Pre-export dev certificate to Aspire cache to avoid macOS keychain prompts (#16282)

* Pre-export dev certificate to Aspire cache to avoid keychain prompts

When the Aspire CLI generates, corrects, or trusts a developer certificate on
macOS, also write the PFX and PEM key material to the Aspire hosting dev-cert
cache (~/.aspire/dev-certs/https/). This lets app-host processes load key
material from disk instead of triggering macOS Keychain access prompts.

Changes:
- MacOSCertificateManager: SaveCertificateCore, CorrectCertificateState, and
  TrustCertificateCore now write both the .aspnet and .aspire caches using
  ExportCertificate consistently.
- DeveloperCertificateService: Restructured GetKeyMaterialAsync to try cache
  reads first, then do a single private key access for any misses (reduces
  two keychain prompts to one on cache miss).
- CertificateService: Added TrustCertificateAsync with PreExportKeyMaterialAsync
  fallback for certs created before the cache writes existed.
- CertificatesTrustCommand: Refactored to use ICertificateService.TrustCertificateAsync.
- Added tests for trust flow and pre-export behavior.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Update to use pkcs12 file in both places, removed unused cert export method

* Fix macOS dev cert cache prewarming

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Remove Hosting dependency from CLI cert test

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Unify certificate trust path in CLI

Collapse EnsureCertificatesTrustedAsync and TrustCertificateAsync into a
single path used by the apphost, init/template, and 'aspire certs trust'
callers. The service always runs the trust operation so the Aspire cache
stays populated even when the certificate is already trusted, and it emits
the same TrustCancelled / CertificatesMayNotBeFullyTrusted warnings
consistently across all callers. SSL_CERT_DIR handling on Linux partial
trust is unchanged.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Warm Aspire cert cache even when .aspnet PFX missing

WriteAspireCacheFromDiskPfx previously no-op'd when the .aspnet PFX did
not already exist on disk, which meant the Aspire cache would not be
warmed if the .aspnet cache hadn't already been written during trust.
Export the .aspnet PFX on demand in that case so both caches are always
populated together.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Cleanup files that were changed for no reason

* Cleanup an additional file

* Cleanup two more files with unnecessary edits

* Skip interactive cert trust in non-interactive mode

In non-interactive environments on macOS and Windows we can't successfully
prompt for certificate trust (Keychain password / trust dialog) and we
don't want to silently generate an untrusted certificate. Inject
ICliHostEnvironment into CertificateService and, when
SupportsInteractiveInput is false on non-Linux, skip TrustHttpCertificate
but still run CheckHttpCertificate so we can warn with distinct messages
for partially trusted and not trusted states. Linux trust is
non-interactive so the full flow is still run there.

Fixes AspireCliTsStarterSmoke hanging on 'Trusting certificates...' in
Windows CI.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Support ECDSA private keys in DeveloperCertificateService.ExportFromPrivateKey

ExportFromPrivateKey silently returned null for non-RSA certificates,
meaning a user-supplied ECDSA certificate would skip cache warming
without any diagnostic. Fall back to GetECDsaPrivateKey when the cert
has no RSA key and throw InvalidOperationException when neither is
available. ExportKeyPem now operates against AsymmetricAlgorithm and
picks the right temporary key type when re-exporting unencrypted PKCS#8.

Added tests covering the ECDSA path (password and no-password variants),
the public-only-certificate failure case, and an RSA sanity check.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: danegsta

src/Aspire.Cli/Certificates/CertificateGeneration/MacOSCertificateManager.cs

@@ -6,6 +6,7 @@
 using System.Globalization;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
+using System.Text;
 using System.Text.RegularExpressions;
 using Microsoft.Extensions.Logging;
 
@@ -32,6 +33,10 @@ internal sealed class MacOSCertificateManager : CertificateManager
     // Well-known location on disk where dev-certs are stored.
     private static readonly string s_macOSUserHttpsCertificateLocation = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), ".aspnet", "dev-certs", "https");
 
+    // Well-known location where Aspire.Hosting caches dev-cert key material to avoid
+    // triggering macOS Keychain access prompts at app-host startup time.
+    private static readonly string s_aspireDevCertsCacheDirectory = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), ".aspire", "dev-certs", "https");
+
     // Verify the certificate {0} for the SSL and X.509 Basic Policy.
     private const string MacOSVerifyCertificateCommandLine = "security";
     private const string MacOSVerifyCertificateCommandLineArgumentsFormat = "verify-cert -c \"{0}\" -p basic -p ssl";
@@ -84,6 +89,10 @@ internal MacOSCertificateManager(string subject, int version)
 
