`rig resolve` generates a rustls warning on macOS Sonoma #278

jabenninghoff · 2025-04-19T16:14:20Z

Running rig resolve generates a warning. This warning does not appear on my laptop running macOS Sequoia, but does generate the warning on macOS Sonoma 14.7.5 (which is still supported).

$ rig --version
RIG -- The R Installation Manager 0.7.1
$ rig resolve release
[WARN] rustls failed to parse DER certificate InvalidCertificate(BadEncoding) Certificate(b"0\x82\x02\xfb0\x82\x01\xe3\xa0\x03\x02\x01\x02\x02\x01\x010\x0b\x06\t*\x86H\x86\xf7\r\x01\x01\x0b0,1\x1d0\x1b\x06\x03U\x04\x03\x0c\x14com.apple.servermgrd1\x0b0\t\x06\x03U\x04\x06\x13\x02US0\x1e\x17\r110928001016Z\x17\r120927001016Z0,1\x1d0\x1b\x06\x03U\x04\x03\x0c\x14com.apple.servermgrd1\x0b0\t\x06\x03U\x04\x06\x13\x02US0\x82\x01\"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\0\x03\x82\x01\x0f\00\x82\x01\n\x02\x82\x01\x01\0\xc0\xf6\xb9,\x94\xc24\xd5X\xfdca\xe1Y\x7f\x8a\xeb\x80\x18\xf3\x8dH'^\xf5\\c\xe93M\xdb-\x1b]\xd3\x9a\xa3q\x85\x16|\xf8|\xd0\xc6\xce$W\xa4ZH]\x9dwW\xbf,\xfc\xadx\x82\xc7\xf5\xd2\x82\xb0\xb3\xe3*5\xed\x02\xd9\xe7\t%#\xdc\xde\xc1\"\x97\x83\x0f'\xa2z\xf0\xca:\x88\x98\xc1\x01\xafC\xa8$\xa3\xfcw\x98\xd0\x95A\x85\xadg\xd3\xf2o\xae9\x08%\xa3~\x19\x0e,\x8e2\x1f\x90`\x99\xd2\xfd\x94\xcd\xd8\x06<|\xbc\x91\xd0\xcf\xb0\xb1\xe7*\xce\x8dE\tVc\xe3\x9b\xa3\xb2\x8b\x9f\xdbV\xcaW':\xfdhT\xf7\xd5\x89l,z\xff+\xd2\x0eK\x19\x19\xf1r\xdf\xd5\x10\xef&\x92\xd5=\xd6/\xc6\x86\xbd\x85oPg\x87\xa4\x8br6\xe6\x13\x96\x92\xc1\xfd&u\0\xa4\xc3+\xd02h\xc9\xf2\xd43\x8d\x1fR`\xffb\x81@\x95\xa1vZTBghrXw\xa1,\xbcn\x9d\x19\xf17\xdc\xe9\x81\x05\xad\x9a-!\xd7\x03\x02\x03\x01\0\x01\xa3*0(0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x07\x800\x16\x06\x03U\x1d%\x01\x01\xff\x04\x0c0\n\x06\x08+\x06\x01\x05\x05\x07\x03\x010\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\0\x03\x82\x01\x01\0\xbc\xf5Uuj\x86\xb62?|\x87QT\xb5\xcbZ,r\x97\xaaF}\x8ey\x7f\x99\xcc\x13U\x91\r{\xd1z ~\xe4M\x18\x14r?O=\xd7\xc8&\x1e\xfdnk\xb3\xc9N\xb1\xfa5\xa2r\x06\xcb\xca\x98\xa0\x9a\xe7\x14\x16\x1as\xdc\xba,\xd6\xb8I\x10\x04~\xa4\xb8Y\xb0\xa2i\x19r\xc92\xab\xb6>\x12\xb5\xdd\xd7\x010u>yb`t\x07\x13\x9c2\xa7\xca1gMc>\xf7/\xc1]\x850\x9f\x8b<\r\x8b\xd8c\x06\xaf\xf7\xda\nG\xe5\x9b\x89~\xbd\xc6\x13\xbcM\xe7x+\xc2\x14\x06\x82\x83w\xd8}\xc4\xf4\x90\xa5\xc6$'\xf4\xdd'\xfd\xe3o\xe2\xf8s:\xfe7\x99c]\xd6\x89B\xb0\x90c\x1f\x16hx\x8bV\xdf\x07T\xc38\xdc\x06\xa3K=\x99\xf8n\xa0\x02\xc7\xa03\xa7#\x1a\xf9\rL\xde\x9e\xb9\x97\0\xbb\xc0\t\xa4\x02Cx2j\xdb7\\\xfcS\xc5\xde\xc65\xb7\xee\x81n\x8f.\xa4y\xfa\xba\x89\xa2t\xd7\xe7\x06u\x94\xde\xa8N")
