[release/13.2] Updated to cache pfx dev certs on Windows and Linux to avoid binary level changes between runs (#15774)

aspire-repo-bot[bot] · danegsta · Copilot · web-flow · commit 25961cf7043e · 2026-04-06T11:49:06.000-07:00
* Updated to cache pfx dev certs on Windows and Linux to avoid binary changes in persistent container usage

* Fix garbled line

* Update src/Aspire.Hosting/DeveloperCertificateService.cs

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

---------

Co-authored-by: David Negstad &lt;David.Negstad@microsoft.com&gt;
Co-authored-by: David Negstad &lt;50252651+danegsta@users.noreply.github.com&gt;
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/src/Aspire.Hosting/DeveloperCertificateService.cs b/src/Aspire.Hosting/DeveloperCertificateService.cs
@@ -193,7 +193,7 @@ private static IEnumerable<X509Certificate2> FindDevCertificates(X509Store store
     }
 
     // Well-known location on disk where dev-cert key material is cached on macOS.
-    private static readonly string s_macOSUserDevCertificateLocation = Path.Combine(
+    private static readonly string s_userDevCertificateLocation = Path.Combine(
         Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), ".aspire", "dev-certs", "https");
 
     private static readonly SemaphoreSlim s_certificateCacheSemaphore = new(1, 1);
@@ -257,13 +257,12 @@ private static IEnumerable<X509Certificate2> FindDevCertificates(X509Store store
         CancellationToken cancellationToken)
     {
         char[]? pemKey = null;
-        var keyFileName = Path.Join(s_macOSUserDevCertificateLocation, $"{lookup}.key");
+        var keyFileName = Path.Join(s_userDevCertificateLocation, $"{lookup}.key");
 
+        // We only cache PEM certificates on MacOS to avoid repeated keychain prompts.
+        // There's no concern of binary differences for PEM certs with persistent containers.
         if (OperatingSystem.IsMacOS() && certificate.IsAspNetCoreDevelopmentCertificate())
         {
-            // On macOS, we cache development certificate key material to avoid triggering repeated
-            // keychain prompts when referencing the development certificate key. We don't do this
-            // for other OSes or other certificates.
             try
             {
                 if (File.Exists(keyFileName))
@@ -316,7 +315,7 @@ private static IEnumerable<X509Certificate2> FindDevCertificates(X509Store store
                 // On macOS, cache the development certificate key material
                 try
                 {
-                    Directory.CreateDirectory(s_macOSUserDevCertificateLocation, UnixFileMode.UserExecute | UnixFileMode.UserWrite | UnixFileMode.UserRead);
+                    Directory.CreateDirectory(s_userDevCertificateLocation, UnixFileMode.UserExecute | UnixFileMode.UserWrite | UnixFileMode.UserRead);
 
                     await File.WriteAllTextAsync(keyFileName, new string(pemKey), cancellationToken).ConfigureAwait(false);
                 }
@@ -336,12 +335,12 @@ private static IEnumerable<X509Certificate2> FindDevCertificates(X509Store store
         string lookup)
     {
         byte[]? pfxBytes = null;
-        var pfxFileName = Path.Join(s_macOSUserDevCertificateLocation, $"{lookup}.pfx");
+        var pfxFileName = Path.Join(s_userDevCertificateLocation, $"{lookup}.pfx");
 
-        if (OperatingSystem.IsMacOS() && certificate.IsAspNetCoreDevelopmentCertificate())
+        // We cache PFX dev certs for all OSes to ensure consistent binary output for persistent containers
+        // in addition to avoiding repeated keychain prompts on MacOS.
+        if (certificate.IsAspNetCoreDevelopmentCertificate())
         {
-            // On macOS, we cache development certificate key material to avoid triggering repeated
-            // keychain prompts when referencing the development certificate key.
             try
             {
                 if (File.Exists(pfxFileName))
@@ -367,11 +366,18 @@ private static IEnumerable<X509Certificate2> FindDevCertificates(X509Store store
         {
             pfxBytes = certificate.Export(X509ContentType.Pfx, password);
 
-            if (pfxBytes is not null && OperatingSystem.IsMacOS() && certificate.IsAspNetCoreDevelopmentCertificate())
+            if (pfxBytes is not null && certificate.IsAspNetCoreDevelopmentCertificate())
             {
                 try
                 {
-                    Directory.CreateDirectory(s_macOSUserDevCertificateLocation, UnixFileMode.UserExecute | UnixFileMode.UserWrite | UnixFileMode.UserRead);
+                    if (OperatingSystem.IsWindows())
+                    {
+                        Directory.CreateDirectory(s_userDevCertificateLocation);
+                    }
+                    else
+                    {
+                        Directory.CreateDirectory(s_userDevCertificateLocation, UnixFileMode.UserExecute | UnixFileMode.UserWrite | UnixFileMode.UserRead);
+                    }
 
