@per1234 per1234 commented Nov 1, 2025

Wrap signing certificate password in single quotes to prevent corruption

High quality passwords may contain characters with special treatment by the shell (e.g., $).

The release workflows contain a command that imports the macOS code signing certificate to the runner machine's keychain. The command references a GitHub Actions secret that contains the password of the certificate.

Previously, that reference was wrapped in double quotes. This resulted in the password string being subject to shell expansions. If the password contained characters that incidentally resemble shell code, this resulted in the corruption of the password, and thus a spurious failure of the release workflow:

```
security: SecKeychainItemImport: The user name or passphrase you entered is not correct.
```

@per1234 per1234 self-assigned this Nov 1, 2025
@per1234 per1234 added the "topic: infrastructure", "os: macos", and "type: imperfection" labels Nov 1, 2025
@per1234 per1234 merged commit 3ce0b89 into arduino:main Nov 1, 2025
8 checks passed
@per1234 per1234 deleted the wrap-pw branch November 1, 2025 16:59
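
The quoting difference described in the pull request, as an added example that is not part of the original post or the project's workflow code. The function names, the sample password and the `CERT_PW` variable are assumptions made for illustration, and the third function goes beyond the PR by showing the environment-variable form as well.

```shell
#!/bin/sh
# Added example. GitHub Actions replaces a secret expression with the literal
# secret text before the shell parses the script; the outer double-quoted
# strings below stand in for that substitution step.

# Constructed sample password containing "$" sequences (not a real credential).
SAMPLE_PW='Xy7$kQ$9w'

# Old form: the substituted text lands inside double quotes, so the inner shell
# expands $kQ and $9 (both unset) and the password loses characters.
run_double_quoted() {
    sh -c "printf '%s' \"$1\""
}

# Fixed form from this pull request: inside single quotes nothing is expanded.
run_single_quoted() {
    sh -c "printf '%s' '$1'"
}

# Alternative (assumption, not from the PR): hand the value over in an
# environment variable (CERT_PW is a hypothetical name) so it never becomes
# script text; this also survives a password containing a single quote.
run_env_var() {
    CERT_PW="$1" sh -c 'printf "%s" "$CERT_PW"'
}

# Show what each form passes on for the same constructed password.
for form in run_double_quoted run_single_quoted run_env_var; do
    printf '%-18s -> %s\n' "$form" "$("$form" "$SAMPLE_PW")"
done
```

The single-quoted form still yields an unparsable script if the password itself contains a single quote, which is the case the environment-variable form covers.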