BB_5.docx
Associated Press Stylebook.docx
CP575Notice_1730318361374.docx
](url)

[akhilvswoodplc]

Any workaround for this issue

[ivanduplenskikh]

@zachdean @akhilvswoodplc, thank you for bringing this issue to our attention.
We are currently addressing it and aim to have it resolved as quickly as possible.

[holomouse]

A possible workaround would be to add -legacy flag to the openssl command, however the flag is not properly passed to the command, a related bug #19383

[andriikut]

A possible workaround would be to add -legacy flag to the openssl command, however the flag is not properly passed to the command, a related bug #19383

I can confirm

     - task: InstallAppleCertificate@2
        displayName: 'Install an Apple certificate'
        inputs:
          certSecureFile: '${{ parameters.iosCertificate }}'
          certPwd: '${{ parameters.iosCertificatePassword }}'
          opensslPkcsArgs: '-legacy'

Output

##[debug]/usr/local/bin/openssl arg: ["x509","-sha1","-noout","-fingerprint","-subject","-dates","-nameopt","utf8,sep_semi_plus_space"]
##[debug]exec tool: /usr/local/bin/openssl
##[debug]arguments:
##[debug] pkcs12
##[debug] -in
##[debug] /Users/runner/work/_temp/iOS-Distribution.p12
##[debug] -nokeys
##[debug] -passin
##[debug] pass:***
##[debug] -legacy
/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/iOS-Distribution.p12 -nokeys -passin pass:*** -legacy | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
pkcs12: Unrecognized flag legacy
pkcs12: Use -help for summary.
##[debug]success of first tool:false
unable to load certificate
140704366591488:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
##[debug]rc:1
##[debug]success:false

[andriikut]

Build is currently running, looks like I was able to import cert with tasks below.

      - task: DownloadSecureFile@1
        displayName: 'Download an Apple certificate'
        inputs:
          secureFile: '${{ parameters.iosCertificate }}'

      - script: |
          openssl pkcs12 -in $(Agent.TempDirectory)/${{ parameters.iosCertificate }} -out cert.pem -nokeys -passin pass:${{ parameters.iosCertificatePassword }}
          security import cert.pem -k ~/Library/Keychains/login.keychain-db -T /usr/bin/codesign
        displayName: 'Install Apple Certificate via OpenSSL'

##[debug]failOnStderr=false
##[debug]script=openssl pkcs12 -in /Users/runner/work/_temp/iOS-Distribution.p12 -out cert.pem -nokeys -passin pass:***
security import cert.pem -k ~/Library/Keychains/login.keychain-db -T /usr/bin/codesign
1 certificate imported.
##[debug]Exit code 0 received from tool '/bin/bash'
##[debug]STDIO streams have closed for tool '/bin/bash'
##[debug]task result: Succeeded

[OliverBrown-Next]

@zachdean Thank you for that script, that is working for me.

[holomouse]

Build is currently running, looks like I was able to import cert with tasks below.

      - task: DownloadSecureFile@1
        displayName: 'Download an Apple certificate'
        inputs:
          secureFile: '${{ parameters.iosCertificate }}'

      - script: |
          openssl pkcs12 -in $(Agent.TempDirectory)/${{ parameters.iosCertificate }} -out cert.pem -nokeys -passin pass:${{ parameters.iosCertificatePassword }}
          security import cert.pem -k ~/Library/Keychains/login.keychain-db -T /usr/bin/codesign
        displayName: 'Install Apple Certificate via OpenSSL'

##[debug]failOnStderr=false ##[debug]script=openssl pkcs12 -in /Users/runner/work/_temp/iOS-Distribution.p12 -out cert.pem -nokeys -passin pass:*** security import cert.pem -k ~/Library/Keychains/login.keychain-db -T /usr/bin/codesign 1 certificate imported. ##[debug]Exit code 0 received from tool '/bin/bash' ##[debug]STDIO streams have closed for tool '/bin/bash' ##[debug]task result: Succeeded

This doesn't work for me on the 20241106.300 image :(