     protected override TrustLevel TrustCertificateCore(X509Certificate2 publicCertificate)
     {
+        // Populate the Aspire cache even when the certificate is already trusted so
+        // `aspire certs trust` can prewarm the cache without reapplying trust.
+        WriteAspireCacheFromDiskPfx(GetCertificateFilePath(publicCertificate), publicCertificate);
+
         var oldTrustLevel = GetTrustLevel(publicCertificate);
         if (oldTrustLevel != TrustLevel.None)
         {
@@ -97,6 +106,7 @@ protected override TrustLevel TrustCertificateCore(X509Certificate2 publicCertif
         {
             // We can't guarantee that the temp file is in a directory with sensible permissions, but we're not exporting the private key
             ExportCertificate(publicCertificate, tmpFile, includePrivateKey: false, password: null, CertificateKeyExportFormat.Pfx);
+
             if (Log.IsEnabled())
             {
                 Log.MacOSTrustCommandStart($"{MacOSTrustCertificateCommandLine} {s_macOSTrustCertificateCommandLineArguments}{tmpFile}");
@@ -111,7 +121,6 @@ protected override TrustLevel TrustCertificateCore(X509Certificate2 publicCertif
                 }
             }
             Log.MacOSTrustCommandEnd();
-            return TrustLevel.Full;
         }
         finally
         {
@@ -124,6 +133,8 @@ protected override TrustLevel TrustCertificateCore(X509Certificate2 publicCertif
                 // We don't care if we can't delete the temp file.
             }
         }
+
+        return TrustLevel.Full;
     }
 
     internal override CheckCertificateStateResult CheckCertificateState(X509Certificate2 candidate)
@@ -137,9 +148,15 @@ internal override void CorrectCertificateState(X509Certificate2 candidate)
     {
         try
         {
-            // This path is in a well-known folder, so we trust the permissions.
-            var certificatePath = GetCertificateFilePath(candidate);
-            ExportCertificate(candidate, certificatePath, includePrivateKey: true, null, CertificateKeyExportFormat.Pfx);
+            var onDiskPfxPath = GetCertificateFilePath(candidate);
+
+            // The .aspnet PFX write needs to use the keychain-backed cert since
+            // it's the authoritative source being corrected.
+            ExportCertificate(candidate, onDiskPfxPath, includePrivateKey: true, null, CertificateKeyExportFormat.Pfx);
+
+            // For the Aspire cache, load from the on-disk PFX we just wrote to avoid
+            // a second keychain access prompt.
+            WriteAspireCacheFromDiskPfx(onDiskPfxPath, candidate);
         }
         catch (Exception ex)
         {
@@ -310,17 +327,15 @@ protected override X509Certificate2 SaveCertificateCore(X509Certificate2 certifi
 
         try
         {
-            var certBytes = certificate.Export(X509ContentType.Pfx);
-
             if (Log.IsEnabled())
             {
                 Log.MacOSAddCertificateToUserProfileDirStart(s_macOSUserKeychain, GetDescription(certificate));
             }
 
-            // Ensure that the directory exists before writing to the file.
-            CreateDirectoryWithPermissions(s_macOSUserHttpsCertificateLocation);
+            ExportCertificate(certificate, GetCertificateFilePath(certificate), includePrivateKey: true, null, CertificateKeyExportFormat.Pfx);
 
-            File.WriteAllBytes(GetCertificateFilePath(certificate), certBytes);
+            var aspireLookup = GetAspireCertificateHash(certificate);
+            ExportCertificate(certificate, Path.Combine(s_aspireDevCertsCacheDirectory, $"{aspireLookup}.pfx"), includePrivateKey: true, null, CertificateKeyExportFormat.Pfx);
         }
         catch (Exception ex)
         {
@@ -373,6 +388,60 @@ private void SaveCertificateToUserKeychain(X509Certificate2 certificate)
     private static string GetCertificateFilePath(X509Certificate2 certificate) =>
         Path.Combine(s_macOSUserHttpsCertificateLocation, $"aspnetcore-localhost-{certificate.Thumbprint}.pfx");
 
