The following commit has been merged in the openafs-stable-1_8_x branch:
commit fdfbadd0daef0d05b578f150e84368f03a2e0e81
Author: Andrew Deason <adea...@sinenomine.net>
Date:   Thu Aug 21 10:55:10 2025 -0500

    DARWIN: Handle ',' and '/' openssl x509 delims

    Our logic for extracting MACOS_TEAM_ID from our application signing
    cert assumes that the output from 'openssl x509 -noout -subject' looks
    like this:

        $ security find-certificate -c xxxx -p | openssl x509 -noout -subject
        subject=UID=SKMME9E2Y8, CN=Developer ID Application: Org (SKMME9E2Y8), OU=SKMME9E2Y8, O=org, C=US

    That is, the components are delimited by commas. But current macOS
    uses an 'openssl' from LibreSSL, and the output looks like this:

        $ security find-certificate -c xxxx -p | openssl x509 -noout -subject
        subject= /UID=SKMME9E2Y8/CN=Developer ID Application: Org (SKMME9E2Y8)/OU=SKMME9E2Y8/O=Org/C=US

    That is, the components are delimited by slashes. So currently, this
    build logic extracts the MACOS_TEAM_ID as something like
    "SKMME9E2Y8/O=Org/C=US", which is incorrect. Nothing notices the
    error, and the build proceeds, eventually building binaries with the
    garbage team id, and so our XPC security checks may always fail for
    the menu helper and backgrounder.

    To fix this, try to accommodate both output styles, delimited by
    either commas or slashes. Add a check to see if the extracted
    MACOS_TEAM_ID contains extra components, and fail if so, since that
    suggests we didn't extract it properly.

    Reviewed-on: https://gerrit.openafs.org/16517
    Tested-by: BuildBot <build...@rampaginggeek.com>
    Reviewed-by: Cheyenne Wills <cwi...@sinenomine.net>
    Reviewed-by: Mark Vitale <mvit...@sinenomine.net>
    Tested-by: Mark Vitale <mvit...@sinenomine.net>
    Reviewed-by: Michael Meffie <mmef...@sinenomine.net>
    (cherry picked from commit 1877621fbcaab3c441c89beff005316602b9ff6d)

    Change-Id: I31c210b7196f11886bcbc3d2fc3b96962111b2ab
    Reviewed-on: https://gerrit.openafs.org/16520
    Tested-by: BuildBot <build...@rampaginggeek.com>
    Reviewed-by: Michael Meffie <mmef...@sinenomine.net>
    Reviewed-by: Andrew Deason <adea...@sinenomine.net>
    Reviewed-by: Benjamin Kaduk <ka...@mit.edu>

 src/cf/options.m4 | 18 +++++++++++++++--
 1 file changed, 15 insertions(+), 3 deletions(-)

--
OpenAFS Master Repository
_______________________________________________
OpenAFS-cvs mailing list
OpenAFS-cvs@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-cvs
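
The parsing problem the commit message describes, as an added example that is not part of the original message and is not the code in src/cf/options.m4: a comma-only parse beside one that accepts either delimiter, plus a check that rejects a value still carrying extra components. The function names are hypothetical, the two subject lines are constructed from the ones quoted above, and taking the id from the OU= component is an assumption.

```shell
#!/bin/sh
# Added example, not the code in src/cf/options.m4.
# Assumption: the team id is the OU= component of the certificate subject.

# Constructed sample subjects, in the two styles the commit message quotes.
SUBJ_COMMA='subject=UID=SKMME9E2Y8, CN=Developer ID Application: Org (SKMME9E2Y8), OU=SKMME9E2Y8, O=org, C=US'
SUBJ_SLASH='subject= /UID=SKMME9E2Y8/CN=Developer ID Application: Org (SKMME9E2Y8)/OU=SKMME9E2Y8/O=Org/C=US'

# Comma-only parse: the OU value is taken to run up to the next comma.
# On slash-delimited output it swallows the components that follow.
team_id_comma_only() {
    printf '%s\n' "$1" | sed -n 's/^.*OU=\([^,]*\).*$/\1/p'
}

# Parse that accepts either delimiter: OU= must start the subject or follow
# a ',' or '/', and its value stops at the next ',' or '/'.
team_id_either() {
    printf '%s\n' "$1" |
        sed -nE 's#^(subject= *|.*[,/] *)OU=([^,/]*).*$#\2#p'
}

# Return 0 only for a non-empty value with no leftover delimiter or
# key=value text, i.e. no sign of extra subject components.
team_id_ok() {
    case "$1" in
        ''|*/*|*,*|*=*) return 1 ;;
        *) return 0 ;;
    esac
}

# Extract and validate; fail loudly instead of emitting a bad id.
get_team_id() {
    id=$(team_id_either "$1")
    if team_id_ok "$id"; then
        printf '%s\n' "$id"
    else
        echo "cannot determine team id from: $1" >&2
        return 1
    fi
}

# Demo: show what each parse yields for both output styles.
for s in "$SUBJ_COMMA" "$SUBJ_SLASH"; do
    echo "comma-only: $(team_id_comma_only "$s")"
    echo "either:     $(get_team_id "$s")"
done
```

Running team_id_ok on the comma-only result for the slash-style subject is the case that matters for a build: it turns a silently wrong id into a failure.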