Fixes install-certificate expiry check (#151)

simonbs · web-flow · commit a91d31d488b5 · 2026-01-30T14:47:57.000+01:00
* Fixes indentation

* Adds logging

* WIP

* Improves logging

* Fixes error reporting

* Removes debug logging

* Removes debug logging

* Removes OPENSSL_PKCS12_OUTPUT
diff --git a/install-certificate/action.yml b/install-certificate/action.yml
@@ -32,13 +32,19 @@ runs:
         KEYCHAIN_PATH="/Users/$(whoami)/Library/Keychains/${KEYCHAIN_NAME}"
         KEYCHAIN_DB_PATH="${KEYCHAIN_PATH}-db"
         if [ -z "$CERTIFICATE_PASSWORD" ]; then
-          echo "The password for the certificate cannot be empty."
+          echo "::error::The password for the certificate cannot be empty."
           exit 1
         fi
         op read --out-file $CERTIFICATE_FILE_PATH "${{ inputs.certificate-op-reference }}"
         CERTIFICATE_PEM_PATH=$(mktemp)
-        if ! openssl pkcs12 -in "$CERTIFICATE_FILE_PATH" -clcerts -nokeys -passin pass:"$CERTIFICATE_PASSWORD" -out "$CERTIFICATE_PEM_PATH" >/dev/null 2>&1; then
-          echo "Failed to read certificate file. Check that the certificate and password are correct."
+        OPENSSL_VERSION=$(openssl version)
+        if echo "$OPENSSL_VERSION" | grep -qE 'OpenSSL 3'; then
+          OPENSSL_PKCS12_FLAGS="-legacy"
+        else
+          OPENSSL_PKCS12_FLAGS=""
+        fi
+        if ! openssl pkcs12 $OPENSSL_PKCS12_FLAGS -in "$CERTIFICATE_FILE_PATH" -clcerts -nokeys -passin pass:"$CERTIFICATE_PASSWORD" -out "$CERTIFICATE_PEM_PATH" 2>&1; then
+          echo "::error::Failed to read certificate file. Check that the certificate and password are correct."
           rm -f "$CERTIFICATE_PEM_PATH"
           exit 1
         fi
