Hi,
Please allow me to add some more details. Also posting to the TF-A list, as all tf.org repositories are affected.
The root cause of this issue is OpenSSH dropping support for SHA-1 RSA signatures with the 8.8 release, and thus any OS (or git client) coming with a recent version is affected. I.e. the newest git for windows is affected too, and so are “top notch” Linux distributions like Arch.
For details see the “Potentially-incompatible changes” chapter here: https://www.openssh.com/releasenotes.html
As the above page states “Incompatibility is more likely when connecting to older SSH implementations…”, and thus a server-side update would eliminate the problem. Till that happens the page above list multiple client-side workarounds. (It is possible to amend the ssh config in a way that fixes all repositories.)
/George
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Kevin Townsend via TF-M Sent: December 15, 2021 13:06 To: Thomas Törnblom via TF-M tf-m@lists.trustedfirmware.org Subject: [TF-M] Tip on cloning TF-M on OS X Monterey
I recently switched to a new MBP that ships with OS X Monterey, and on both 12.0 and 12.1 (released this week) git clone seems to be broken when you're using HTTP rather than SSH:
digital envelope routines:CRYPTO_internal:bad key length
In order to clone TF-M, I had to make the following changes.
1. Add these details to $HOME/.ssh/config (microbuilder being my github username, associated with my TF-M account):
Host trustedfirmware.orghttp://trustedfirmware.org User microbuilder Hostname review.trustedfirmware.orghttp://review.trustedfirmware.org Port 29418 IdentityFile ~/.ssh/id_rsa IdentitiesOnly yes
2. Then try to clone with: $ git clone trustedfirmware.org:/TF-M/trusted-firmware-m.git
This fails, however, since it tries to clone tf-m-tests.git, so:
3. Edit lib/ext/tf-m-tests/fetch_repo.cmake, changing:
FetchContent_Declare(tfm_test_repo GIT_REPOSITORY trustedfirmware.org:TF-M/tf-m-tests.git # GIT_REPOSITORY https://git.trustedfirmware.org/TF-M/tf-m-tests.git GIT_TAG ${TFM_TEST_REPO_VERSION} GIT_PROGRESS TRUE )
This let me at least clone TF-M until the issues with HTTP-based cloning are fixed.
Hope this is useful to someone else working on OS X natively.
Kevin
tf-a@lists.trustedfirmware.org