[match] OpenSSL 1.1.0 breaks backwards compatibility with old encrypted keys, etc #9542

Closed
pepasflo opened this Issue Jun 21, 2017 · 13 comments

@pepasflo

pepasflo commented Jun 21, 2017

Summary:

It looks like OpenSSL 1.1.0 changed something about the default settings they use to encrypt / decrypt files.

One possible work-around for this issue would be to modify match to do the following:

  • Try to decrypt the p12 file
  • If that fails, try it again using the older openssl behavior (by appending -md md5 to the openssl command)
  • If that also fails, treat it like an actual failure and continue with the existing (failure) codepath.

Details:

Here's a stackoverflow post which describes the issue: https://unix.stackexchange.com/a/344586

The default hash used by openssl enc for password-based key derivation changed in 1.1.0 to SHA256 versus MD5 in lower versions.

On a box with older openssl installed, match will work correctly. You can test this by manually decrypting one of match's p12 files using this command:

openssl aes-256-cbc -k password-goes-here -in ABCDE12345.p12 -out /dev/null -a -d

On a box with openssl 1.1.0+ installed, match will fail:

WARN [2017-06-19 16:49:50.76]: Enter the passphrase that should be used to encrypt/decrypt your certificates
WARN [2017-06-19 16:49:50.76]: This passphrase is specific per repository and will be stored in your local keychain
WARN [2017-06-19 16:49:50.76]: Make sure to remember the password, as you'll need it when you run match on a different machine
 [2017-06-19 16:49:50.76]: Passphrase for Git Repo: ********
 [2017-06-19 16:49:54.30]: Type passphrase again: ********
bad decrypt
140736683381696:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:535:
ERROR [2017-06-19 16:49:56.67]: Couldn't decrypt the repo, please make sure you enter the right password!

However, if you run the above openssl command and append -md md5 (which forces the old behavior), it will work: you can correctly decrypt a p12 file which was encrypted using the older version of openssl.

The new behavior of openssl is the equivalent of appending -md sha256.

New Issue Checklist

  • [ ] Updated fastlane to the latest version -- I am currently using 2.37.0
  • [ ] I have read the Contribution Guidelines

Environment

I am using fastlane 2.37.0.

🚫 fastlane environment 🚫

Stack

| Key | Value |
| --- | --- |
| OS | 10.12.4 |
| Ruby | 2.4.0 |
| Bundler? | false |
| Git | git version 2.11.0 (Apple Git-81) |
| Installation Source | ~/.rvm/gems/ruby-2.4.0/bin/fastlane |
| Host | Mac OS X 10.12.4 (16E195) |
| Ruby Lib Dir | ~/.rvm/rubies/ruby-2.4.0/lib |
| OpenSSL Version | OpenSSL 1.1.0e 16 Feb 2017 |
| Is contained | false |
| Is homebrew | false |
| Is installed via Fabric.app | false |
| Xcode Path | /Applications/Xcode.app/Contents/Developer/ |
| Xcode Version | 8.3.2 |

System Locale

| Variable | Value |
| --- | --- |
| LANG | en_US.UTF-8 |
| LC_ALL | |
| LANGUAGE | |

fastlane files:

No Fastfile found

No Appfile found

fastlane gems

| Gem | Version | Update-Status |
| --- | --- | --- |
| fastlane | 2.37.0 | 🚫 Update available |

Loaded fastlane plugins:

No plugins Loaded

Loaded gems
| Gem | Version |
| --- | --- |
| did_you_mean | 1.1.0 |
| executable-hooks | 1.3.2 |
| bundler-unload | 1.0.2 |
| rubygems-bundler | 1.4.4 |
| bundler | 1.14.6 |
| io-console | 0.4.6 |
| slack-notifier | 1.5.1 |
| CFPropertyList | 2.3.5 |
| claide | 1.0.1 |
| colored2 | 3.1.2 |
| nanaimo | 0.2.3 |
| xcodeproj | 1.4.4 |
| multipart-post | 2.0.0 |
| word_wrap | 1.0.0 |
| tty-screen | 0.5.0 |
| babosa | 1.0.2 |
| colored | 1.2 |
| highline | 1.7.8 |
| commander-fastlane | 4.4.4 |
| http-cookie | 1.0.3 |
| faraday-cookie_jar | 0.0.6 |
| fastimage | 2.1.0 |
| gh_inspector | 1.0.3 |
| uber | 0.0.15 |
| representable | 2.3.0 |
| retriable | 2.1.0 |
| mime-types-data | 3.2016.0521 |
| mime-types | 3.1 |
| hurley | 0.2 |
| jwt | 1.5.6 |
| memoist | 0.15.0 |
| multi_json | 1.12.1 |
| os | 0.9.6 |
| signet | 0.7.3 |
| googleauth | 0.5.1 |
| httpclient | 2.8.3 |
| google-api-client | 0.9.28 |
| mini_magick | 4.5.1 |
| multi_xml | 0.6.0 |
| rubyzip | 1.2.1 |
| security | 0.1.3 |
| xcpretty-travis-formatter | 0.0.4 |
| faraday_middleware | 0.11.0.1 |
| json | 2.1.0 |
| excon | 0.56.0 |
| openssl | 2.0.2 |
| plist | 3.3.0 |
| faraday | 0.12.1 |
| unf | 0.1.4 |
| domain_name | 0.5.20170404 |
| terminal-table | 1.8.0 |
| unicode-display_width | 1.2.1 |

generated on: 2017-06-21
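The report above makes two technical points: `openssl enc -k` derives key and IV from the passphrase with EVP_BytesToKey, whose digest defaulted to MD5 before 1.1.0 and SHA256 from 1.1.0 on, and the proposed workaround is to try the current default and fall back to `-md md5` only when the first attempt fails. The following Ruby is an added illustration of both points, written for this page; it is not code from fastlane or match and it does not shell out to the openssl binary. It reimplements the single-iteration EVP_BytesToKey derivation and the `Salted__` + 8-byte-salt + ciphertext layout that `openssl enc -a` writes, which are documented OpenSSL behaviour; the function names (`evp_bytes_to_key`, `openssl_enc`, `openssl_dec`, `decrypt_with_fallback`), the sample passphrase and the sample plaintext are my own constructions.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

CIPHER_NAME = 'aes-256-cbc'.freeze
SALT_MAGIC  = 'Salted__'.b.freeze

# EVP_BytesToKey with a single iteration: the key derivation behind
# `openssl enc -k <pass>`. Each block is H(prev || pass || salt), and blocks
# are concatenated until enough bytes exist for key and IV. The digest H is
# exactly what changed between OpenSSL 1.0.x (MD5) and 1.1.0 (SHA256).
def evp_bytes_to_key(digest_name, passphrase, salt, key_len, iv_len)
  out  = ''.b
  prev = ''.b
  while out.bytesize < key_len + iv_len
    prev = OpenSSL::Digest.digest(digest_name, prev + passphrase.b + salt)
    out << prev
  end
  [out[0, key_len], out[key_len, iv_len]]
end

# Build a blob in the layout `openssl aes-256-cbc -k pass -a` produces:
# base64("Salted__" || 8-byte salt || ciphertext). Passing 'MD5' mimics what
# a 1.0.x box wrote into a match repo; 'SHA256' mimics a 1.1.0 box.
def openssl_enc(plaintext, passphrase, digest_name, salt = SecureRandom.random_bytes(8))
  cipher = OpenSSL::Cipher.new(CIPHER_NAME)
  cipher.encrypt
  key, iv = evp_bytes_to_key(digest_name, passphrase, salt, cipher.key_len, cipher.iv_len)
  cipher.key = key
  cipher.iv  = iv
  Base64.strict_encode64(SALT_MAGIC + salt + cipher.update(plaintext) + cipher.final)
end

# Decrypt such a blob with an explicit digest. A mismatched digest yields the
# wrong key and IV, so the PKCS#7 padding check in `final` raises
# OpenSSL::Cipher::CipherError, the library form of the CLI's "bad decrypt".
def openssl_dec(encoded, passphrase, digest_name)
  raw = Base64.decode64(encoded)
  unless raw.bytesize >= 16 && raw[0, 8] == SALT_MAGIC
    raise ArgumentError, 'not an openssl enc salted blob'
  end
  salt   = raw[8, 8]
  cipher = OpenSSL::Cipher.new(CIPHER_NAME)
  cipher.decrypt
  key, iv = evp_bytes_to_key(digest_name, passphrase, salt, cipher.key_len, cipher.iv_len)
  cipher.key = key
  cipher.iv  = iv
  cipher.update(raw[16..-1]) + cipher.final
end

# The workaround proposed in the report: try the 1.1.0 default first, retry
# with the legacy digest on failure, and surface a real failure only when
# both attempts fail. Returns [plaintext, digest_that_worked].
def decrypt_with_fallback(encoded, passphrase)
  %w[SHA256 MD5].each do |digest_name|
    begin
      return [openssl_dec(encoded, passphrase, digest_name), digest_name]
    rescue OpenSSL::Cipher::CipherError
      next # wrong key for this digest; try the next one
    end
  end
  raise OpenSSL::Cipher::CipherError, 'bad decrypt with both SHA256 and MD5 key derivation'
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a blob as written by a pre-1.1.0 openssl (MD5 KDF).
  legacy_blob = openssl_enc("constructed p12 bytes\n", 'password-goes-here', 'MD5')
  plaintext, digest = decrypt_with_fallback(legacy_blob, 'password-goes-here')
  puts "decrypted with #{digest}: #{plaintext.inspect}"
end
```

Two things worth knowing before adopting the fallback pattern. First, the only signal that the digest was wrong is a padding failure in `final`, so roughly 1 in 256 wrong keys will pass the padding check and return garbage instead of raising; a caller should still validate what comes back (for match, the p12 parse would fail at that point). Second, the digest choice is about compatibility, not strength: EVP_BytesToKey with one iteration is a weak password KDF whichever hash it uses, so the durable fix is to pin the digest explicitly on both the encrypt and decrypt paths (as the cryptex PR linked below does) and, once every client is on 1.1.0, re-encrypt the repo rather than keep `-md md5` forever.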

@taquitos

Member

taquitos commented Jun 26, 2017

Fascinating. Thank you for the report.

@fastlane-bot

fastlane-bot commented Aug 25, 2017

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates.

Please make sure to update to the latest fastlane version and check if that solves the issue. Let us know if that works for you by adding a comment 👍

@fastlane-bot

fastlane-bot commented Sep 3, 2017

This issue will be auto-closed because there hasn't been any activity for a few months. Feel free to open a new one if you still experience this problem 👍

@KrauseFx

Member

KrauseFx commented Sep 7, 2017

I think this is something we want to work on, right?

@fastlane-bot

fastlane-bot commented Oct 22, 2017

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates.

Please make sure to update to the latest fastlane version and check if that solves the issue. Let us know if that works for you by adding a comment 👍

@fastlane-bot

fastlane-bot commented Oct 31, 2017

This issue will be auto-closed because there hasn't been any activity for a few months. Feel free to open a new one if you still experience this problem 👍

@fastlane fastlane locked and limited conversation to collaborators Dec 30, 2017

@janpio janpio reopened this Jan 20, 2018

@fastlane-bot

fastlane-bot commented Mar 16, 2018

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates.

Please make sure to update to the latest fastlane version and check if that solves the issue. Let us know if that works for you by adding a comment 👍

@fastlane-bot

fastlane-bot commented Mar 24, 2018

This issue will be auto-closed because there hasn't been any activity for a few months. Feel free to open a new one if you still experience this problem 👍

@joshdholtz joshdholtz self-assigned this Mar 26, 2018

@fastlane-bot

fastlane-bot commented Apr 25, 2018

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates.

Please make sure to update to the latest fastlane version and check if that solves the issue. Let us know if that works for you by adding a comment 👍

@hjanuschka

Member

hjanuschka commented Apr 26, 2018

We had this in cryptex too.
The problem is that 1.1 defaults to sha256, whereas 1.0 did an md5.

see this PR: hjanuschka/fastlane-plugin-cryptex#10
adds support for setting the digest by hand, and defaulting to md5

Anyone up for a PR? Otherwise I'll go for it.

@hjanuschka

Member

hjanuschka commented Apr 26, 2018

OK, forget my last comment. I ported the PR from cryptex to match, and then realized I haven't pulled the repo for some time, and the md5 change is already there.

@fastlane-bot

fastlane-bot commented Jun 4, 2018

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates.

Please make sure to update to the latest fastlane version and check if that solves the issue. Let us know if that works for you by adding a comment 👍

@fastlane-bot

fastlane-bot commented Jun 12, 2018

This issue will be auto-closed because there hasn't been any activity for a few months. Feel free to open a new one if you still experience this problem 👍