certmgr System.UnauthorizedAccessException: Access to the path "/usr/share/.mono" is denied. #12005

Open
joakimhew opened this issue Dec 10, 2018 · 2 comments

joakimhew commented Dec 10, 2018

Steps to Reproduce

  1. Have SIP enabled
  2. Run sudo certmgr -add -c -v -m Trust mycert.pfx

Current Behavior

On macOS the X509Store used in certmgr.cs tries to access a folder protected by SIP and will throw an UnauthorizedAccessException as long as SIP protection is enabled.

Expected Behavior

Suggestions for expected behavior:

  1. Don't use a SIP protected folder to store certificates (Preferred)
  2. Check for SIP to notify user that it needs to be disabled.

On which platforms did you notice this

[x] macOS
[ ] Linux
[ ] Windows

Version Used:

Mono JIT compiler version 5.16.0.220 (2018-06/bb3ae37d71a Fri Nov 16 17:12:11 EST 2018)
Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
TLS: normal
SIGSEGV: altstack
Notification: kqueue
Architecture: amd64
Disabled: none
Misc: softdebug
Interpreter: yes
LLVM: yes(3.6.0svn-mono-release_60/0b3cb8ac12c)
GC: sgen (concurrent by default)

Stacktrace

Mono Certificate Manager - version 5.16.0.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Found key for certificate: CN=STSingaporeDevTest
Access to the machine 'Trust' certificate store has been denied.
System.UnauthorizedAccessException: Access to the path "/usr/share/.mono" is denied.
  at System.IO.Directory.CreateDirectoriesInternal (System.String path) [0x0005e] in <98fac219bd4e453693d76fda7bd96ab0>:0
  at System.IO.Directory.CreateDirectory (System.String path) [0x0008f] in <98fac219bd4e453693d76fda7bd96ab0>:0
  at System.IO.DirectoryInfo.Create () [0x00000] in <98fac219bd4e453693d76fda7bd96ab0>:0
  at (wrapper remoting-invoke-with-check) System.IO.DirectoryInfo.Create()
  at System.IO.Directory.CreateDirectoriesInternal (System.String path) [0x00036] in <98fac219bd4e453693d76fda7bd96ab0>:0
  at System.IO.Directory.CreateDirectory (System.String path) [0x0008f] in <98fac219bd4e453693d76fda7bd96ab0>:0
  at System.IO.DirectoryInfo.Create () [0x00000] in <98fac219bd4e453693d76fda7bd96ab0>:0
  at (wrapper remoting-invoke-with-check) System.IO.DirectoryInfo.Create()
  at System.IO.Directory.CreateDirectoriesInternal (System.String path) [0x00036] in <98fac219bd4e453693d76fda7bd96ab0>:0
  at System.IO.Directory.CreateDirectory (System.String path) [0x0008f] in <98fac219bd4e453693d76fda7bd96ab0>:0
  at Mono.Security.X509.X509Store.CheckStore (System.String path, System.Boolean throwException) [0x00020] in <21a4abcc52e44877869c07dd17362a52>:0
  at Mono.Security.X509.X509Store.Import (Mono.Security.X509.X509Certificate certificate) [0x00000] in <21a4abcc52e44877869c07dd17362a52>:0
  at Mono.Tools.CertificateManager.Add (Mono.Tools.CertificateManager+ObjectType type, Mono.Security.X509.X509Store store, System.String file, System.String password, System.Boolean verbose) [0x00027] in <f406eeed190146d283a42513ebe4b7d1>:0
  at Mono.Tools.CertificateManager.Main (System.String[] args) [0x00183] in <f406eeed190146d283a42513ebe4b7d1>:0

EgorBo (Member) commented Dec 10, 2018

Duplicates (?) #11043
As a workaround, you can store them in a user-level folder (omit the -m flag)

marek-safar (Member) commented

Yeah, it's related to #11043
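
A pre-flight check combining suggestion 2 from the issue with the workaround from the first reply, as an added example (not code from the Mono project or from anyone in this thread). The function names and the wrapper are hypothetical; it assumes `csrutil status` prints a "System Integrity Protection status: ..." line and that SIP guards /System, /usr (except /usr/local), /bin and /sbin.

```shell
#!/bin/sh
# Added example: decide whether `certmgr -m` can work before running it.
# MACHINE_STORE_DIR is the path named in the exception in this issue.
MACHINE_STORE_DIR="/usr/share/.mono"

# Return 0 if the path lies under a root that SIP protects.
# /usr is protected except for /usr/local.
sip_protected_path() {
    case "$1" in
        /usr/local|/usr/local/*) return 1 ;;
        /System|/System/*|/usr|/usr/*|/bin|/bin/*|/sbin|/sbin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 unless the `csrutil status` text clearly says SIP is disabled.
# Unknown or custom configurations are treated as enabled (fail safe).
sip_enabled() {
    case "$1" in
        *"status: disabled"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print "machine" when -m can work, "user" when SIP would block the write.
# $1 = text of `csrutil status`, $2 = store directory (default: the one above).
store_scope() {
    dir="${2:-$MACHINE_STORE_DIR}"
    if sip_enabled "$1" && sip_protected_path "$dir"; then
        echo user
    else
        echo machine
    fi
}

# Hypothetical wrapper, runs only when invoked with a certificate file.
if [ -n "${1:-}" ] && command -v csrutil >/dev/null 2>&1; then
    if [ "$(store_scope "$(csrutil status)")" = machine ]; then
        sudo certmgr -add -c -v -m Trust "$1"
    else
        # Assumption: the user-level store belongs to the invoking user, so no sudo.
        echo "SIP blocks $MACHINE_STORE_DIR; importing to the user store" >&2
        certmgr -add -c -v Trust "$1"
    fi
fi
```

A certificate imported without -m lands in the user-level store only, so other accounts on the machine do not pick it up as trusted.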