                     File.WriteAllBytes(pfxFileName, pfxBytes);
                 }

Original file line number	Diff line number	Diff line change
`@@ -193,7 +193,7 @@ private static IEnumerable<X509Certificate2> FindDevCertificates(X509Store store`
`193`	`193`	`}`
`194`	`194`
`195`	`195`	`// Well-known location on disk where dev-cert key material is cached on macOS.`
`196`		`- private static readonly string s_macOSUserDevCertificateLocation = Path.Combine(`
	`196`	`+ private static readonly string s_userDevCertificateLocation = Path.Combine(`
`197`	`197`	`Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), ".aspire", "dev-certs", "https");`
`198`	`198`
`199`	`199`	`private static readonly SemaphoreSlim s_certificateCacheSemaphore = new(1, 1);`
`@@ -257,13 +257,12 @@ private static IEnumerable<X509Certificate2> FindDevCertificates(X509Store store`
`257`	`257`	`CancellationToken cancellationToken)`
`258`	`258`	`{`
`259`	`259`	`char[]? pemKey = null;`
`260`		`- var keyFileName = Path.Join(s_macOSUserDevCertificateLocation, $"{lookup}.key");`
	`260`	`+ var keyFileName = Path.Join(s_userDevCertificateLocation, $"{lookup}.key");`
`261`	`261`
	`262`	`+ // We only cache PEM certificates on MacOS to avoid repeated keychain prompts.`
	`263`	`+ // There's no concern of binary differences for PEM certs with persistent containers.`
`262`	`264`	`if (OperatingSystem.IsMacOS() && certificate.IsAspNetCoreDevelopmentCertificate())`
`263`	`265`	`{`
`264`		`- // On macOS, we cache development certificate key material to avoid triggering repeated`
`265`		`- // keychain prompts when referencing the development certificate key. We don't do this`
`266`		`- // for other OSes or other certificates.`
`267`	`266`	`try`
`268`	`267`	`{`
`269`	`268`	`if (File.Exists(keyFileName))`
`@@ -316,7 +315,7 @@ private static IEnumerable<X509Certificate2> FindDevCertificates(X509Store store`
`316`	`315`	`// On macOS, cache the development certificate key material`
`317`	`316`	`try`
`318`	`317`	`{`
`319`		`- Directory.CreateDirectory(s_macOSUserDevCertificateLocation, UnixFileMode.UserExecute \| UnixFileMode.UserWrite \| UnixFileMode.UserRead);`
	`318`	`+ Directory.CreateDirectory(s_userDevCertificateLocation, UnixFileMode.UserExecute \| UnixFileMode.UserWrite \| UnixFileMode.UserRead);`
`320`	`319`
`321`	`320`	`await File.WriteAllTextAsync(keyFileName, new string(pemKey), cancellationToken).ConfigureAwait(false);`
`322`	`321`	`}`
`@@ -336,12 +335,12 @@ private static IEnumerable<X509Certificate2> FindDevCertificates(X509Store store`
`336`	`335`	`string lookup)`
`337`	`336`	`{`
`338`	`337`	`byte[]? pfxBytes = null;`
`339`		`- var pfxFileName = Path.Join(s_macOSUserDevCertificateLocation, $"{lookup}.pfx");`
	`338`	`+ var pfxFileName = Path.Join(s_userDevCertificateLocation, $"{lookup}.pfx");`
`340`	`339`
`341`		`- if (OperatingSystem.IsMacOS() && certificate.IsAspNetCoreDevelopmentCertificate())`
	`340`	`+ // We cache PFX dev certs for all OSes to ensure consistent binary output for persistent containers`
	`341`	`+ // in addition to avoiding repeated keychain prompts on MacOS.`
	`342`	`+ if (certificate.IsAspNetCoreDevelopmentCertificate())`
`342`	`343`	`{`
`343`		`- // On macOS, we cache development certificate key material to avoid triggering repeated`
`344`		`- // keychain prompts when referencing the development certificate key.`
`345`	`344`	`try`
`346`	`345`	`{`
`347`	`346`	`if (File.Exists(pfxFileName))`
`@@ -367,11 +366,18 @@ private static IEnumerable<X509Certificate2> FindDevCertificates(X509Store store`
`367`	`366`	`{`
`368`	`367`	`pfxBytes = certificate.Export(X509ContentType.Pfx, password);`
`369`	`368`
`370`		`- if (pfxBytes is not null && OperatingSystem.IsMacOS() && certificate.IsAspNetCoreDevelopmentCertificate())`
	`369`	`+ if (pfxBytes is not null && certificate.IsAspNetCoreDevelopmentCertificate())`
`371`	`370`	`{`
`372`	`371`	`try`
`373`	`372`	`{`
`374`		`- Directory.CreateDirectory(s_macOSUserDevCertificateLocation, UnixFileMode.UserExecute \| UnixFileMode.UserWrite \| UnixFileMode.UserRead);`
	`373`	`+ if (OperatingSystem.IsWindows())`
	`374`	`+ {`
	`375`	`+ Directory.CreateDirectory(s_userDevCertificateLocation);`
	`376`	`+ }`
	`377`	`+ else`
	`378`	`+ {`
	`379`	`+ Directory.CreateDirectory(s_userDevCertificateLocation, UnixFileMode.UserExecute \| UnixFileMode.UserWrite \| UnixFileMode.UserRead);`
	`380`	`+ }`
`375`	`381`
`376`	`382`	`File.WriteAllBytes(pfxFileName, pfxBytes);`
`377`	`383`	`}`