New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[spaceship] create_certificate_signing_request
: update from SHA-1 to SHA-256
#21644
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
more thoughts
- the
fastlane_core/lib/fastlane_core/cert_checker.rb
checks the sha1 certificate. Should we support both hashes now? - why are these methods duplicated and why are we fixing only one of the doc?
create_certificate_signing_request
: update from SHA-1 to SHA-256
c05b77c
to
1542109
Compare
Probably, but that's out of the scope of this PR. I just needed this code to run correctly on Linux. The
There's quite a bit of duplicated code between
Oversight on my part. I've updated the PR to correct the typo in both files. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm afraid that changing how we create CSRs without changing how we check them might break things for macOS users that use both methods (creating one using sha256 and then attempting to check/validate it using sha1), no?
I understand the motivation was to fix only your Red Hat environment, but if this breaks fastlane for macOS users, then we need to batch all changes in a single PR.
I'm just raising the question here, though, it's actually not 100% clear to me whether it'd break or not. I don't fully grasp this portion of the codebase yet 😬 so any points would be helpful here @jaysoffian @lacostej 🙇
Thanks 🙏
Okay, I looked further at the code. These are totally different things. The change I made in this PR is to create CSRs with a SHA-256 digest. This is unrelated to
The output of the first looks like this:
In this case def self.sha1_fingerprint(path)
file_data = File.read(path.to_s)
cert = OpenSSL::X509::Certificate.new(file_data)
return OpenSSL::Digest::SHA1.new(cert.to_der).to_s.upcase
rescue => error
UI.error(error)
UI.user_error!("Error parsing certificate '#{path}'")
end It then compares the two digests to see if the on-disk cert is the same as the one in the keychain. So no, this change won't break As well, since the So two totally unrelated and different use cases. One for the type of digest embedded in a CSR, the other for comparing on-disk certs to those in the keychain. |
Thanks for your thorough analysis @jaysoffian! Super helpful! Could you rebase your branch? I believe the issue with CI has been fixed in master already :) Thank you! |
2769669
to
1542109
Compare
Update the two places where Fastlane creates CSRs to use SHA-256 (sha256WithRSAEncryption). This signature algorithm is accepted by Apple and CSRs created using Keychain Access at least since Ventura use SHA-256. SHA-1 is increasingly deprecated by OS vendors which is how I noticed fastlane was still using SHA-1 when attempting to use `fastlane pem` under RedHat 9, which disables SHA-1 by default[^1]. [^1]: https://wiki.almalinux.org/release-notes/9.0.html#changelog
1542109
to
fcb69c7
Compare
Done. |
@rogerluan can this be merged? |
@lacostej can this be merged? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
💪
Checklist
bundle exec rspec
from the root directory to see all new and existing tests passbundle exec rubocop -a
to ensure the code style is validci/circleci
builds in the "All checks have passed" section of my PR (connect CircleCI to GitHub if not)Motivation and Context
Update the two places where Fastlane creates CSRs to use SHA-256 (sha256WithRSAEncryption). This signature algorithm is accepted by Apple and CSRs created using Keychain Access at least since Ventura use SHA-256.
SHA-1 is increasingly deprecated by OS vendors. I noticed fastlane was still using SHA-1 when attempting to use
fastlane pem
under RedHat 9 which disables SHA-1 by default1.I noticed fastlane was still using SHA-1 when attempting to use
fastlane pem
under RedHat 9 which disables SHA-11. Updating fastlane to SHA-256 allows it to generate CSR under RedHat 9 without having to alter the RedHat 9 default crypto policy1. SHA-256 is also what Keychain Access uses for CSRs at least since Ventura.Description
Update the two copies of the
create_certificate_signing_request
function to useOpenSSL::Digest::SHA256.new
instead ofOpenSSL::Digest::SHA1.new
Testing Steps
I tested by running the new code under RedHat 9 and macOS Ventura using
irb
.I inspected the CSR generated by the new code using
openssl req -noout -text
and verified that the "Signature Algorithm" is nowsha256WithRSAEncryption
which matches the algorithm used in CSRs generated by Keychain Access under macOS Ventura.Footnotes
https://wiki.almalinux.org/release-notes/9.0.html#changelog ↩ ↩2 ↩3