mirror of
https://github.com/FiloSottile/mkcert.git
synced 2026-04-25 05:26:03 +03:00
[GH-ISSUE #415] Starting from Big Sur 11.3 certificate installation requires user interaction #272
Labels
No labels
TLS stack issue
Windows
bug
duplicate
duplicate
enhancement
help wanted
help wanted
pull-request
question
question
root store
waiting for info
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/mkcert#272
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @potatoqualitee on GitHub (Nov 16, 2021).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/415
First, thank you so much for mkcert! I love it and use it often ⭐
It seems that some default behavior may have changed in macOS 11, as mkcert isn't working out of the box on GitHub Actions with
macos-latest. (Ah yes, I just read an issue I referenced and it saidStarting from Big Sur 11.3 certificate installation requires user interaction, however it can be bypassed by using SecItemAdd method.)I'm getting the same error as reported in https://github.com/FiloSottile/mkcert/issues/94
And I was advised that I could compile some swift code to solve my issue, similar to what they did in this PR https://github.com/actions/virtual-environments/pull/3311.
By the time I was done, however, I wasn't using
mkcertanymore. I thought this would be a more appropriate solution to build into mkcert.@bilalbayasut commented on GitHub (Nov 22, 2021):
@potatoqualitee where is the add-certificate.swift ?
@potatoqualitee commented on GitHub (Nov 22, 2021):
add-certificate.swiftcan be found in GitHub's Runner repo at https://github.com/actions/virtual-environments/blob/main/images/macos/provision/configuration/add-certificate.swiftI got it to compile but then received a "Certificate can't be read" error when I ran it. Since I don't know swift or Apple security well enough, I ran a config override that is acceptable in a CI/CD process but not something I'd want run on my macbook, as it opens the keychain to all users.
@bilalbayasut commented on GitHub (Nov 23, 2021):
got it working here : https://github.com/FiloSottile/mkcert/issues/412#issuecomment-976429667
@FiloSottile commented on GitHub (Apr 26, 2022):
Does the Swift script still work as of macOS 12.3.1? I tried it and the
SecTrustSettingsSetTrustSettingsinvocation still pops up a dialog on my machine. Interestingly enough, the dialog doesn't support Touch ID while thesecurity-driven one does.By the way, that's a pretty bad script. The return code of
SecTrustSettingsSetTrustSettingsis not checked, the script will exit silently ifSecItemAddfails, and the certificate label is alwaysTestwhich I guess made sense ingithub.com/ibm-bluemix-mobile-services/bms-clientsdk-swift-security@c26988a7f5/Source/mca/internal/certificate/SecurityUtils.swiftbut not really in a standalone CLI tool.@potatoqualitee commented on GitHub (Apr 26, 2022):
Unfortunately, I have no idea. GitHub would know more. Because my use-case was CI/CD, I just used a command that was way too permissive.
@FiloSottile commented on GitHub (Apr 26, 2022):
Looks like GitHub is indeed still using this script. I tried figuring out why it works on their runners and couldn't reproduce uninteractive behavior. https://github.com/actions/virtual-environments/blob/main/images/macos/provision/configuration/configure-machine.sh
@potatoqualitee commented on GitHub (Apr 27, 2022):
I'll see who I can ping and let you know! Thanks for looking into this
@FiloSottile commented on GitHub (Apr 28, 2022):
Whatever is going on is inconsistent with the
SecTrustSettingsSetTrustSettingsdocs.https://developer.apple.com/documentation/security/1399119-sectrustsettingssettrustsettings
@timsutton found the relevant entry in the Big Sur release notes: https://github.com/FiloSottile/mkcert/issues/322#issuecomment-868822285
Which seems to imply this is intentional. I wonder if the Configurator path is viable for mkcert.
If this is intentional, though, it seems weird it can be defeated with
sudo security authorizationdb write com.apple.trust-settings.admin allowper https://github.com/actions/virtual-environments/issues/4519#issuecomment-970202641 (surely any malicious code would just do that?), and still doesn't explain why the script works for the GitHub runner setups.We could mention
com.apple.trust-settings.adminin the docs for CI/CD runners, but I'm worried about people just running it on their main machine.@timsutton commented on GitHub (Apr 28, 2022):
Hmm. The Configurator idea I think won't help here: besides requiring an extra download, Apple ID sign-in and "purchase" of a free app, you still can't install configuration profiles automatically starting with Big Sur either. Apple removed local profiles installation in the same OS release they also took away an officially-supported way to trust a root cert at the command line.
It seems weird about the workaround being possible, but I think there's a few possible reasons:
security authorizationdbdatabase is not a widely-known thingIt is possible to afterwards revert the authorizationdb settings for
com.apple.trust-settings.admintoo, but I agree this is probably better off a thing to just document as an unsupported workaround that a user should do on their own if they accept the risk. IIRC reverting the settings is a more complicated command because the original setting's rules is a more complicated dictionary structure.@potatoqualitee commented on GitHub (Apr 29, 2022):
Don't know if this is too severe, but a documented flag can also be added like
-forcemactrustand people can opt-in to the easier method in exchange for a few milliseconds of lessened security. I'd use that.@timsutton -- seems you may also be suggesting to wait for workarounds to appear? also valid and clean(er).
@timsutton commented on GitHub (Apr 29, 2022):
I was just suggesting that I think it's acceptable if the tool doesn't want to own a system configuration change that could be risky (and instead to document how users can do it at their own risk).
I'm not thinking 'risky' in the sense that one needs to temporarily reduce security policy, but risky in the sense that it's a change that Apple doesn't have a documented public API for and can easily break or change in the future, and that reverting the setting may take some time effort to get right. So if
mkcertdecided it would offer to make this change and also revert it afterwards, it'd be something to support in future years of macOS releases.IMO the trickier details of the authorization database is the rules nomenclature and how to revert them after changing the configuration. 'eskimo' (an Apple engineer who posts a lot of very helpful replies on Apple's developer forums) has some good details provided here. The "allow" setting is easy to apply, and I think it's straightforward enough to put back a rule for the right (by piping the correct plist into stdin of
security authorizationdb). But if those rules might change next OS release, that'd be not great. Maybe that's unlikely – but it's just the example of how this opens up a bit of a can of worms thanks to Apple having no simple and documented way to do this (outside of what they officially support for automation which is MDM-only).@sdavids commented on GitHub (Oct 30, 2023):
Sill an issue in Sonoma.
@BhaveshGujar111 commented on GitHub (Oct 7, 2024):
There is new issue occurs in new MacOS 15 version while adding certificates through MDM, before that it was working using below cmd
Using sudo prompt still asks to enter username and password
security authorizationdb write com.apple.trust-settings.admin allow ; security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" cert.cer ; security authorizationdb remove com.apple.trust-settings.admin