Cannot activate license in Unity Hub on Fedora 41/RHEL 9 until SHA-1 is trusted

This is what I found in the logfile that causes the license to be unusable:

2024-09-16 16:08:54.812 - [ 37974] - [    10] - ERROR - [Unity.Licensing.Client.Services.Helpers.LicenseFilesMapper] Exception caught while parsing license /home/cardidi/.config/unity3d/Unity/licenses/UnityEntitlementLicense.xml
Interop+Crypto+OpenSslCryptographicException: error:03000098:digital envelope routines::invalid digest
   at Interop.Crypto.RsaVerifyHash(SafeEvpPKeyHandle pkey, RSASignaturePaddingMode paddingMode, IntPtr digestAlgorithm, ReadOnlySpan`1 hash, ReadOnlySpan`1 signature)
   at System.Security.Cryptography.RSAOpenSsl.VerifyHash(ReadOnlySpan`1 hash, ReadOnlySpan`1 signature, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
   at System.Security.Cryptography.RSAOpenSsl.VerifyHash(Byte[] hash, Byte[] signature, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature(X509Certificate2 certificate, Boolean verifySignatureOnly)
   at Unity.Licensing.EntitlementResolver.Xml.XmlExtensions.ValidateSignature(XmlDocument xmlDoc, X509Certificate2 trustedCertificate, Boolean allowDelegation, String refId)
   at Unity.Licensing.EntitlementResolver.Xml.XmlReader`1.Read(Stream stream, Boolean requireSignature, Boolean validateSchema)
   at Unity.Licensing.EntitlementResolver.License.UnityLicense.ReadAndParseLicense(Stream licenseStream, X509Certificate2 certificate)
   at Unity.Licensing.EntitlementResolver.License.UnityLicense..ctor(String licenseFilePath, X509Certificate2 certificate, Boolean allowDelegation)
   at Unity.Licensing.EntitlementResolver.License.UnityLicense.GetLicense(String licenseFilePath, X509Certificate2 lsdCert)
   at Unity.Licensing.Client.Services.Helpers.LicenseFilesMapper.MapLicenseFilesToResult(IEnumerable`1 files, Boolean ignoreUlfLicenseFiles)

After searching around, I found that OpenSSL will no longer trust cryptographic signatures using SHA-1 by default, starting from Fedora 41.

I searched around and found this Red Hat documentation, which tells me how to make SHA-1 signatures trusted. The command is as follows:

sudo update-crypto-policies --set DEFAULT:SHA1

But I think Unity should consider upgrading its dependency on libssl1, since most distros will not ship it by default, and should also try to use a safer algorithm to avoid issues like this.

9 Likes

I think I am having a similar problem.
[Licensing::Client] Error: Code 400 while processing request (status: Cannot load ULF license: error:03000098:digital envelope routines::invalid digest)
Although I am using a RHEL 9.4 container with Unity 2022.3.22.
I did have it working with Unity 2021, but now it won’t accept any license file.

RHEL has distrusted SHA-1 since RHEL 9, so I think you can try update-crypto-policies --set DEFAULT:SHA1 to fix this issue, or wait for an official fix.

1 Like

I did try this from your initial post but it doesn’t seem to fix my problem. I might have some other issue on top of this now, but I had Unity 2021 working while using the SHA1 ULF before. It seems to only be Unity 2022 with this issue. Thanks for the help.

Could you please post your logfiles?

Pipeline output of docker build when it tries to install and activate unity:

...Download files from artifactory into /tmp...
[1/2] STEP 9/17: RUN mv /tmp/Unity-2022.3.22f1.tar.xz /tmp/Unity.tar.xz
--> 2e5eca07e572
[1/2] STEP 10/17: RUN chmod +x /tmp/UnitySetup-2022.3.22f1
--> 82b7802b92db
[1/2] STEP 11/17: RUN echo y | /tmp/UnitySetup-2022.3.22f1 --unattended --components=Unity,Windows-Mono --use-component-list=/tmp/unity-2022.3.22f1-linux.ini 		--download-location=/tmp --install-location=/opt/Unity-2022.3.22f1 --verbose > /opt/unityInstall.log || (cat /opt/unityInstall.log; false)
--> c812f7537e19
[1/2] STEP 12/17: RUN echo "2bb1901c922c4f16ac26a31cfc968f71" > /etc/machine-id
--> 88d92a9f8e3c
[1/2] STEP 13/17: RUN ln -s /opt/Unity-2022.3.22f1/Editor/Unity /usr/local/bin/Unity
--> 51dbdd31d865
[1/2] STEP 14/17: RUN Unity -batchmode -nographics -manualLicenseFile /tmp/Unity_v2022.x.ulf -logfile /dev/stdout || true
Unity Editor version:    2022.3.22f1 (887be4894c44)
Branch:                  2022.3/staging
Build type:              Release
Batch mode:              YES
System name:             Linux
Distro version:          #76-Ubuntu SMP Wed Jun 12 18:19:38 UTC 2024
Kernel version:          5.15.0-1067-azure
Architecture:            x86_64
Available memory:        32093 MB
[Licensing::Module] Trying to connect to existing licensing client channel...
[Licensing::IpcConnector] Connection attempt to the License Client on channel: "LicenseClient-root" failed because channel doesn't exist; code: "0x80000002"
[Licensing::Module] Successfully launched the LicensingClient (PId: 12)
[Licensing::IpcConnector] Successfully connected to the License Client on channel: "LicenseClient-root" at "2024-09-17T16:34:47.15024Z"
[SignatureVerifier] Application signature verification not supported on this platform.
[Licensing::Client] Handshaking with LicensingClient:
  Version:                 1.15.0+66d4389
  Session Id:              a87e522e829a4891b841375e4343b4d1
  Correlation Id:          632e4dceae87e75a5090f24b85133781
  External correlation Id: 1687651315572604117
  Machine Id:              puJyGco9QcjraxCuToy/Eimr1LY=
[Licensing::Module] Successfully connected to LicensingClient on channel: "LicenseClient-root" (connect: 0.60s, validation: 0.06s, handshake: 0.00s)
[Licensing::IpcConnector] Successfully connected to the License Notification on channel: "LicenseClient-root-notifications" at "2024-09-17T16:34:47.209079Z"
[Licensing::Module] Connected to LicensingClient (PId: 12, launch time: 0.00, total connection time: 0.66s)
[Licensing::Module] Error: Access token is unavailable; failed to update
[Licensing::Client] Error: Code 500 while processing request (status: Unable to update licenses. Errors: No ULF license found.,Token not found in cache)
[Licensing::Client] Error: Code 500 while updating license in client (status: Unable to update licenses. Errors: No ULF license found.,Token not found in cache)
[Licensing::Module] Loading manual activation license file /tmp/Unity_v2022.x.ulf.
[Licensing::Client] Error: Code 400 while processing request (status: Cannot load ULF license: error:03000098:digital envelope routines::invalid digest)
Checking for leaked weakptr:
  Found no leaked weakptrs.
Memory Statistics:
[ALLOC_TEMP_TLS] TLS Allocator
  StackAllocators : 
    [ALLOC_TEMP_CoreBusinessMetricsCache]
      Initial Block Size 64.0 KB
      Current Block Size 64.0 KB
      Peak Allocated Bytes 0 B
      Overflow Count 0
    [ALLOC_TEMP_Profiler.Dispatcher]
      Initial Block Size 64.0 KB
      Current Block Size 64.0 KB
      Peak Allocated Bytes 0 B
      Overflow Count 0
    [ALLOC_TEMP_AssetGarbageCollectorHelper] x 7
      Initial Block Size 64.0 KB
      Current Block Size 64.0 KB
      Peak Allocated Bytes 0 B
      Overflow Count 0
[ALLOC_MEMORYPROFILER]
  Requested Block Size 1.0 MB
  Peak Block count 1
  Peak Allocated memory 4.6 KB
  Peak Large allocation bytes 0 B
##utp:{"type":"MemoryLeaks","version":2,"phase":"Immediate","time":1726590887288,"processId":2,"allocatedMemory":85115,"memoryLabels":[{"Default":530},{"Thread":64},{"Manager":6610},{"Serialization":52},{"BaseObject":12376},{"String":7085},{"HashMap":12372},{"Utility":1024},{"GI":2944},{"CloudService":504},{"VR":80},{"EditorUtility":256},{"RestService":1022},{"License":3624},{"UnityConnect":25496},{"Collab":25},{"LocalIPC":212},{"ProfilerEditor":10839}]}
time="2024-09-17T16:35:33Z" level=warning msg="archive: skipping \"/var/lib/containers/storage/overlay/695c3a01a3ad532adf450e5203a1189d8ab287bc835ca5d5f89ccbab57fb9de8/merged/tmp/Unity-LicenseClient-root-notifications.sock\" since it is a socket"
time="2024-09-17T16:35:33Z" level=warning msg="archive: skipping \"/var/lib/containers/storage/overlay/695c3a01a3ad532adf450e5203a1189d8ab287bc835ca5d5f89ccbab57fb9de8/merged/tmp/Unity-LicenseClient-root.sock\" since it is a socket"
time="2024-09-17T16:35:33Z" level=warning msg="archive: skipping \"/var/lib/containers/storage/overlay/695c3a01a3ad532adf450e5203a1189d8ab287bc835ca5d5f89ccbab57fb9de8/merged/tmp/dotnet-diagnostic-12-476463015-socket\" since it is a socket"

Unity install Log (shortened)

UNITY TERMS OF SERVICE
...
Do you accept the terms of the License Agreement? (y/n)

Beginning unattended installation to '/opt/Unity-2022.3.22f1', downloading packages to '/tmp'
Selecting Unity
Selecting Windows-Mono
Required installation size: Total space required: 6.46 GB
Available space: Space available: 774.36 GB
Available space: Space available: 774.36 GB
Verifying Unity 2022.3.22f1
Using existing '/tmp/Unity.tar.xz'
Finished downloading '/LinuxEditorInstaller/Unity.tar.xz' to '/tmp/Unity.tar.xz'
Verifying Windows Build Support (Mono)
Using existing '/tmp/UnitySetup-Windows-Mono-Support-for-Editor-2022.3.22f1.pkg'
Finished downloading '/MacEditorTargetInstaller/UnitySetup-Windows-Mono-Support-for-Editor-2022.3.22f1.pkg' to '/tmp/UnitySetup-Windows-Mono-Support-for-Editor-2022.3.22f1.pkg'
Installing Unity 2022.3.22f1
Extracting /tmp/Unity.tar.xz
========================

Editor/

Editor/libcompress_bc7e.so
...

These logs are from a run without the update-crypto-policies --set DEFAULT:SHA1 line, but when I tried that I didn’t see any change in the output.

I still don’t know what seemed to cause the problem, but I have been able to sidestep it by using the docker images and instructions provided by gameci. https://game.ci/

So you are trying to run this on Docker with CI/CD? I used to build games on Docker and I did not run into a situation like this. But as far as I know, the host system’s configuration will not affect Docker, so is there anything else that makes Docker unable to trust SHA1? Did you test another version of Unity in Docker?

I am now using the GameCI-provided docker images in GitLab pipelines. The method that it uses to pass in the Unity license differs slightly from what I had done previously. Where I was trying to store the ULF in the image, GameCI provides the ULF as a GitLab CI/CD variable passed in during a pipeline run. Both of these attempts were using SHA1; however, my attempts were using RHEL 9.4 and GameCI uses Ubuntu 22.04.4.

The previous method I used worked with Unity 2019 and 2021. But in Unity 2022 the legacy license handling module was deprecated, which I believe could explain the difference in behavior.

Umm, I built my games on Ubuntu 22.04 with the GameCI-provided docker images with Unity 2021. I’m not sure if this issue is related. Maybe you can open an issue with Unity?

Yesterday Fedora 41 was officially released, and after successfully upgrading from version 40, UnityHub refused to activate the personal license. So I tried the solution from the original post and it helped me, thank you - “update-crypto-policies --set DEFAULT:SHA1”
+1 for the crypto library update request…

So, Unity Hub is the one that needs to fix this, right? Has someone reported this, or do they (the Unity Hub devs) already know about this problem?

It does work, but remember to set it back with update-crypto-policies --set DEFAULT after Unity has opened (--set DEFAULT:SHA1 > open hub, don’t close > set back to --set DEFAULT) if you can, knowing the risk. This is to reduce SHA1 vulnerability.

2 Likes

I installed Unity inside a distrobox. How can I enable this: sudo update-crypto-policies --set DEFAULT:SHA1

Because it shows this: sudo: update-crypto-policies: command not found

Try installing the crypto-policies* packages.

Thank you so much.

This only applies if you installed Fedora inside a Distrobox:

sudo dnf install crypto-policies-scripts
sudo update-crypto-policies --set DEFAULT:SHA1

I tried going through support on my Unity Pro sub, and I was told that Fedora isn’t officially supported, which honestly is fine. I’m happy to even get the “no support but here are some packages to get it working” version.

I was told the only officially supported distro is Ubuntu at the moment.

For now, the DEFAULT:SHA1 command that was listed in the original post got me going, and maybe I’ll make the migration towards an Ubuntu-based distro in the future.

Setting the crypto-policies works, but it is not nice, because it allows SHA1 (which is insecure encryption) to be used everywhere in Fedora. Please fix this Unity!

Don’t like this insecure workaround? Here’s how you can only enable SHA1 for unityhub and nothing else.

The first time, allow SHA1 (as others have said):

sudo update-crypto-policies --set DEFAULT:SHA1

Now copy your policy file (that is now updated to allow SHA1, which is insecure):

cp /etc/crypto-policies/back-ends/opensslcnf.config ~/my-insecure-unity-opensslcnf.config

Revert back to the safe default setting:

sudo update-crypto-policies --set DEFAULT

You can now run unityhub with SHA1 enabled like this:

OPENSSL_CONF=~/my-insecure-unity-opensslcnf.config unityhub

You can define an alias for that in, e.g., your bashrc.

If you don’t even want to run update-crypto-policies to allow SHA1 once, you can also copy the opensslcnf.config and change rh-allow-sha1-signatures = no to rh-allow-sha1-signatures = yes, and add :ECDSA+SHA1:RSA+SHA1 to the end of the line with SignatureAlgorithms.

8 Likes
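
The per-application variant described in the post above, written out as an added example (not part of the original post and not Unity's or Fedora's own tooling): it applies the two edits the post names to a private copy of the config and sets OPENSSL_CONF for one child process only. The function names and the sample config contents are assumptions; the sample is a constructed, shortened stand-in for the real back-end file.

```shell
#!/bin/sh
# Added example: build a private OpenSSL config that permits SHA-1 signatures
# for one process, without changing the system-wide crypto policy.

# Constructed, shortened stand-in for
# /etc/crypto-policies/back-ends/opensslcnf.config under the DEFAULT policy.
write_sample_conf() {
    cat > "$1" <<'EOF'
CipherString = @SECLEVEL=2:kEECDH:kRSA
TLS.MinProtocol = TLSv1.2
SignatureAlgorithms = ECDSA+SHA256:RSA+SHA256

[openssl_init]
alg_section = evp_properties

[evp_properties]
rh-allow-sha1-signatures = no
EOF
}

# make_sha1_conf SRC DST: apply the two edits from the post to a copy of SRC.
# Returns 2 (and writes nothing) if either expected key is missing, so a
# changed file layout is noticed instead of silently producing a no-op copy.
make_sha1_conf() {
    grep -q '^rh-allow-sha1-signatures[[:space:]]*=' "$1" || return 2
    grep -q '^SignatureAlgorithms[[:space:]]*=' "$1" || return 2
    (
        umask 077   # private copy: readable by the owner only
        sed -e 's/^\(rh-allow-sha1-signatures[[:space:]]*=[[:space:]]*\)no[[:space:]]*$/\1yes/' \
            -e '/^SignatureAlgorithms[[:space:]]*=/{' \
            -e '/:ECDSA+SHA1:RSA+SHA1$/!s/[[:space:]]*$/:ECDSA+SHA1:RSA+SHA1/' \
            -e '}' "$1" > "$2"
    )
}

# run_with_conf CONF CMD...: OPENSSL_CONF is set for the child process only.
run_with_conf() {
    conf=$1; shift
    env OPENSSL_CONF="$conf" "$@"
}

# Demo on the constructed sample (temporary directory, nothing system-wide).
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/system.config"
make_sha1_conf "$demo_dir/system.config" "$demo_dir/unity.config"
grep -E '^(SignatureAlgorithms|rh-allow-sha1)' "$demo_dir/unity.config"
```

On a real system the source would be /etc/crypto-policies/back-ends/opensslcnf.config and the command unityhub. The private copy does not follow later changes to the system policy, so it has to be regenerated after the policy is updated.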

The OPENSSL_CONF works for me, but I notice it only works when I have freshly rebooted my system. Once Unity has been opened once, I get the following - ERROR: Ampli is not yet initialized. Have you called ampli.load() on app start?

The Ampli error happens if UnityHub is opened up more than once at the same time. But there can only be one. Make sure to first close UnityHub before opening a fresh one with OPENSSL_CONF.