[BUG]: Apple Certificate Fails to Install on macos-15

[shatodj]

New issue checklist

• I searched for existing GitHub issues
• I read pipeline troubleshooting guide
• I checked how to collect logs

Task name

InstallAppleCertificate@2

Task version

2

Issue Description

This is related to #19383, but I'm opening another issue for Azure pipeline task InstallAppleCertificate:

• macos-15.
• Xcode 16

I receive the following error in the pipeline task (there's a 50% chance this issue appears on certain cases):

/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/<redacted>.p12 -nokeys -passin pass:*** | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
Error outputting keys and certificates
<redacted>:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
Could not find certificate from <stdin>
##[warning]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
##[error]Error: /usr/local/bin/openssl failed with return code: 1
Finishing: InstallAppleCertificate

Environment type (Please select at least one enviroment where you face this issue)

• Self-Hosted
• Microsoft Hosted
• VMSS Pool
• Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

macos-15

Relevant log output

/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/<redacted>.p12 -nokeys -passin pass:*** | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
Error outputting keys and certificates
<redacted>:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
Could not find certificate from <stdin>
##[warning]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
##[error]Error: /usr/local/bin/openssl failed with return code: 1
Finishing: InstallAppleCertificate

Full task logs with system.debug enabled

No response

Repro steps

[pkennedy-nz]

We are experiencing the exact same issue after being forced to move from macOS-14 to macOS-15 due to Xcode 16 being removed from the macOS-14 image. Considered critical to get this fixed in macOS-15 as we are unable to build and distribute iOS apps at the moment.

[aleksandrlevochkin]

Hi @shatodj, @pkennedy-nz thanks for bringing this issue up, I believe it is caused by the recent removal of openssl 1.1 from macos images. Looks like this change is going to be reverted soon: actions/runner-images#10817 (comment)

Right now, it looks like agents with image versions with both openssl 1.1 and 3.0 may be assigned to execute tasks, I think it can be an explanation of why the issue does not reproduce consistently.

As a workaround for now, I suggest you try the approach described here: actions/runner-images#10703 (comment)