darwin: Git LFS improperly adds certificates that cause SSL validation to fail

[stanhu]

Describe the bug

In our organization (example.org), we use the Jamf endpoint management system, which adds a self-signed SSL certificate with the CN:

CN=example.org JSS Built-in Certificate Authority

This causes SSL validation to fail when accessing Git LFS on example.org:

Post "https://example.org/group/project/info/lfs/locks/verify": x509: certificate signed by unknown authority

This is happening because:

1. When accessing example.org endpoints, Git LFS checks if there are any custom certificates to trust for that host.
2. It calls appendRootCAsForHostFromKeychain with the hostname example.org.
3. This function executes /usr/bin/security find-certificate -a -p -c example.org <keychain>, which performs a substring match on the Common Name.
4. If the System keychain contains a certificate with CN example.org JSS Built-in Certificate Authority, this gets returned by the fuzzy match.
5. Git LFS then adds this CA certificate to the trust store for connections to example.org.
6. When connecting to the real example.org, Git LFS is now trying to validate the official TLS certificate against this self-signed JAMF CA certificate, which will always fail.

To Reproduce

Steps to reproduce the behavior:

1. Install a self-signed cert that has a matching Git LFS server hostname in the CN.
2. Attempt to pull or push LFS files.

System environment

macOS

Output of git lfs env

git-lfs/3.6.1 (GitHub; darwin arm64; go 1.23.4)
git version 2.49.0

Endpoint=https://github.com/git-lfs/git-lfs.git/info/lfs (auth=none)
LocalWorkingDir=/Users/stanhu/github/git-lfs
LocalGitDir=/Users/stanhu/github/git-lfs/.git
LocalGitStorageDir=/Users/stanhu/github/git-lfs/.git
LocalMediaDir=/Users/stanhu/github/git-lfs/.git/lfs/objects
LocalReferenceDirs=
TempDir=/Users/stanhu/github/git-lfs/.git/lfs/tmp
ConcurrentTransfers=8
TusTransfers=false
BasicTransfersOnly=false
SkipDownloadErrors=false
FetchRecentAlways=false
FetchRecentRefsDays=7
FetchRecentCommitsDays=0
FetchRecentRefsIncludeRemotes=true
PruneOffsetDays=3
PruneVerifyRemoteAlways=false
PruneVerifyUnreachableAlways=false
PruneRemoteName=origin
LfsStorageDir=/Users/stanhu/github/git-lfs/.git/lfs
AccessDownload=none
AccessUpload=none
DownloadTransfers=basic,lfs-standalone-file,ssh
UploadTransfers=basic,lfs-standalone-file,ssh
GIT_APPEND_BUILD_OPTIONS=LIBPCREDIR=/opt/homebrew/opt/pcre2
GIT_EXEC_PATH=/opt/homebrew/opt/git/libexec/git-core
git config filter.lfs.process = "git-lfs filter-process"
git config filter.lfs.smudge = "git-lfs smudge -- %f"
git config filter.lfs.clean = "git-lfs clean -- %f"

Additional context

It isn't possible to make security find-certificate return a strict match, but we can make the Git LFS code perform filtering: #6037

[stanhu]

Alternatively, we can modify AppendCertsFromPEM to check the hostname. I don't see any other callers of that method.

UPDATE: It is used by appendCertsFromPEMData, so it's a bit more disruptive.

[chrisd8088]

@stanhu — I started a review of PR #6037 (which is beautifully written!), and prompted by your own comment, was led to investigate why we need to run /usr/bin/security find-certificate on macOS at all. Surely Git and curl don't bother to do this?

And indeed, they do not. We introduced this design back in 2016 in PRs #1787 and #1839 as a workaround for the behaviour of the Go crypto/x509 package at the time, which in Go v1.7 sometimes only verified TLS/SSL certificates against the certificate authorities found in the macOS SystemRootCertificates keychain and not the System or local keychains, depending on whether you compiled with cgo enabled and were running a macOS version newer than 10.8 (Mountain Lion) or not. This problem was reported in golang/go#14514 and golang/go#16532, and eventually resolved by the time of Go v1.9.

I'm still drafting PR #6049, which removes this legacy behaviour in the Git LFS client, and will include some notes on the testing I've been able to do on my own macOS system.

Still, I would really appreciate it if you can download the compiled git-lfs binary from the macOS artifact produced by that PR's CI jobs and try it on your system to see if it resolves the problem reported in this issue.

The binary should be in the macos-latest Zip archive available from the "Artifacts" section at the bottom of the CI job run's Summary page. If you're able to install the git-lfs binary, or reference it directly by setting your PATH to find it, and then test your particular use case with it and report the results, that would be extremely helpful!

Thank you again for reporting this issue and for writing up such a detailed and thoughtful PR!

[stanhu]

@chrisd8088 Awesome, thank you so much! The code looks good to me. I didn't understand why this platform-specific code was there, but now that you mentioned it I remember having to do similar workarounds with Windows a long time ago.

That being said, I'm having trouble reproducing my original problem because our IT department pushed out a workaround that manually adds the working certificate to the chain.

I've tried to add a non-trusted, self-signed CA with a matching CN into my macOS Keychain, but somehow LFS manages to use the SSL CA path fallback and validate everything properly. I'll have to keep investigating how to reproduce the issue.

Still, I downloaded the git-lfs binary in the CI artifact, and it seems to work fine for me.

[chrisd8088]

That being said, I'm having trouble reproducing my original problem because our IT department pushed out a workaround that manually adds the working certificate to the chain.

Ha! Well, I'm glad the problem is fixed for you, at least, one way or another. :-)

Thanks for trying to reproduce the problem, though, and for testing the binary!

[stanhu]

@chrisd8088 Ok, I validated this new binary works properly. It turns out I had symlinked git-lfs to my test version with #6037, so that's why I wasn't able to reproduce it. 😄

I simply had to install a self-signed root with my domain with the CN example.org Test. Just for good measure, I set the GIT_SSL_CAPATH and GIT_SSL_CAINFO to non-existent paths.

With git-lfs v3.6.1, I get the tls: failed to verify certificate: x509: certificate signed by unknown authority error, but with the git-lfs in the CI artifact, it works fine.

[chrisd8088]

With git-lfs v3.6.1, I get the tls: failed to verify certificate: x509: certificate signed by unknown authority error, but with the git-lfs in the CI artifact, it works fine.

Yay! Thank you very much, that's great to hear. It also saves me from testing it myself this way. I've done some "reverse" testing to confirm that Go's default certificate verification definitely gathers CA certificates from the System keychain, as one would expect, and is able to verify server certificates which depend on those CAs. But I hadn't yet set up an invalid CA certificate which would be incorrectly matched by Git LFS.

Thanks again so much for both the bug report and the proposed fix!