Certificate Issues on macOS 15 ("Sequoia") #324

Open
jeffhandley opened this issue Sep 14, 2024 · 1 comment

jeffhandley commented Sep 14, 2024

Certificate Issues on macOS 15 ("Sequoia")

This is a locked mirror of dotnet/runtime#106775. See that issue for discussion.

The CopyWithPrivateKey methods that combine a certificate with its associated private key fail on macOS 15 when using in-memory (ephemeral) keys. This failure is most commonly seen when creating new certificates via CertificateRequest.CreateSelfSigned or when loading a certificate and key from a PEM file (or files) with X509Certificate2.CreateFromPem, which utilize the affected methods.

Callers of these methods on macOS 15 ("Sequoia") will receive a CryptographicException, specifically Interop+AppleCrypto+AppleCommonCryptoCryptographicException: The specified item is no longer valid. It may have been deleted from the keychain. The dotnet dev-certs https command relies on CertificateRequest.CreateSelfSigned and fails with this error.

This issue affects .NET 6, .NET 8, and .NET 9. The issue is addressed in the upcoming .NET 6.0.34, .NET 8.0.10, and 9.0.0-rc2 releases, scheduled for release in October 2024.

Root Cause

macOS 15 uses a different status code to indicate a key is not in a Keychain than prior versions do.

Workarounds

If you have not already upgraded to macOS 15 from a prior version and use .NET, you are not impacted by this issue. If you are planning to upgrade to macOS 15, the workaround is to upgrade to .NET 6.0.34, .NET 8.0.10, or .NET 9.0.0-rc2 (scheduled for October 2024) prior to upgrading to macOS 15.

Loading a certificate and its associated private key from a PKCS#12/PFX is not affected. If you are using an application that supports loading a certificate (and associated private key) by either PFX or PEM, converting your PEM contents to PFX - and updating configuration appropriately - may unblock you.
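
Added example, not part of the original issue or the dotnet project's code: a POSIX shell check that classifies installed `Microsoft.NETCore.App` runtimes against the fixed versions named in the issue. The function names, the `rc.2.<build>` prerelease label format and the sample `dotnet --list-runtimes` lines are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Fixed versions (6.0.34, 8.0.10, 9.0.0-rc2) are taken from the issue text.
# Assumptions: later releases keep the fix; .NET 9 prerelease labels look
# like "rc.2.<build>" or "preview.7.<build>".

# runtime_status VERSION -> prints fixed | affected | unlisted
runtime_status() {
    ver=$1
    core=${ver%%-*}                      # 9.0.0-rc.1.24431.7 -> 9.0.0
    pre=""
    if [ "$core" != "$ver" ]; then pre=${ver#*-}; fi
    major=${core%%.*}
    patch=${core##*.}
    case "$major.$patch" in
        *[!0-9.]*|.*|*.) echo unlisted; return 0 ;;   # not a numeric version
    esac
    case "$major" in
        6) if [ "$patch" -ge 34 ]; then echo fixed; else echo affected; fi ;;
        8) if [ "$patch" -ge 10 ]; then echo fixed; else echo affected; fi ;;
        9) case "$pre" in
               "") echo fixed ;;         # 9.0.0 GA or later
               rc*) n=${pre#rc}; n=${n#.}; n=${n%%.*}
                    case "$n" in
                        ""|*[!0-9]*) echo affected ;;
                        *) if [ "$n" -ge 2 ]; then echo fixed; else echo affected; fi ;;
                    esac ;;
               *) echo affected ;;       # preview builds predate rc2
           esac ;;
        *) echo unlisted ;;              # the issue names only .NET 6, 8 and 9
    esac
}

# scan_runtimes: reads `dotnet --list-runtimes` output on stdin and prints
# "<version> <status>" for each Microsoft.NETCore.App entry.
scan_runtimes() {
    while read -r name ver path; do
        if [ "$name" = "Microsoft.NETCore.App" ]; then
            echo "$ver $(runtime_status "$ver")"
        fi
    done
}

# Constructed sample inventory (not captured from a real machine).
SAMPLE='Microsoft.AspNetCore.App 8.0.8 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.33 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.10 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.0-rc.1.24431.7 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]'

printf '%s\n' "$SAMPLE" | scan_runtimes
```

On a real host, replace the sample with `dotnet --list-runtimes | scan_runtimes`; any `affected` line on a machine that is running or about to receive macOS 15 needs the runtime update first.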

@jeffhandley

The description has been edited to reflect that this issue affects .NET 6, .NET 8, and .NET 9. The issue is addressed in the upcoming .NET 6.0.34, .NET 8.0.10, and 9.0.0-rc2 releases, scheduled for release in October 2024.

@dotnet dotnet locked and limited conversation to collaborators Sep 15, 2024