Error: '-noenc' is an Unknown Option for OpenSSL PKCS12 on Self-Hosted MacOS Runner
Description
When using a GitHub Actions self-hosted MacOS runner, I encountered an error indicating that the -noenc option is unknown. However, running openssl pkcs12 from the command line shows that -noenc is a valid option. I am trying to understand what might be causing this discrepancy.
Environment
The error occurs on all the following setups:
- codemagic-cli-tools: from v0.53.1 to 0.53.3
- OpenSSL: 3.3.1 and @3.0 and @1.1
- cryptography: 38.0.0 and 43.0.0
- Python: 3.10.11
Error Output
unknown option '-noenc'
usage: pkcs12 [-aes128 | -aes192 | -aes256 | -camellia128 |
-camellia192 | -camellia256 | -des | -des3 | -idea]
[-cacerts] [-CAfile file] [-caname name]
[-CApath directory] [-certfile file] [-certpbe alg]
[-chain] [-clcerts] [-CSP name] [-descert] [-export]
[-in file] [-info] [-inkey file] [-keyex] [-keypbe alg]
[-keysig] [-LMK] [-macalg alg] [-maciter] [-name name]
[-nocerts] [-nodes] [-noiter] [-nokeys] [-nomac]
[-nomaciter] [-nomacver] [-noout] [-out file]
[-passin arg] [-passout arg] [-password arg] [-twopass]
-aes128 Encrypt PEM output with CBC AES
-aes192 Encrypt PEM output with CBC AES
-aes256 Encrypt PEM output with CBC AES
-camellia128 Encrypt PEM output with CBC Camellia
-camellia192 Encrypt PEM output with CBC Camellia
-camellia256 Encrypt PEM output with CBC Camellia
-des Encrypt private keys with DES
-des3 Encrypt private keys with triple DES (default)
-cacerts Only output CA certificates
-CAfile file PEM format file of CA certificates
-caname name Use name as CA friendly name (can be used more than once)
-CApath directory PEM format directory of CA certificates
-certfile file Add all certs in file
-certpbe alg Specify certificate PBE algorithm (default RC2-40)
-chain Add certificate chain
-clcerts Only output client certificates
-CSP name Microsoft CSP name
-descert Encrypt PKCS#12 certificates with triple DES (default RC2-40)
-export Output PKCS#12 file
-in file Input filename
-info Give info about PKCS#12 structure
-inkey file Private key if not infile
-keyex Set MS key exchange type
-keypbe alg Specify private key PBE algorithm (default 3DES)
-keysig Set MS key signature type
-LMK Add local machine keyset attribute to private key
-macalg alg Digest algorithm used in MAC (default SHA1)
-maciter Use MAC iteration
-name name Use name as friendly name
-nocerts Don't output certificates
-nodes Don't encrypt private keys
-noiter Don't use encryption iteration
-nokeys Don't output private keys
-nomac Don't generate MAC
-nomaciter Don't use MAC iteration
-nomacver Don't verify MAC
-noout Don't output anything, just verify
-out file Output filename
-passin arg Input file passphrase source
-passout arg Output file passphrase source
*** Set import/export password source
-twopass Separate MAC, encryption passwords
Unable to export certificate: Failed to create PKCS12 container
Steps Taken
# ssh-keygen -t rsa -b 2048 -m PEM -f cert_key -q -N ""
# Providing a password with `CERTIFICATE_PRIVATE_KEY_PASSWORD` results in the same '-noenc' error
keychain initialize
app-store-connect fetch-signing-files "XXXX" \
--platform IOS \
--type IOS_APP_STORE \
--create \
--api-unauthorized-retries 50 \
--api-server-error-retries 50
keychain add-certificates
xcode-project use-profiles
@smithemely thanks for this report. Could you please provide a minimal GitHub action that could be used to reproduce the issue? You can omit all Apple's authentication info of course.
I'm having the same issues (using gitlab-runner on macOS).
Doing some digging, I found that macOS is shipped with LibreSSL 3.3.6, which still uses the old -nodes flag that has been deprecated on OpenSSL. The check to use the new -noenc just looks for the version, not which library it is using.
The solution is to install openssl via brew and make sure that brew's bin dir is first in the PATH to ensure that it's used instead of LibreSSL.
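The mismatch described in the comment above, as an added example (not code from codemagic-cli-tools): a version-only check picks -noenc for LibreSSL 3.3.6, while a check that also reads the library name from the `openssl version` banner falls back to -nodes. The function names and sample banners are constructed for illustration, and `flag_by_version_only` is an assumed reconstruction of the behaviour the comment describes, not the project's actual check.

```python
import re
import subprocess

# Constructed sample banners in the format printed by `openssl version`.
SAMPLE_BANNERS = {
    "macos_system": "LibreSSL 3.3.6",
    "brew_openssl3": "OpenSSL 3.3.1 4 Jun 2024 (Library: OpenSSL 3.3.1 4 Jun 2024)",
    "brew_openssl11": "OpenSSL 1.1.1w  11 Sep 2023",
}

_BANNER_RE = re.compile(r"^(?P<impl>\S+)\s+(?P<major>\d+)\.(?P<minor>\d+)")


def parse_banner(banner: str) -> tuple[str, int, int]:
    """Return (implementation, major, minor) from an `openssl version` banner."""
    match = _BANNER_RE.match(banner.strip())
    if match is None:
        raise ValueError(f"unrecognised openssl banner: {banner!r}")
    return match["impl"], int(match["major"]), int(match["minor"])


def flag_by_version_only(banner: str) -> str:
    """Assumed version-only check: ignores which library printed the banner."""
    _, major, _ = parse_banner(banner)
    return "-noenc" if major >= 3 else "-nodes"


def flag_by_implementation(banner: str) -> str:
    """Use -noenc only for genuine OpenSSL 3.0+; everything else gets -nodes."""
    impl, major, _ = parse_banner(banner)
    if impl == "OpenSSL" and major >= 3:
        return "-noenc"
    return "-nodes"


def flag_for_local_openssl(binary: str = "openssl") -> str:
    """Ask the binary that PATH resolves to, since that is what gets executed."""
    result = subprocess.run([binary, "version"], capture_output=True, text=True, check=True)
    return flag_by_implementation(result.stdout)


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:15} version-only={flag_by_version_only(banner):7} "
              f"impl-aware={flag_by_implementation(banner)}")
```

Running `flag_for_local_openssl()` on the runner itself shows which flag applies to the binary that the runner's PATH actually resolves, which may differ from the one found in an interactive shell.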
@captnCC thanks for the input. Hopefully I can look into it next week.
Reproduced it on a fresh macOS 14.6 instance.
@smithemely @captnCC this is now fixed in version 0.53.7. Thank you for bringing the issue to our attention.