Opened 2 years ago

Closed 2 years ago

#66230 closed defect (fixed)

apple-pki-bundle @2018-09-27_2+additional_pki_bundle+system_roots_keychain build failure- portfile/distfile discrepancy

Reported by: jrandall814
Owned by: essandess (Steve Smith)
Priority: Normal
Milestone:
Component: ports
Version: 2.8.0
Keywords:
Cc:
Port: apple-pki-bundle

Description

After upgrading my M1 2020 Mac Mini to Mac OS 13.0.1 I upgraded my MacPorts installation to 2.8.0-13-Ventura. A dependency of the privoxy package that I sought to reinstall is apple-pki-bundle. But this package fails to build because of discrepancies between the values of the rmd160 checksum, sha256 checksum and size given or calculated for the AppleISTCA2G1.cer key in the Portfile and the Distfile.

Attachments (3)

out.txt (1.2 KB) - added by jrandall814 2 years ago.
standard output and standard error from the sudo port install apple-pki-bundle
install_log.txt (160.0 KB) - added by jrandall814 2 years ago.
log associated with the sudo port install apple-pki-bundle command
Portfile_apple-pki-bundle.diff (878 bytes) - added by jrandall814 2 years ago.
suggested patch

Change History (15)

Changed 2 years ago by jrandall814

Attachment: out.txt added

standard output and standard error from the sudo port install apple-pki-bundle

Changed 2 years ago by jrandall814

Attachment: install_log.txt added

log associated with the sudo port install apple-pki-bundle command

comment:1 Changed 2 years ago by essandess (Steve Smith)

I do not observe this issue with:

sudo port -s destroot apple-pki-bundle

PKI certificates are quite fixed things, so a checksum mismatch would be remarkable. Are you sure that you're actually downloading the cert?

comment:2 Changed 2 years ago by jrandall814

When I execute 'sudo port -s destroot apple-pki-bundle' there is generated the same stdout and stderr that I attached above in the first attached file (out.txt). I confess that I don't know how to verify that I am actually downloading the cert. When I simply execute 'sudo fetch apple-pki-bundle' no error is reported. And the expected as well as the calculated checksums for the AppleISTCA2G1.cer cert are reproduced identically to those in the attached install_log.txt file upon each command execution. I do note that the stdout of my 'sudo port install apple-pki-bundle' always reports that its execution begins by attempting to fetch 'apple-pki-bundle-2018-09-27_2+additional_pki_bundle+system_roots_keychain.darwin_22.noarch.tbz2' successively from each of three different repositories, i.e., https://packages.macports.org, http://fco.it.packages.macports.org and https://fra.de.packages.macports.org. And when I navigate to these URLs none of them has a variant of the sought-after file for darwin_22; the latest version in each bears the name 'apple-pki-bundle-2018-09-27_2+additional_pki_bundle+system_roots_keychain.darwin_21.noarch.tbz2'.

comment:3 Changed 2 years ago by jrandall814

In the third sentence above I meant to say 'sudo port fetch apple-pki-bundle'.

comment:4 Changed 2 years ago by essandess (Steve Smith)

Sorry, still cannot replicate with:

sudo port -s destroot apple-pki-bundle +additional_pki_bundle +system_roots_keychain

What do you see when you run this command?

openssl x509 -noout -fingerprint -sha1 -in /opt/local/var/macports/distfiles/apple-pki-bundle/AppleISTCA2G1.cer
sha1 Fingerprint=8E:83:21:CA:08:B0:8E:37:26:FE:1D:82:99:68:84:EE:B5:F0:D6:55

comment:5 Changed 2 years ago by jrandall814

output is sha1 Fingerprint=E1:50:84:CB:E7:2C:72:01:C9:F9:F1:ED:5D:B3:6E:45:DE:87:79:1B

Shouldn't one of the three repositories from which I keep attempting to fetch

'apple-pki-bundle-2018-09-27_2+additional_pki_bundle+system_roots_keychain.darwin_22.noarch.tbz2'

actually have that file available for the fetch?

comment:6 Changed 2 years ago by essandess (Steve Smith)

That's the issue. Different certs. You must be downloading the current one. I see that the one I'm downloading is expired:

openssl x509 -in /opt/local/var/macports/distfiles/apple-pki-bundle/AppleISTCA2G1.cer -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 146036 (0x23a74)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
        Validity
            Not Before: Jun 16 15:42:02 2014 GMT
            Not After : May 20 15:42:02 2022 GMT
        Subject: CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US

When I do a checksum, port grabs everything from https://distfiles.macports.org/apple-pki-bundle, not source.

sudo port clean --all apple-pki-bundle
sudo port -s checksum apple-pki-bundle +additional_pki_bundle +system_roots_keychain
…
--->  Attempting to fetch AppleISTCA2G1.cer from https://distfiles.macports.org/apple-pki-bundle

That's not correct, but I don't know what's wrong. I'll ask on macports-dev@….

Would you please run this command and verify that you have an up-to-date certificate?

openssl x509 -in /opt/local/var/macports/distfiles/apple-pki-bundle/AppleISTCA2G1.cer -text -noout

comment:7 Changed 2 years ago by jrandall814

Yes, I do:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            71:b3:ba:d2:8d:8c:26:78:f8:38:8d:ec:6f:23:7a:d5:ce:2c:30:cc
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Apple Inc., OU = Apple Certification Authority, CN = Apple Root CA
        Validity
            Not Before: Apr 28 21:38:00 2022 GMT
            Not After : May 7 00:00:00 2025 GMT
        Subject: CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
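
The comparison made across comment:6 and comment:7, as an added example that is not part of the ticket or of MacPorts: it parses the two `openssl x509 -text` dumps and reports which fields changed and whether the fresh download is a currently valid reissue under the same subject. The function names and the reference date are assumptions; matching text fields does not authenticate the file, so chain validation is still needed before new checksums are pinned.

```python
import re
from datetime import datetime, timezone
# Fields copied from the dumps in comment:6 (cached) and comment:7 (fresh download).
CACHED = """\
        Serial Number: 146036 (0x23a74)
        Issuer: C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
            Not Before: Jun 16 15:42:02 2014 GMT
            Not After : May 20 15:42:02 2022 GMT
        Subject: CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
"""
FRESH = """\
        Serial Number:
            71:b3:ba:d2:8d:8c:26:78:f8:38:8d:ec:6f:23:7a:d5:ce:2c:30:cc
        Issuer: C = US, O = Apple Inc., OU = Apple Certification Authority, CN = Apple Root CA
            Not Before: Apr 28 21:38:00 2022 GMT
            Not After : May 7 00:00:00 2025 GMT
        Subject: CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
"""
FIELDS = {"serial": r"Serial Number:\s*(.+)", "issuer": r"Issuer:\s*(.+)",
          "subject": r"Subject:\s*(.+)", "not_before": r"Not Before\s*:\s*(.+)",
          "not_after": r"Not After\s*:\s*(.+)"}

def parse_dump(text):
    """Extract identity and validity fields from `openssl x509 -text` output."""
    cert = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"{name} not found in dump")
        cert[name] = " ".join(match.group(1).split())  # collapse layout whitespace
    for key in ("not_before", "not_after"):
        when = datetime.strptime(cert[key], "%b %d %H:%M:%S %Y GMT")
        cert[key] = when.replace(tzinfo=timezone.utc)
    return cert

def triage(old, new, now):
    """Classify a checksum mismatch between a pinned cert and a fresh download."""
    changed = sorted(k for k in old if old[k] != new[k])
    if not changed:
        verdict = "same-certificate"    # fields identical: suspect encoding or corruption
    elif old["subject"] != new["subject"]:
        verdict = "different-subject"   # not the certificate the port expects
    elif not new["not_before"] <= now <= new["not_after"]:
        verdict = "reissued-not-valid"  # same name, but outside its validity window
    else:
        verdict = "reissued"            # same name, new issuer/serial/validity
    return verdict, changed

NOW = datetime(2022, 11, 12, tzinfo=timezone.utc)  # assumed: date in the fix version
print(triage(parse_dump(CACHED), parse_dump(FRESH), NOW))
```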

comment:8 Changed 2 years ago by jrandall814

I just edited my local portfile for apple-pki-bundle so that now its checksums and size for AppleISTCA2G1.cer are the values found in its local distfile. So at least I could manage to install apple-pki-bundle and its dependent, privoxy.

Changed 2 years ago by jrandall814

suggested patch

comment:9 Changed 2 years ago by essandess (Steve Smith)

Thanks. Now I have a checksum error because "source" is still being downloaded from https://distfiles.macports.org/apple-pki-bundle. I'll need some help to fix this issue.

comment:11 Changed 2 years ago by jmroot (Joshua Root)

Port: apple-pki-bundle added; apple-pki-bundle-2018-09-27_2+additional_pki_bundle+system_roots_keychain.darwin_22.noarch removed
Summary: apple-pki-bundle-2018-09-27_2+additional_pki_bundle+system_roots_keychain.darwin_22.noarch build failure- portfile/distfile discrepancy → apple-pki-bundle @2018-09-27_2+additional_pki_bundle+system_roots_keychain build failure- portfile/distfile discrepancy

comment:12 Changed 2 years ago by essandess (Steve Smith)

Resolution: fixed
Status: assigned → closed

In 8d3a43074a15c55b9ba61e8e929cd468457b6e12/macports-ports (master):

apple-pki-bundle: Update to version 2022-11-12