[WARN] rustls failed to parse DER certificate InvalidCertificate(BadEncoding) Certificate(b"0\x82\x02\xfb0\x82\x01\xe3\xa0\x03\x02\x01\x02\x02\x01\x010\x0b\x06\t*\x86H\x86\xf7\r\x01\x01\x0b0,1\x1d0\x1b\x06\x03U\x04\x03\x0c\x14com.apple.servermgrd1\x0b0\t\x06\x03U\x04\x06\x13\x02US0\x1e\x17\r111003031151Z\x17\r121002031151Z0,1\x1d0\x1b\x06\x03U\x04\x03\x0c\x14com.apple.servermgrd1\x0b0\t\x06\x03U\x04\x06\x13\x02US0\x82\x01\"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\0\x03\x82\x01\x0f\00\x82\x01\n\x02\x82\x01\x01\0\xc0\x8f\x7f\0\x89gS\n\xcf \x9d\x89\xca m\xb1y\xae\t\xa0[\xd2\x93\xaaT*2\xe0\x0b6\x8b\xb7\xab\x92i\xb9\xeb9P\x9a\x0e\x92KH\xa8W\xb6jnM;\xf8A\x9c8\x0b{\xbb+\x9dB<)\xf1\xdd\x1f\0\x06\xe4\xf1\x07s\x97\xcc\xe2\xf9\x82\xa6i\xa1\xbc<L\xf8#^\xdc\x80$nZB\x9d\xbe\xa9\xec\x1e^\x9a\xc8\x04\xf1\x01\xb4\xbc\xe8f\xf9\x9ej\xcf\xc6e\x96\xe2\xa4)\xac\xd4\xd3]6\x97\xb3x\xc4\x86\xa4\x05\x07@\x921\x8d\xbd\x9bii\xe2\t\xc9\xf7\x96\x11\x1a\x8c\xa0K\xa0\x1a\xb8\xf4\xc3\x93o\x8f\x13\x19\x0cO\xcb3$zr\xc4\xe1\x8e\x0em\xaf\x0e\t6\x15O \xe7\x9b\x10H`\xba\x9e\xac\xa4\x87\xe2\x18\xb5w.\xe5\0F\xcd\xba\x85@\xa0\x06]M\xf1\xe0\x1ax\x19!\xe3b\x05\xf3|<\xc7\xfcg\xeb7\x99\x07(\x11\x1a#n\xfaI\x05\xb0nv\xcbW\xac\x1a\xc1\x0e\x13\x8c\xa0_\xd5!\x8fI\xbb\xcd@\xf4J\x0e\xac\x01\xe9\x02\x03\x01\0\x01\xa3*0(0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x07\x800\x16\x06\x03U\x1d%\x01\x01\xff\x04\x0c0\n\x06\x08+\x06\x01\x05\x05\x07\x03\x010\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\0\x03\x82\x01\x01\0\x1b\xb65z+\x0e\xdaH]\xc1\x05\x87\x94\0n\xdb\x9fxq\xe0\x92Ft$R\xa5\x83\xf1\xf8e\xb7\x08\xad\xe7j,\r(\x1a\x94z\x10\xd1X\xee0^#\t\xf4\x90\xbfuD\x03\xf4!\xcf\xde\xaf\xc5\x85\xc3\xb0\x17f\xc8\xd4\x99\xdf\x88\xac\n\xe0R?o8\t\x18r\x0c\xaf\xa7g\xb9\xab\x9e\xeau~h\xc2\xfc\xa7\xa5?L\xbe(\xaav\x1e\x98\x8d\x91bAD\xb9\x1c\xf5C\xa8\xba^\x95\x88\x9d$E]}8\xd2\xf0\xf6\xf8\x0b\x19!~\x8a\x96Mv\xbc\xff\xa4ER\xa8W\x11\xa2P\x85\x16\xad\xd7\xfe\xdc\xc1\xca\xa5\x1d\x88:\x12H/E78\xf6I\x1c\xad\x9b!\xdaHR\xc8R@\xeb /\xd2x\xd3]#H\xc4=5\x1b\x05\xb5\x93\xde\xb9\xe3x\x9aT\xde\xd7\x18\xe8'\xc7\t**+\x7f\x89`\xad\xa7\x8d\x07\xd4\x85$\x7f\xa8P\x82\x1e\xec\x1c\xbbn\xa0\xb2X>\xc05{\xa7t\xab\x18\xa4m|}1\xa6\xc9\xd8~\xe0\xa1]\xec\xfa\xd83\x10V")
4.5.0 https://cran.rstudio.com/bin/macosx/big-sur-x86_64/base/R-4.5.0-x86_64.pkg

