 

MAC verification failed during PKCS12 import (wrong password?) / Azure Devops

I'm using the InstallAppleCertificate@2 task from Azure DevOps, but each time I try running it this error pops up:

security: SecKeychainItemImport: MAC verification failed during PKCS12 import (wrong password?)

This is the task I'm using:

- task: InstallAppleCertificate@2
  inputs:
    certSecureFile: "${{ parameters.certificateSecureFileName }}"
    certPwd: "${{ parameters.certificatePassword }}"
  displayName: "Install AdHoc Certificate"

I'm pretty sure the password is correct since I tried the same command locally and it worked. Password doesn't contain any special characters and is being stored in a variables group.

Any help would be appreciated. Thank you

tarek Tarshishi asked Nov 23 '25 19:11


2 Answers

The first link in @i_82's answer says this:

The pkcs12 application now supports -legacy option that restores the previous default algorithms to support interoperability with legacy systems.

If you have control over the arguments when exporting, using the -legacy option should solve the problem without needing to install an old version of openssl:

openssl pkcs12 -export -legacy -out Certificate.p12 -in certificate.pem -inkey key.pem

Jarrod Moldrich answered Nov 26 '25 09:11


OpenSSL 3.x changed its default algorithm in pkcs12, which is not compatible with the embedded Security frameworks in macOS/iOS. You could alternatively use OpenSSL 1.x.

See:

  • Change default algorithms in PKCS12_create() and PKCS12_set_mac()
  • MacOS security framework fails to import RFC 7292 compliant PKCS #12 v1.1 file into keychain using modern cyphers

To macOS users: If you're using openssl@3 command line tool installed via Homebrew, downgrade to openssl@1.1 and modify your PATH in ~/.zshrc. For example:

export PATH="/opt/homebrew/opt/openssl@3/bin:$PATH"
export PATH="/opt/homebrew/opt/openssl@1.1/bin:$PATH"

If you're using openssl@3 libraries (libcrypto and libssl) with SecKeychainItemImport or SecPKCS12Import, have a look at the commit page above and make some modifications to your code.

i_82 answered Nov 26 '25 09:11
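
Both answers come down to which algorithms protect the .p12: the OpenSSL 3.x defaults, or the pre-3.0 ones that `-legacy` restores. The script below is an added example, not part of either answer: it reports which form an existing .p12 uses and re-wraps it with `-legacy`. It assumes OpenSSL 3.x is the `openssl` on PATH (not the LibreSSL binary that ships with macOS) and that the password is supplied in an environment variable, named `P12_PASS` here.

```shell
#!/bin/sh
# Added example, not from the answers. Assumes OpenSSL 3.x is the `openssl` on
# PATH and that the container password is in the environment variable P12_PASS
# (a name chosen here), which keeps it out of argv and the process list.

# Print "legacy", "modern" or "unreadable" for the PKCS#12 file in $1.
p12_profile() {
  # -legacy loads the provider needed to read RC2/3DES containers as well;
  # the algorithm summary printed by -info goes to stderr, hence 2>&1.
  p12_info=$(openssl pkcs12 -legacy -info -noout -in "$1" \
               -passin env:P12_PASS 2>&1) || { echo unreadable; return 1; }
  if printf '%s\n' "$p12_info" | grep -q 'PBES2' ||
     ! printf '%s\n' "$p12_info" | grep -qi '^MAC: sha1'; then
    echo modern   # OpenSSL 3 defaults (PBES2/AES-256-CBC, SHA-256 MAC)
  else
    echo legacy   # pre-3.0 defaults, the form -legacy produces
  fi
}

# Re-wrap the container in $1 as $2 with the pre-3.0 algorithms, same password.
p12_to_legacy() {
  p12_tmp=$(mktemp "${TMPDIR:-/tmp}/p12.XXXXXX") || return 1
  # The intermediate PEM keeps the private key encrypted under P12_PASS.
  if openssl pkcs12 -legacy -in "$1" -out "$p12_tmp" \
       -passin env:P12_PASS -passout env:P12_PASS &&
     openssl pkcs12 -export -legacy -in "$p12_tmp" -out "$2" \
       -passin env:P12_PASS -passout env:P12_PASS; then
    rm -f "$p12_tmp"
  else
    rm -f "$p12_tmp" "$2"
    return 1
  fi
}

# Usage: P12_PASS=... sh p12-legacy.sh in.p12 out.p12
if [ "$#" -eq 2 ]; then
  p12_profile "$1" && p12_to_legacy "$1" "$2" && p12_profile "$2"
fi
```

A result of `unreadable` means OpenSSL itself rejected the password, which separates a wrong pipeline secret from the algorithm mismatch the answers describe.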