CA not installed for Firefox on MacOS Big Sur #15

Open
tnyeanderson opened this issue Nov 6, 2022 · 1 comment
tnyeanderson commented Nov 6, 2022

Problem

Using command:

step certificate install --all $certpath

This works for the system trust store, but not for Firefox (or curl but I think that's a separate issue). There is no error message and exit code is 0.

When run with --firefox --no-system it still gives the "Certificate xyz has been installed" success message even though the cert is not actually added to the Firefox trust store.

May try to dig into the code and investigate if I have time this week.

Versions

Smallstep CLI v0.22.0 (installed with brew install step)

Pretty fresh Big Sur 11.7.1 installation, already logged into Firefox before running the step command.

Firefox v106.0.5

maraino (Collaborator) commented Nov 9, 2022

In case you want to investigate, we look for Firefox profiles in:

NSSProfile = os.Getenv("HOME") + "/Library/Application Support/Firefox/Profiles/*"

And then by default we use certutil (it can be installed with brew install nss) to install the cert in all profiles:

func (t *NSSTrust) Uninstall(filename string, cert *x509.Certificate) (err error) {
	forEachNSSProfile(func(profile string) {
		if err != nil {
			return
		}
		// skip if not found
		//nolint:gosec // tolerable risk necessary for function
		if err := exec.Command(t.certutilPath, "-V", "-d", profile, "-u", "L", "-n", uniqueName(cert)).Run(); err != nil {
			return
		}
		// delete certificate
		//nolint:gosec // tolerable risk necessary for function
		cmd := exec.Command(t.certutilPath, "-D", "-d", profile, "-n", uniqueName(cert))
		out, err1 := cmd.CombinedOutput()
		if err1 != nil {
			err = NewCmdError(err1, cmd, out)
		}
	})
	if err == nil {
		debug("certificate uninstalled properly from NSS security databases")
	}
	return
}
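
One way to check the symptom reported in this issue, as an added example that is not part of the thread or of step's own code: the shell function below walks the profile directory quoted above and asks certutil, per profile, whether a certificate with the given nickname is actually present, instead of trusting the success message and exit code 0. The function name, its arguments, its exit codes and the cert9.db/cert8.db lookup (with certutil's sql: and dbm: database prefixes) are assumptions of this example; the nickname must be the one the CA was stored under.

```shell
#!/bin/sh
# Added diagnostic (hypothetical helper, not part of step or truststore).
# Usage: check_nss_profiles NICKNAME [PROFILES_DIR] [CERTUTIL]
# Returns 0 only if every profile that has an NSS cert DB contains NICKNAME;
# 1 if any profile lacks it, 2 if certutil is missing, 3 if no cert DB found.
check_nss_profiles() {
    nickname=$1
    profiles_dir=${2:-"$HOME/Library/Application Support/Firefox/Profiles"}
    certutil_bin=${3:-certutil}

    # A missing certutil is one way an install can do nothing for Firefox.
    if ! command -v "$certutil_bin" >/dev/null 2>&1; then
        echo "certutil not found (brew install nss)" >&2
        return 2
    fi

    checked=0
    missing=0
    for profile in "$profiles_dir"/*; do
        [ -d "$profile" ] || continue
        # Assumption: pick the database format from the file that exists.
        if [ -f "$profile/cert9.db" ]; then
            db="sql:$profile"
        elif [ -f "$profile/cert8.db" ]; then
            db="dbm:$profile"
        else
            echo "SKIP    $profile (no cert9.db or cert8.db)"
            continue
        fi
        checked=$((checked + 1))
        # certutil -L -n exits non-zero when the nickname is not in the DB.
        if "$certutil_bin" -L -d "$db" -n "$nickname" >/dev/null 2>&1; then
            echo "PRESENT $profile"
        else
            echo "MISSING $profile"
            missing=$((missing + 1))
        fi
    done

    # No profile with a cert DB means there was nothing to install into.
    if [ "$checked" -eq 0 ]; then
        echo "no NSS certificate databases under $profiles_dir" >&2
        return 3
    fi
    [ "$missing" -eq 0 ]
}
```

Run `certutil -L -d "sql:<profile>"` on one profile first to see which nicknames exist, then pass the CA's nickname to the function.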
