Fix certificates exporting with LibreSSL (#427)

CHANGELOG.md

@@ -1,3 +1,9 @@
+Version 0.53.7
+-------------
+
+**Bugfixes**
+- Fix saving Apple code signing certificates to disk when using LibreSSL 3.0.0+. [PR #427](https://github.com/codemagic-ci-cd/cli-tools/pull/427)
+
 Version 0.53.6
 -------------
 

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "codemagic-cli-tools"
-version = "0.53.6"
+version = "0.53.7"
 description = "CLI tools used in Codemagic builds"
 readme = "README.md"
 authors = [

src/codemagic/__version__.py

@@ -1,5 +1,5 @@
 __title__ = "codemagic-cli-tools"
 __description__ = "CLI tools used in Codemagic builds"
-__version__ = "0.53.6.dev"
+__version__ = "0.53.7.dev"
 __url__ = "https://github.com/codemagic-ci-cd/cli-tools"
 __licence__ = "GNU General Public License v3.0"

src/codemagic/models/certificate_p12_exporter.py

@@ -2,7 +2,6 @@
 
 import contextlib
 import pathlib
-import re
 import shutil
 import subprocess
 import tempfile
@@ -16,7 +15,6 @@
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives._serialization import PrivateFormat
 from cryptography.hazmat.primitives.serialization import pkcs12
-from packaging.version import Version
 
 from codemagic.mixins import RunningCliAppMixin
 from codemagic.mixins import StringConverterMixin
@@ -29,39 +27,45 @@
 
 
 class _OpenSsl:
+    __SUPPORTS_NOENC__: Optional[bool] = None
+
     def __init__(self):
         self._executable = shutil.which("openssl")
 
     def ensure_installed(self):
         if self._executable is None:
             raise IOError("OpenSSL executable is not present on system")
 
-    def get_version(self) -> Optional[Version]:
-        if not self._executable:
-            return None
+    def _is_noenc_flag_supported(self) -> bool:
+        """
+        OpenSSL version 3.0.0 deprecated option `-nodes` for disabling encryption
+        when invoking `openssl pkcs12`. It is replaced with `-noenc`.
+        See https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html
 
-        try:
-            version_output = subprocess.check_output([self._executable, "version"])
-        except subprocess.CalledProcessError:
-            version_output = b""
+        Vanilla macOS (at least up to version 14.6) however still bundles `openssl`
+        executable that is using LibreSSL version that does not support `-noenc`.
 
-        version_match = re.search(r"\d+\.\d+\.\d+", version_output.decode(errors="ignore"))
-        if not version_match:
-            return None
+        Check the `-noenc` support by just parsing help message.
+        """
+
+        if self.__SUPPORTS_NOENC__ is None:
+            completed_process = subprocess.run(
+                (self._executable, "pkcs12", "-help"),
+                capture_output=True,
+                check=False,
+            )
+            # Check both stdout and stderr because LibreSSL doesn't have help commands per-se.
+            # Execution fails, and it just outputs "unknown option '-help'" along with full
+            # command usage to stderr.
+            self.__SUPPORTS_NOENC__ = b"-noenc" in completed_process.stdout or b"-noenc" in completed_process.stderr
 
-        return Version(version_match.group())
+        return self.__SUPPORTS_NOENC__
 
     @property
     def no_encryption_flag(self) -> Literal["-nodes", "-noenc"]:
-        # Starting from OpenSSL version 3.0.0 `-nodes` is deprecated for disabling encryption
-        # when invoking `openssl pkcs12`. It is replaced with `-noenc`.
-        # See https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html
-
-        openssl_version = self.get_version()
-        if openssl_version and openssl_version < Version("3.0.0"):
-            # Use legacy flag only if we are sure that the version is earlier than 3.0.0
-            return "-nodes"
-        return "-noenc"
+        if self._is_noenc_flag_supported():
+            return "-noenc"
+        return "-nodes"
 
 
 class P12Exporter(RunningCliAppMixin, StringConverterMixin):