Fix adding certificates with empty password to keychain on macOS 15.1

codemagic-ci-cd · Nov 6, 2024 · 94915e9 · 94915e9
1 parent 77f1cc9
commit 94915e9
Showing 4 changed files with 26 additions and 13 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,8 @@
+Version 0.54.2
+-------------
+
+TDB
+
 Version 0.54.1
 -------------
 

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "codemagic-cli-tools"
-version = "0.54.1"
+version = "0.54.2"
 description = "CLI tools used in Codemagic builds"
 readme = "README.md"
 authors = [

diff --git a/src/codemagic/__version__.py b/src/codemagic/__version__.py
@@ -1,5 +1,5 @@
 __title__ = "codemagic-cli-tools"
 __description__ = "CLI tools used in Codemagic builds"
-__version__ = "0.54.1.dev"
+__version__ = "0.54.2.dev"
 __url__ = "https://github.com/codemagic-ci-cd/cli-tools"
 __licence__ = "GNU General Public License v3.0"
diff --git a/src/codemagic/tools/keychain.py b/src/codemagic/tools/keychain.py
@@ -37,7 +37,7 @@ class KeychainError(cli.CliAppException):
     pass
 
 
-class _CertificateDataDecodeError(IOError):
+class _SecurityKeychainPkcs12FormatImportError(IOError):
     pass
 
 
@@ -392,7 +392,7 @@ def _add_certificate(
                 allowed_applications=allowed_applications,
                 import_format="pkcs12",
             )
-        except _CertificateDataDecodeError:
+        except _SecurityKeychainPkcs12FormatImportError:
             # Attempt import again, but now using different format specifier.
             self._run_add_certificate_process(
                 certificate_path=certificate_path,
@@ -434,17 +434,25 @@ def _run_add_certificate_process(
         process = self.execute(import_cmd, obfuscate_patterns=obfuscate_patterns)
 
         if process.returncode == 0:
-            return
-        elif "The specified item already exists in the keychain" in process.stderr:
-            # It is fine that the certificate is already in keychain
-            pass
-        elif import_format == "pkcs12" and "Unable to decode the provided data" in process.stderr:
+            return  # All good, certificate was successfully imported
+
+        if "The specified item already exists in the keychain" in process.stderr:
+            return  # It is fine that the certificate is already in keychain
+
+        if import_format == "pkcs12":
             # MacOS has not been very compliant with unencrypted PEM-formatted PKCS#12
             # containers generated by OpenSSL. But starting from macOS 15.0 security
-            # just rejects them with error message "Unable to decode the provided data".
-            raise _CertificateDataDecodeError()
-        else:
-            raise KeychainError(f"Unable to add certificate {certificate_path} to keychain {self.path}", process)
+            # just rejects them with the following message in STDERR stream:
+            # `security: SecKeychainItemImport: Unable to decode the provided data.`
+            if "Unable to decode the provided data" in process.stderr:
+                raise _SecurityKeychainPkcs12FormatImportError()
+            # On macOS 15.1 importing PKCS#12 containers that are exported from Keychain Access with
+            # empty password fails when using pkcs12 format specifier with this message in STDERR:
+            # "security: SecKeychainItemImport: The user name or passphrase you entered is not correct."
+            if "The user name or passphrase you entered is not correct" in process.stderr:
+                raise _SecurityKeychainPkcs12FormatImportError()
+
+        raise KeychainError(f"Unable to add certificate {certificate_path} to keychain {self.path}", process)
 
     def _find_certificates(self):
         process = self.execute(("security", "find-certificate", "-a", "-p", self.path), show_output=False)