The text was updated successfully, but these errors were encountered:

jabenninghoff · 2025-04-26T15:06:00Z

Update: this seems to be related to the upgrade history of the macO 8000 S device. I have 3 different experiences across my 3 macOS systems:

Newest system, shipped with macOS 15 (Sequoia): no issues
Older system, upgraded to macOS 15 (Sequoia): issue above, rig generates a warning
Oldest system, upgraded to macOS 15 (Sequoia): fails, error below

$ rig resolve release
thread 'main' panicked at /Users/gaborcsardi/.cargo/registry/src/index.crates.io-6f17d22bba15001f/reqwest-0.11.27/src/async_impl/client.rs:1713:38:
Client::new(): reqwest::Error { kind: Builder, source: Custom { kind: Other, error: Error { code: -25262, message: "The Trust Settings Record was corrupted." } } }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Reverting to rig 0.7.0 resolves the issue for (3).

jabenninghoff · 2025-05-06T03:06:23Z

Update: I was able to fix both the panic ("The Trust Settings Record was corrupted.") and the warnings (rustls failed to parse DER certificate) by locating and deleting the offending certificates using Keychain Access, with help from vercel/turborepo#8330.

What I learned:

The issue is in rustls-native-certs, which will cause a panic if there is a "bad" certificate on the keychain. Thanks to a referenced Stack Exchange article, I was able to identify the offending cert using /usr/bin/security dump-trust-settings -d and delete it with Keychain Access with Show Expired Certificates on. The bad certificate reported as SecTrustSettingsCopyTrustSettings: The Trust Settings Record was corrupted. using security.
I was able to identify and remove the failed to parse DER certificate warning by finding and deleting the named certificates in the Keychain.
rustls-native-certs recommends using rustls-platform-verifier instead

TL;DR adding rustls-native-certs causes rig to fail or issue warnings if there are one or more "bad" certificates in the macOS keychain. I would expect that these would simply be ignored.

Would it be possible to try switching to rustls-platform-verifier? I exported and saved copies of the bad certificates and would be happy to test a new version.

jabenninghoff changed the title ~~rig resolve generates a rustls warning~~ rig resolve generates a rustls warning on macOS Sonoma Apr 19, 2025

gaborcsardi added the bug an unexpected problem or unintended behavior label May 8, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

`rig resolve` generates a rustls warning on macOS Sonoma #278

`rig resolve` generates a rustls warning on macOS Sonoma #278

Uh oh!

Uh oh!

rig resolve generates a rustls warning on macOS Sonoma #278

rig resolve generates a rustls warning on macOS Sonoma #278

Comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

`rig resolve` generates a rustls warning on macOS Sonoma #278

`rig resolve` generates a rustls warning on macOS Sonoma #278