[BUG]: InstallAppleCertificate STILL fails to install certificates #19607
Comments
|
@AlphaNERD- thanks for reporting! We are working on more prioritized issues at the moment, but will get back to this one soon. |
|
Uuuh... devs... When is "soon" happening? The build is still failing more than 60 days later. |
|
For me the issue was that I exported only they key and not the key and certificate (using keychain access) |
|
Just to be sure, how do you do it? And how do you use them in the YAML pipeline? |
|
In keychain access, select both the key & cert then right click to export to .p12 |
|
Unfortunately that didn't help. I sure wonder when Microsoft will help... Or whether DevOps is getting the Visual Studio App Center treatment. |
|
I kind of found a workaround for this. I say "kind of" because I don't recommend anyone does this. But essentially I just downloaded and installed the certificate myself: - task: DownloadSecureFile@1
name: downloadDevCert
displayName: 'Download Apple Certificate'
inputs:
secureFile: 'yourcertificate.p12'
- bash: |
echo "Received secret: $CERT_PASSWORD"
security import $(downloadDevCert.secureFilePath) -k ~/Library/Keychains/login.keychain -P yourp4ww0rdw!ch!sn0l0ng3r53cur3
env:
CERT_PASSWORD: $(P12password)
displayName: 'Install signing certificate'The reason I don't recommend anyone does this is because the secrets don't work. The output just shows: Received secret: $(P12password)Instead of what I expect to see which is: Received secret: ****Which is why I've put the secret directly in the command and why I say it's no longer secure. But at least this got me over this specific bump. I've tried this a few different ways (and followed the docs) but if someone can explain to me what I'm doing wrong, and perhaps make this a viable (and secure) workaround for others, then that would be appreciated. |
|
It's good to see that in the tradition of this issue it's just being ignored and left to go stale!!! ;-) |
In Azure Pipeline library variables, right next to the value field there is a lock icon |
The issue is specifically that this doesn't work. Hence the workaround of entering the value directly into the pipeline. |
Did you declare your variables? Then I can use the variable normally like this |
|
@weeb-destroyer of course, been using other secrets throughout the pipeline. It was just this one not working. This was months ago, perhaps it's been fixed, perhaps was a glitch. Given it's been building smoothly since then I haven't gone back and checked but I suppose I should. |
|
This suddenly started happening for us today, with an Apple certificate created 7 months ago so not really that old. I suspected maybe a particular macOS VM image version was bad, but I got both good and bad builds on the exact same versions:
When debugging, the bad builds used OpenSSL 1.1.1w - script: |
which openssl
/usr/bin/openssl version
openssl version
displayName: OpenSSL stuff
condition: always()Output: Posting this for anyone else having similar, flaky issues. Related: |
|
Yes it happens to me today, I cant build when I pass -legacy on openssl argument it solved for one succeeding build but when I rebuild my app is says pkcs12: Unrecognized flag legacy |
|
Same for me. Today the same config and certs worked well but a few hours later it fails with: Starting: Install an Apple certificate ============================================================================== Task : Install Apple certificate ============================================================================== /usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/Development.p12 -nokeys -passin pass:*** -legacy | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space What happened? How can we fix this? |
|
This a work around for me but I hardcoded the cert pass for now this script can't read a variable even I add a env: parameter it always empty value.
|
|
Some info about my case, I have 2 jobs running one for release and one for dev. It seems that the first one fails and the second one passes, no mater which one is the first one. As mentioned already this worked perfectly till some hours ago. |
~~ Indeed downloading the cert before installing it worked for me... maybe the install cert plugin doesn't download it anymore? ~~ EDIT: |
|
Seems like Microsoft published a fix in macos-15 20241106.316. With macos-15 20241022.244 I still see failing builds with "pkcs12: Unrecognized flag legacy" warning included. The unfortunate thing: 20241106.316 does not seem to be published to all hosted agents as of now. Edit: It seems like we need "-legacy" for 20241106.316, but need to omit it for 20241022.244. This way both configurations work fine. But as of now I do not see a way to determine the exact image version and decide if |
|
Thanks @thisisthekap! Same problem here. In my case I'm not including the "legacy" flag, so it succeeds in macos-15 20241022.244 and fails in macos-15 20241106.316. |
|
@arnauZurich As @mjosipovic-tgr suggested in actions/runner-images#10703 (comment), you could use 2 copies of the InstallAppleCertificate task. One with |
|
@thisisthekap Thanks! It worked on our side too! |
New issue checklist
Task name
InstallAppleCertificate@2
Task version
2.231.1
Issue Description
Hello Azure DevOps devs,
i've begun to rebuild my CD pipeline as part of an ongoing migration of my iOS app to .NET 8. Currently my pipeline keeps failing at the InstallAppleCertificate task.
I've made sure that the certificate and provisioning profile are up-to-date and i've looked up the issue on GitHub. People have suggested to pass the flag
-legacyto the task whenever the issue was reported, however the-legacyflag is not recognized by openssl. The latest Github Issue ended with a user still facing this issue, however the issue was closed solely because the-legacyflag was passed on to openssl. (#19436). The user still couldn't install the certificate.Another issue (#19383) was closed because the user regenerated their certificate and yet another issue (#18560) was closed because of... i don't know, because nobody reported it as fixed or as going stale or whatever. Someone suggested that the OpenSSL version was outdated, however i don't know how to update it or whether i can update it on hosted images. I tried out Microsoft's images macos-11, macos-12 and macos-13 too.
Environment type (Please select at least one enviroment where you face this issue)
Azure DevOps Server type
dev.azure.com (formerly visualstudio.com)
Azure DevOps Server Version (if applicable)
No response
Operation system
macos-13
Relevant log output
Full task logs with system.debug enabled
Repro steps
The text was updated successfully, but these errors were encountered: