Description
Bug
The certificate fingerprint comparison in register.sh (line 39) never matches, causing the script to re-add the certificate to the System keychain and prompt for sudo on every invocation — even when the cert is already trusted.
Root cause
The check compares output from two commands that use incompatible formats:
if security find-certificate -c "localhost" -a -Z | grep -q "$(openssl x509 -in "$CERT_PATH" -fingerprint -noout | cut -d= -f2)"; then
openssl x509 -fingerprint -noout (LibreSSL 3.3.6 on macOS) produces a colon-separated SHA-1 hash:
SHA1 Fingerprint=E1:59:85:CF:72:45:2E:D0:38:80:85:F5:1E:54:C0:79:76:6D:ED:FE
After cut -d= -f2, the grep pattern becomes: E1:59:85:CF:72:45:...
Meanwhile, security find-certificate -Z outputs hashes without colons:
SHA-256 hash: 96573A0BF58E77801B5C385DF184D0457C8DD40F2D76D5FAFCAAC2C4263D190C
SHA-1 hash: E15985CF72452ED0388085F51E54C079766DEDFE
The colon-separated string will never match the non-colon string, so the check always falls through to the else branch.
Impact
Users are prompted for their password via sudo on every run of register.sh, even when the certificate is already in the System keychain.
Suggested fix
Strip colons from the openssl output before comparing:
CERT_FINGERPRINT=$(openssl x509 -in "$CERT_PATH" -fingerprint -sha1 -noout | cut -d= -f2 | tr -d ':')
if security find-certificate -c "localhost" -a -Z | grep -qi "$CERT_FINGERPRINT"; then
Or use security verify-cert to check trust status directly:
if security verify-cert -c "$CERT_PATH" -p ssl 2>/dev/null; then
Environment
- macOS (LibreSSL 3.3.6)
- /bin/bash 3.2
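To show the mismatch and the normalised comparison from the suggested fix end to end, here is an added bash example; it is not part of the project's register.sh. The two tool outputs are constructed strings that mirror the formats quoted above, so the script runs without calling openssl or security. It goes one step beyond the suggested fix by comparing against the exact SHA-1 line of the keychain listing instead of a substring grep.

```bash
#!/usr/bin/env bash
# Added example, not the project's register.sh. It reproduces the mismatch
# described in the issue and shows the normalised comparison that fixes it.
# Both outputs below are constructed to mirror the formats quoted in the
# issue, so no openssl or security binary is invoked.

OPENSSL_OUT='SHA1 Fingerprint=E1:59:85:CF:72:45:2E:D0:38:80:85:F5:1E:54:C0:79:76:6D:ED:FE'
SECURITY_OUT='SHA-256 hash: 96573A0BF58E77801B5C385DF184D0457C8DD40F2D76D5FAFCAAC2C4263D190C
SHA-1 hash: E15985CF72452ED0388085F51E54C079766DEDFE'

# The pattern the buggy check builds: still colon-separated, so it never matches.
naive_pattern() {
    printf '%s\n' "$1" | cut -d= -f2
}

# Normalised pattern: drop the label, strip the colons, force upper case.
fixed_pattern() {
    printf '%s\n' "$1" | cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Pull only the SHA-1 value out of `security find-certificate -Z` output.
keychain_sha1() {
    printf '%s\n' "$1" | sed -n 's/^SHA-1 hash: //p'
}

# Returns 0 when the keychain listing's SHA-1 equals the fingerprint, 1 otherwise.
# An exact comparison on that one line avoids an accidental substring hit.
keychain_has_fp() {
    if [ -n "$2" ] && [ "$(keychain_sha1 "$1")" = "$2" ]; then
        return 0
    fi
    return 1
}

main() {
    if keychain_has_fp "$SECURITY_OUT" "$(naive_pattern "$OPENSSL_OUT")"; then
        echo "naive check: match"
    else
        echo "naive check: no match (the bug: sudo prompt every run)"
    fi
    if keychain_has_fp "$SECURITY_OUT" "$(fixed_pattern "$OPENSSL_OUT")"; then
        echo "fixed check: match, certificate already trusted, skip sudo"
    else
        echo "fixed check: no match"
    fi
}

main "$@"
```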