Hi,

 

Please allow me to add some more details. Also posting to the TF-A list, as all tf.org repositories are affected.


The root cause of this issue is OpenSSH dropping support for SHA-1 RSA signatures with the 8.8 release, and thus any OS (or git client) coming with a recent version is affected. I.e. the newest Git for Windows is affected too, and so are “top notch” Linux distributions like Arch.

 

For details see the “Potentially-incompatible changes” chapter here: https://www.openssh.com/releasenotes.html

 

As the above page states “Incompatibility is more likely when connecting to older SSH implementations…”, and thus a server-side update would eliminate the problem. Till that happens the page above lists multiple client-side workarounds. (It is possible to amend the ssh config in a way that fixes all repositories.)

 

/George
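
An added example (not from either poster or from the project): POSIX shell helpers that tell whether a client is at OpenSSH 8.8 or later, check `ssh -G` output for the legacy `ssh-rsa` algorithm, and print the per-host stanza given in the OpenSSH 8.8 release notes. The function names and the `--check` argument are assumptions made for this example; the host name is the one used in the config quoted below.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and --check are assumptions.

# ssh_drops_rsa_sha1 BANNER: succeeds if the `ssh -V` banner is OpenSSH >= 8.8,
# the release that disabled RSA/SHA-1 ("ssh-rsa") signatures by default.
# Returns 2 when the banner cannot be parsed.
ssh_drops_rsa_sha1() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 8 ]; }
}

# accepts_ssh_rsa KEYWORD: reads `ssh -G <host>` output on stdin and succeeds
# only if the exact list item "ssh-rsa" is present for KEYWORD. Items such as
# rsa-sha2-256 or ssh-rsa-cert-v01@openssh.com do not count.
accepts_ssh_rsa() {
    awk -v k="$1" '$1 == k { print $2 }' | tr ',' '\n' | grep -qx 'ssh-rsa'
}

# scoped_stanza HOST_PATTERN: prints the per-host workaround from the OpenSSH
# 8.8 release notes. Host patterns match the name typed on the command line,
# so pass the alias you actually use. Scoping the stanza to one host keeps
# SHA-1 signatures disabled for every other server.
scoped_stanza() {
    printf 'Host %s\n' "$1"
    printf '    HostkeyAlgorithms +ssh-rsa\n'
    printf '    PubkeyAcceptedAlgorithms +ssh-rsa\n'
}

# Optional live check: sh thisfile.sh --check review.trustedfirmware.org
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    if ssh_drops_rsa_sha1 "$(ssh -V 2>&1)"; then
        for kw in hostkeyalgorithms pubkeyacceptedalgorithms; do
            ssh -G "$2" | accepts_ssh_rsa "$kw" || echo "$kw: ssh-rsa is off for $2"
        done
        echo "Stanza to add to ~/.ssh/config if the server cannot be updated:"
        scoped_stanza "$2"
    else
        echo "Client predates OpenSSH 8.8 (or banner not recognised); no change needed."
    fi
fi
```

Remove the stanza again once the server accepts rsa-sha2 signatures or the account uses a non-RSA key.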

 

 

From: TF-M <tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Kevin Townsend via TF-M
Sent: December 15, 2021 13:06
To: Thomas Törnblom via TF-M <tf-m@lists.trustedfirmware.org>
Subject: [TF-M] Tip on cloning TF-M on OS X Monterey

 

I recently switched to a new MBP that ships with OS X Monterey, and on both 12.0 and 12.1 (released this week) git clone seems to be broken when you're using HTTP rather than SSH:

 

digital envelope routines:CRYPTO_internal:bad key length

 

In order to clone TF-M, I had to make the following changes.

 

1. Add these details to $HOME/.ssh/config (microbuilder being my github username, associated with my TF-M account):

 

Host trustedfirmware.org
  User microbuilder
  Hostname review.trustedfirmware.org
  Port 29418
  IdentityFile ~/.ssh/id_rsa
  IdentitiesOnly yes

 

2. Then try to clone with:

$ git clone trustedfirmware.org:/TF-M/trusted-firmware-m.git

 

This fails, however, since it tries to clone tf-m-tests.git, so:

 

3. Edit lib/ext/tf-m-tests/fetch_repo.cmake, changing:

 

    FetchContent_Declare(tfm_test_repo
        GIT_REPOSITORY trustedfirmware.org:TF-M/tf-m-tests.git
        # GIT_REPOSITORY https://git.trustedfirmware.org/TF-M/tf-m-tests.git
        GIT_TAG ${TFM_TEST_REPO_VERSION}
        GIT_PROGRESS TRUE
    )

 

This let me at least clone TF-M until the issues with HTTP-based cloning are fixed.

 

Hope this is useful to someone else working on OS X natively.

 

Kevin