Fix adding certificates with empty password to keychain on macOS 15.1 (…

…#436)
codemagic-ci-cd · Nov 6, 2024 · c444401 · c444401
1 parent 11e98a6
commit c444401
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,9 +2,9 @@ Version 0.54.2
 -------------
 
 **Bugfixes**
+- Fix action `keychain add-certificates` for macOS 15.1 when adding certificates with empty password. [PR #436](https://github.com/codemagic-ci-cd/cli-tools/pull/436)
 - Introduce a new retrying condition for `altool` commands as part of `app-store-connect` action when unexpected return codes occurs. [PR #435](https://github.com/codemagic-ci-cd/cli-tools/pull/435)
 
-
 Version 0.54.1
 -------------
 

diff --git a/src/codemagic/tools/keychain.py b/src/codemagic/tools/keychain.py
@@ -37,7 +37,7 @@ class KeychainError(cli.CliAppException):
     pass
 
 
-class _CertificateDataDecodeError(IOError):
+class _SecurityKeychainPkcs12FormatImportError(IOError):
     pass
 
 
@@ -392,7 +392,7 @@ def _add_certificate(
                 allowed_applications=allowed_applications,
                 import_format="pkcs12",
             )
-        except _CertificateDataDecodeError:
+        except _SecurityKeychainPkcs12FormatImportError:
             # Attempt import again, but now using different format specifier.
             self._run_add_certificate_process(
                 certificate_path=certificate_path,
@@ -434,17 +434,25 @@ def _run_add_certificate_process(
         process = self.execute(import_cmd, obfuscate_patterns=obfuscate_patterns)
 
         if process.returncode == 0:
-            return
-        elif "The specified item already exists in the keychain" in process.stderr:
-            # It is fine that the certificate is already in keychain
-            pass
-        elif import_format == "pkcs12" and "Unable to decode the provided data" in process.stderr:
+            return  # All good, certificate was successfully imported
+
+        if "The specified item already exists in the keychain" in process.stderr:
+            return  # It is fine that the certificate is already in keychain
+
+        if import_format == "pkcs12":
             # MacOS has not been very compliant with unencrypted PEM-formatted PKCS#12
             # containers generated by OpenSSL. But starting from macOS 15.0 security
-            # just rejects them with error message "Unable to decode the provided data".
-            raise _CertificateDataDecodeError()
-        else:
-            raise KeychainError(f"Unable to add certificate {certificate_path} to keychain {self.path}", process)
+            # just rejects them with the following message in STDERR stream:
+            # `security: SecKeychainItemImport: Unable to decode the provided data.`
+            if "Unable to decode the provided data" in process.stderr:
+                raise _SecurityKeychainPkcs12FormatImportError()
+            # On macOS 15.1 importing PKCS#12 containers that are exported from Keychain Access with
+            # empty password fails when using pkcs12 format specifier with this message in STDERR:
+            # "security: SecKeychainItemImport: The user name or passphrase you entered is not correct."
+            if "The user name or passphrase you entered is not correct" in process.stderr:
+                raise _SecurityKeychainPkcs12FormatImportError()
+
+        raise KeychainError(f"Unable to add certificate {certificate_path} to keychain {self.path}", process)
 
     def _find_certificates(self):
         process = self.execute(("security", "find-certificate", "-a", "-p", self.path), show_output=False)