Skip to content

Use updated method for removing system-trusted certificate #190

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Use updated method for removing system-trusted certificate #190

wants to merge 1 commit into from

Conversation

djc
Copy link
Member

@djc djc commented Jun 20, 2025
edited
Loading

@djc djc requested review from cpu and ctz June 20, 2025 11:50
@ctz
Copy link
Member

ctz commented Jun 23, 2025

Seems this doesn't work?

+ CERT_HASH=D69B561148F01C77C54578C10926DF5B856976AD
+ security delete-certificate -Z D69B561148F01C77C[54](https://github.com/rustls/rustls-native-certs/actions/runs/15778295489/job/44477614779#step:11:55)578C10926DF5B856976AD /Library/Keychains/System.keychain
Unable to delete certificate matching "D69B561148F01C77C54578C10926DF5B856976AD"+ true

(Also surely "remove-trusted-cert" is the inverse of "add-trusted-cert"?)

@djc djc changed the title Use updated method for removing system-trusted certiciate Use updated method for removing system-trusted certificate Jun 23, 2025
@djc djc mentioned this pull request Jun 23, 2025
Open
14 tasks
@djc djc force-pushed the macos-testing branch from 3616d55 to 85c57b4 Compare July 11, 2025 12:02
cpu
cpu approved these changes Jul 11, 2025
View reviewed changes
Copy link
Member

@cpu cpu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for figuring out the breakage 👍

integration-tests/macos.sh Outdated
printf "\n*** Remove test CA ***\n"
CERT_HASH=$(openssl x509 -in $ANY_CA_PEM -noout -fingerprint -sha1 | cut -d= -f2 | tr -d :)
security delete-certificate -Z "$CERT_HASH" /Library/Keychains/System.keychain || true
list | grep "$ANY_CA_SUBJECT" || true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of doing the list | grep here, should it be calling the assert_missing() helper on L19..25 instead? It seems to handle the set +e complications so the || true added here wouldn't be needed.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like a reasonable suggestion!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmm, the failure seems to indicate the removal didn't work:

+ grep 'OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign'
cert[93] = OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign

Looking closer the output earlier shows an error from security delete-certificate too:

+ security delete-certificate -Z D69B561148F01C77C54578C10926DF5B856976AD /Library/Keychains/System.keychain
Unable to delete certificate matching "D69B561148F01C77C54578C10926DF5B856976AD"+ true

@djc djc force-pushed the macos-testing branch from 85c57b4 to d0942d7 Compare July 11, 2025 12:56
@cpu cpu self-requested a review July 11, 2025 13:02
ctz
ctz reviewed Jul 11, 2025
View reviewed changes
integration-tests/macos.sh
list | grep "$ANY_CA_SUBJECT"
printf "\n*** Remove test CA ***\n"
CERT_HASH=$(openssl x509 -in $ANY_CA_PEM -noout -fingerprint -sha1 | cut -d= -f2 | tr -d :)
security delete-certificate -Z "$CERT_HASH" /Library/Keychains/System.keychain || true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this tidying up is not actually worth it. How about deleting reset and all calls to it? I assume GHA gives a fresh, fixed environment for every job run anyway...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume the goal here was to be able to run it on your local machine, in which case leaving it in the same state it came in would be useful...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ctz ctz ctz left review comments

@cpu cpu Awaiting requested review from cpu

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

macOS integration tests hang in CI
3 participants
@djc @ctz @cpu