Cannot activate license in Unity Hub on Fedora 41/RHEL9 until SHA-1 is trusted

This is what I found in the logfile that causes the license to be unusable:

2024-09-16 16:08:54.812 - [ 37974] - [    10] - ERROR - [Unity.Licensing.Client.Services.Helpers.LicenseFilesMapper] Exception caught while parsing license /home/cardidi/.config/unity3d/Unity/licenses/UnityEntitlementLicense.xml
Interop+Crypto+OpenSslCryptographicException: error:03000098:digital envelope routines::invalid digest
   at Interop.Crypto.RsaVerifyHash(SafeEvpPKeyHandle pkey, RSASignaturePaddingMode paddingMode, IntPtr digestAlgorithm, ReadOnlySpan`1 hash, ReadOnlySpan`1 signature)
   at System.Security.Cryptography.RSAOpenSsl.VerifyHash(ReadOnlySpan`1 hash, ReadOnlySpan`1 signature, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
   at System.Security.Cryptography.RSAOpenSsl.VerifyHash(Byte[] hash, Byte[] signature, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature(X509Certificate2 certificate, Boolean verifySignatureOnly)
   at Unity.Licensing.EntitlementResolver.Xml.XmlExtensions.ValidateSignature(XmlDocument xmlDoc, X509Certificate2 trustedCertificate, Boolean allowDelegation, String refId)
   at Unity.Licensing.EntitlementResolver.Xml.XmlReader`1.Read(Stream stream, Boolean requireSignature, Boolean validateSchema)
   at Unity.Licensing.EntitlementResolver.License.UnityLicense.ReadAndParseLicense(Stream licenseStream, X509Certificate2 certificate)
   at Unity.Licensing.EntitlementResolver.License.UnityLicense..ctor(String licenseFilePath, X509Certificate2 certificate, Boolean allowDelegation)
   at Unity.Licensing.EntitlementResolver.License.UnityLicense.GetLicense(String licenseFilePath, X509Certificate2 lsdCert)
   at Unity.Licensing.Client.Services.Helpers.LicenseFilesMapper.MapLicenseFilesToResult(IEnumerable`1 files, Boolean ignoreUlfLicenseFiles)

After searching around, I found that OpenSSL no longer trusts cryptographic signatures using SHA-1 by default, starting from Fedora 41.

I searched around and found this Red Hat documentation, which tells me how I can make SHA-1 signatures trusted. The command is as follows:

sudo update-crypto-policies --set DEFAULT:SHA1

But I think Unity should consider upgrading its dependency on libssl1, since most distros do not ship it by default, and also try to use a safer algorithm to avoid issues like this.

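Added example, not part of the original post and not Unity's code: the stack trace above fails inside `SignedXml.CheckSignature`, so one way to confirm that a signed XML file depends on SHA-1 before loosening the system-wide crypto policy is to read the algorithm URIs its `Signature` element declares. The sample document is constructed (it is not a real Unity license), and the assumption is that the license file carries a standard XML-DSig `Signature` block.

```python
import sys
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace
# Standard XML-DSig algorithm URIs that depend on SHA-1.
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
}

# Constructed sample, not a real license: only the Signature skeleton matters.
TEMPLATE = """<root>
  <License id="Terms">constructed</License>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <SignatureMethod Algorithm="{sig}"/>
      <Reference URI="#Terms">
        <DigestMethod Algorithm="{dig}"/>
        <DigestValue>constructed</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>constructed</SignatureValue>
  </Signature>
</root>"""
SAMPLE_SHA1 = TEMPLATE.format(sig="http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                              dig="http://www.w3.org/2000/09/xmldsig#sha1")
SAMPLE_SHA256 = TEMPLATE.format(sig="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                                dig="http://www.w3.org/2001/04/xmlenc#sha256")

def signature_algorithms(xml_data):
    """Return (element name, Algorithm URI) for each SignatureMethod and DigestMethod."""
    # Intended for a local, vendor-issued file; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_data)
    return [(tag, el.get("Algorithm", ""))
            for tag in ("SignatureMethod", "DigestMethod")
            for el in root.iter(DSIG + tag)]

def sha1_dependent(xml_data):
    """Return only the declared algorithms that a SHA-1-distrusting policy rejects."""
    return [(tag, uri) for tag, uri in signature_algorithms(xml_data) if uri in SHA1_URIS]

if __name__ == "__main__":
    # Pass a file path to inspect it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SHA1
    hits = sha1_dependent(data)
    for tag, uri in hits:
        print(f"SHA-1 dependent {tag}: {uri}")
    sys.exit(1 if hits else 0)
```

A non-zero exit status means at least one declared algorithm relies on SHA-1, which a policy that distrusts SHA-1 signatures will refuse to verify.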

I think I am having a similar problem.
[Licensing::Client] Error: Code 400 while processing request (status: Cannot load ULF license: error:03000098:digital envelope routines::invalid digest)
Although I am using a RHEL 9.4 container with Unity 2022.3.22.
I did have it working with Unity 2021, but now it won’t accept any license file.

RHEL has distrusted SHA-1 since RHEL9, so I think you can consider trying update-crypto-policies --set DEFAULT:SHA1 to fix this issue, or wait for an official fix.

I did try this from your initial post but it doesn’t seem to fix my problem. I might have some other issue on top of this now, but I had Unity 2021 working while using the SHA1 ULF before. It seems to only be Unity 2022 with this issue. Thanks for the help.

Could you please post your logfiles?

Pipeline output of docker build when it tries to install and activate unity:

...Download files from artifactory into /tmp...
[1/2] STEP 9/17: RUN mv /tmp/Unity-2022.3.22f1.tar.xz /tmp/Unity.tar.xz
--> 2e5eca07e572
[1/2] STEP 10/17: RUN chmod +x /tmp/UnitySetup-2022.3.22f1
--> 82b7802b92db
[1/2] STEP 11/17: RUN echo y | /tmp/UnitySetup-2022.3.22f1 --unattended --components=Unity,Windows-Mono --use-component-list=/tmp/unity-2022.3.22f1-linux.ini 		--download-location=/tmp --install-location=/opt/Unity-2022.3.22f1 --verbose > /opt/unityInstall.log || (cat /opt/unityInstall.log; false)
--> c812f7537e19
[1/2] STEP 12/17: RUN echo "2bb1901c922c4f16ac26a31cfc968f71" > /etc/machine-id
--> 88d92a9f8e3c
[1/2] STEP 13/17: RUN ln -s /opt/Unity-2022.3.22f1/Editor/Unity /usr/local/bin/Unity
--> 51dbdd31d865
[1/2] STEP 14/17: RUN Unity -batchmode -nographics -manualLicenseFile /tmp/Unity_v2022.x.ulf -logfile /dev/stdout || true
Unity Editor version:    2022.3.22f1 (887be4894c44)
Branch:                  2022.3/staging
Build type:              Release
Batch mode:              YES
System name:             Linux
Distro version:          #76-Ubuntu SMP Wed Jun 12 18:19:38 UTC 2024
Kernel version:          5.15.0-1067-azure
Architecture:            x86_64
Available memory:        32093 MB
[Licensing::Module] Trying to connect to existing licensing client channel...
[Licensing::IpcConnector] Connection attempt to the License Client on channel: "LicenseClient-root" failed because channel doesn't exist; code: "0x80000002"
[Licensing::Module] Successfully launched the LicensingClient (PId: 12)
[Licensing::IpcConnector] Successfully connected to the License Client on channel: "LicenseClient-root" at "2024-09-17T16:34:47.15024Z"
[SignatureVerifier] Application signature verification not supported on this platform.
[Licensing::Client] Handshaking with LicensingClient:
  Version:                 1.15.0+66d4389
  Session Id:              a87e522e829a4891b841375e4343b4d1
  Correlation Id:          632e4dceae87e75a5090f24b85133781
  External correlation Id: 1687651315572604117
  Machine Id:              puJyGco9QcjraxCuToy/Eimr1LY=
[Licensing::Module] Successfully connected to LicensingClient on channel: "LicenseClient-root" (connect: 0.60s, validation: 0.06s, handshake: 0.00s)
[Licensing::IpcConnector] Successfully connected to the License Notification on channel: "LicenseClient-root-notifications" at "2024-09-17T16:34:47.209079Z"
[Licensing::Module] Connected to LicensingClient (PId: 12, launch time: 0.00, total connection time: 0.66s)
[Licensing::Module] Error: Access token is unavailable; failed to update
[Licensing::Client] Error: Code 500 while processing request (status: Unable to update licenses. Errors: No ULF license found.,Token not found in cache)
[Licensing::Client] Error: Code 500 while updating license in client (status: Unable to update licenses. Errors: No ULF license found.,Token not found in cache)
[Licensing::Module] Loading manual activation license file /tmp/Unity_v2022.x.ulf.
[Licensing::Client] Error: Code 400 while processing request (status: Cannot load ULF license: error:03000098:digital envelope routines::invalid digest)
Checking for leaked weakptr:
  Found no leaked weakptrs.
Memory Statistics:
[ALLOC_TEMP_TLS] TLS Allocator
  StackAllocators : 
    [ALLOC_TEMP_CoreBusinessMetricsCache]
      Initial Block Size 64.0 KB
      Current Block Size 64.0 KB
      Peak Allocated Bytes 0 B
      Overflow Count 0
    [ALLOC_TEMP_Profiler.Dispatcher]
      Initial Block Size 64.0 KB
      Current Block Size 64.0 KB
      Peak Allocated Bytes 0 B
      Overflow Count 0
    [ALLOC_TEMP_AssetGarbageCollectorHelper] x 7
      Initial Block Size 64.0 KB
      Current Block Size 64.0 KB
      Peak Allocated Bytes 0 B
      Overflow Count 0
[ALLOC_MEMORYPROFILER]
  Requested Block Size 1.0 MB
  Peak Block count 1
  Peak Allocated memory 4.6 KB
  Peak Large allocation bytes 0 B
##utp:{"type":"MemoryLeaks","version":2,"phase":"Immediate","time":1726590887288,"processId":2,"allocatedMemory":85115,"memoryLabels":[{"Default":530},{"Thread":64},{"Manager":6610},{"Serialization":52},{"BaseObject":12376},{"String":7085},{"HashMap":12372},{"Utility":1024},{"GI":2944},{"CloudService":504},{"VR":80},{"EditorUtility":256},{"RestService":1022},{"License":3624},{"UnityConnect":25496},{"Collab":25},{"LocalIPC":212},{"ProfilerEditor":10839}]}
time="2024-09-17T16:35:33Z" level=warning msg="archive: skipping \"/var/lib/containers/storage/overlay/695c3a01a3ad532adf450e5203a1189d8ab287bc835ca5d5f89ccbab57fb9de8/merged/tmp/Unity-LicenseClient-root-notifications.sock\" since it is a socket"
time="2024-09-17T16:35:33Z" level=warning msg="archive: skipping \"/var/lib/containers/storage/overlay/695c3a01a3ad532adf450e5203a1189d8ab287bc835ca5d5f89ccbab57fb9de8/merged/tmp/Unity-LicenseClient-root.sock\" since it is a socket"
time="2024-09-17T16:35:33Z" level=warning msg="archive: skipping \"/var/lib/containers/storage/overlay/695c3a01a3ad532adf450e5203a1189d8ab287bc835ca5d5f89ccbab57fb9de8/merged/tmp/dotnet-diagnostic-12-476463015-socket\" since it is a socket"

Unity install Log (shortened)

UNITY TERMS OF SERVICE
...
Do you accept the terms of the License Agreement? (y/n)

Beginning unattended installation to '/opt/Unity-2022.3.22f1', downloading packages to '/tmp'
Selecting Unity
Selecting Windows-Mono
Required installation size: Total space required: 6.46 GB
Available space: Space available: 774.36 GB
Available space: Space available: 774.36 GB
Verifying Unity 2022.3.22f1
Using existing '/tmp/Unity.tar.xz'
Finished downloading '/LinuxEditorInstaller/Unity.tar.xz' to '/tmp/Unity.tar.xz'
Verifying Windows Build Support (Mono)
Using existing '/tmp/UnitySetup-Windows-Mono-Support-for-Editor-2022.3.22f1.pkg'
Finished downloading '/MacEditorTargetInstaller/UnitySetup-Windows-Mono-Support-for-Editor-2022.3.22f1.pkg' to '/tmp/UnitySetup-Windows-Mono-Support-for-Editor-2022.3.22f1.pkg'
Installing Unity 2022.3.22f1
Extracting /tmp/Unity.tar.xz
========================

Editor/

Editor/libcompress_bc7e.so
...

These logs are from a run without the update-crypto-policies --set DEFAULT:SHA1 line, but when I tried that I didn’t see any change in the output.

I still don’t know what seemed to cause the problem, but I have been able to sidestep it by using the docker images and instructions provided by gameci. https://game.ci/

So you are trying to run this on Docker with CI/CD? I used to build games on Docker and I did not meet a situation like this. But as far as I know, the host system’s configuration does not affect Docker, so is there anything else that makes Docker unable to trust SHA1? Did you test another version of Unity in Docker?

I am now using the GameCI-provided Docker images in GitLab pipelines. The method that it uses to pass in the Unity license differs slightly from what I had done previously. Where I was trying to store the ULF in the image, GameCI provides the ULF as a GitLab CI/CD variable passed in during a pipeline run. Both of these attempts were using SHA1; however, my attempts were using RHEL 9.4 and GameCI uses Ubuntu 22.04.4.

The previous method I used worked with Unity 2019 and 2021. But in Unity 2022 the legacy license handling module was deprecated, which I believe could explain the difference in behavior.

Umm, I built my games on Ubuntu 22.04 with GameCI-provided Docker images with Unity 2021. I’m not sure if this issue is related. Maybe you can open an issue with Unity?