
Commit c71210c

authored
Merge pull request #9760 from mook-as/cert/macos/multiple-keychains
networking: Fix macOS CA management
2 parents b0a7151 + 16fcda9 commit c71210c

1 file changed

Lines changed: 10 additions & 6 deletions

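--- a/pkg/rancher-desktop/main/networking/mac-ca.ts
+++ b/pkg/rancher-desktop/main/networking/mac-ca.ts
@@ -23,7 +23,9 @@ export default async function * getMacCertificates(): AsyncIterable<string> {
   try {
     const keychains = await Array.fromAsync(listKeychains());
     const certLists = await Promise.all(keychains.map(async keychain => {
-      return await Array.fromAsync(getFilteredCertificates(workdir, keychain));
+      const keychainWorkDir = await fs.promises.mkdtemp(workdir + path.sep);
+
+      return await Array.fromAsync(getFilteredCertificates(keychainWorkDir, keychain));
     }));
     for (const certList of certLists) {
       yield * certList;
@@ -71,20 +73,22 @@ async function * getFilteredCertificates(workdir: string, keychain: string): Asy
     try {
       const cert = new crypto.X509Certificate(certPEM);
       const certPath = path.join(workdir, 'cert.pem');
+      const subject = cert.subject.replace(/[\r\n]+/g, ' ');
 
       if (!cert.ca) {
-        console.debug('Skipping non-CA certificate', cert.subject);
+        console.debug('Skipping non-CA certificate', subject);
         continue;
       }
       await fs.promises.writeFile(certPath, certPEM, 'utf-8');
       try {
-        await spawnFile('/usr/bin/security', ['verify-cert', `-c${ certPath }`, '-L', '-l', '-Roffline'], { stdio: console });
-      } catch (ex) {
-        console.debug('Skipping untrusted certificate', cert.subject);
+        await spawnFile('/usr/bin/security', ['verify-cert', `-c${ certPath }`, '-L', '-l', '-Roffline'], { stdio: ['ignore', 'ignore', 'pipe'] });
+      } catch (ex: any) {
+        console.debug(`Skipping untrusted certificate ${ subject }: ${ (ex.stderr?.toString() ?? ex.toString()).trim() }`);
         continue;
       }
+      console.debug('Including certificate', subject);
     } catch (ex) {
-      console.debug('Skipping certificate that could not be parsed', ex);
+      console.debug('Skipping certificate that could not be parsed', ex, certPEM);
       continue;
     }
     yield certPEM;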
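Review bot: The new `catch (ex: any)` in the second hunk turns off checking on the one value here that comes from outside the file's control, and the fallback `ex.toString()` throws if whatever spawnFile rejected with is not an object. Narrowing from `unknown` keeps the same log line without the escape hatch: `} catch (ex: unknown) {`, `const stderr = typeof ex === 'object' && ex !== null && 'stderr' in ex ? String((ex as { stderr?: unknown }).stderr ?? '') : '';`, then `console.debug(\`Skipping untrusted certificate ${ subject }: ${ (stderr || String(ex)).trim() }\`);`. This presumes spawnFile attaches a `stderr` property to the rejection when stderr is piped; if it rejects with a plain Error the `String(ex)` fallback still applies. In the first hunk the per-keychain `mkdtemp` directory is not removed within the hunk; if `workdir` is not deleted recursively in the finally block outside this view, the cert.pem copies outlive the call. Both enclosing functions continue outside the hunks.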