+    /// <summary>
+    /// Writes Aspire hosting cache entries (PFX and PEM key) by loading the certificate from the
+    /// on-disk PFX at <paramref name="onDiskPfxPath"/> to avoid triggering a macOS Keychain
+    /// access prompt. If the on-disk PFX does not yet exist (for example, when correcting the
+    /// state of a pre-.NET 7 keychain-only certificate), it is exported first so the Aspire
+    /// cache can always be warmed alongside it. This is a best-effort operation; failures are
+    /// silently ignored so the app host can fall back to caching at startup.
+    /// </summary>
+    private void WriteAspireCacheFromDiskPfx(string onDiskPfxPath, X509Certificate2 certificate)
+    {
+        try
+        {
+            if (!File.Exists(onDiskPfxPath))
+            {
+                // The .aspnet PFX is the preferred source because loading from it avoids a
+                // second keychain prompt. If it's missing, export it first (this is a
+                // private-key export from the keychain, so it may prompt once) so both the
+                // .aspnet and Aspire caches are populated together.
+                ExportCertificate(certificate, onDiskPfxPath, includePrivateKey: true, password: null, CertificateKeyExportFormat.Pfx);
+            }
+
+            using var diskCert = X509CertificateLoader.LoadPkcs12FromFile(onDiskPfxPath, password: null, X509KeyStorageFlags.Exportable);
+            var aspireLookup = GetAspireCertificateHash(certificate);
+
+            CreateDirectoryWithPermissions(s_aspireDevCertsCacheDirectory);
+
+            ExportCertificate(diskCert, Path.Combine(s_aspireDevCertsCacheDirectory, $"{aspireLookup}.pfx"), includePrivateKey: true, null, CertificateKeyExportFormat.Pfx);
+
+            // Write PEM key cache — must match the format produced by DeveloperCertificateService.ExportKeyPem
+            using var key = diskCert.GetRSAPrivateKey();
+            if (key is not null)
+            {
+                var keyBytes = key.ExportPkcs8PrivateKey();
+                var pem = PemEncoding.Write("PRIVATE KEY", keyBytes);
+                Array.Clear(keyBytes, 0, keyBytes.Length);
+
+                var keyPath = Path.Combine(s_aspireDevCertsCacheDirectory, $"{aspireLookup}.key");
+                File.WriteAllBytes(keyPath, Encoding.UTF8.GetBytes(pem));
+                Array.Clear(pem, 0, pem.Length);
+            }
+        }
+        catch
+        {
+            // Best effort — the app host will fall back to accessing the keychain directly.
+        }
+    }
+
+    /// <summary>
+    /// Computes the Aspire hosting cache key for a certificate, matching the convention
+    /// used by <c>DeveloperCertificateService</c>: SHA256(thumbprint) as hex.
+    /// </summary>
+    private static string GetAspireCertificateHash(X509Certificate2 certificate) =>
+        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(certificate.Thumbprint)));
+
     protected override IList<X509Certificate2> GetCertificatesToRemove(StoreName storeName, StoreLocation storeLocation)
     {
         return ListCertificates(StoreName.My, StoreLocation.CurrentUser, isValid: false);

src/Aspire.Cli/Certificates/CertificateService.cs

@@ -3,7 +3,6 @@
 
 using System.Diagnostics;
 using System.Globalization;
-using System.Runtime.InteropServices;
 using Aspire.Cli.Interaction;
 using Aspire.Cli.Resources;
 using Aspire.Cli.Telemetry;
@@ -22,6 +21,21 @@ internal sealed class EnsureCertificatesTrustedResult
     /// to ensure certificates are properly trusted.
     /// </summary>
     public required IDictionary<string, string> EnvironmentVariables { get; init; }
+
+    /// <summary>
+    /// Gets whether the trust operation completed successfully.
+    /// </summary>
+    public required bool Success { get; init; }
+
+    /// <summary>
+    /// Gets whether the operation was cancelled by the user.
+    /// </summary>
+    public bool WasCancelled { get; init; }
+
+    /// <summary>
+    /// Gets the underlying result code from the certificate manager.
+    /// </summary>
+    public EnsureCertificateResult? ResultCode { get; init; }
 }
 
 internal interface ICertificateService
@@ -33,100 +47,79 @@ internal sealed class CertificateService(
     ICertificateToolRunner certificateToolRunner,
     IInteractionService interactionService,
     AspireCliTelemetry telemetry,
-    ICliHostEnvironment hostEnvironment,
-    Func<bool>? isNonInteractiveTrustSupported = null) : ICertificateService
+    ICliHostEnvironment hostEnvironment) : ICertificateService
 {
     private const string SslCertDirEnvVar = "SSL_CERT_DIR";
-    private readonly Func<bool> _isNonInteractiveTrustSupported = isNonInteractiveTrustSupported ?? OperatingSystem.IsLinux;
 
     public async Task<EnsureCertificatesTrustedResult> EnsureCertificatesTrustedAsync(CancellationToken cancellationToken)
     {
         using var activity = telemetry.StartDiagnosticActivity(kind: ActivityKind.Client);
 
         var environmentVariables = new Dictionary<string, string>();
 
-        // Use the machine-readable check (available in .NET 10 SDK which is the minimum required)
-        var trustResult = await CheckMachineReadableAsync();
-        await HandleMachineReadableTrustAsync(trustResult, environmentVariables);
-
-        return new EnsureCertificatesTrustedResult
-        {
-            EnvironmentVariables = environmentVariables
-        };
-    }
-
-    private async Task<CertificateTrustResult> CheckMachineReadableAsync()
-    {
-        var result = await interactionService.ShowStatusAsync(
-            InteractionServiceStrings.CheckingCertificates,
-            () => Task.FromResult(certificateToolRunner.CheckHttpCertificate()),
-            emoji: KnownEmojis.LockedWithKey);
-
-        return result;
-    }
-
-    private async Task HandleMachineReadableTrustAsync(
-        CertificateTrustResult trustResult,
-        Dictionary<string, string> environmentVariables)
-    {
-        // If fully trusted, nothing more to do
-        if (trustResult.IsFullyTrusted)
-        {
-            return;
-        }
+        // In non-interactive environments on macOS and Windows we can't successfully
+        // prompt for trust (macOS Keychain password, Windows trust dialog) and we also
+        // don't want to silently generate a new certificate that won't be trusted.
+        // Skip the trust attempt but still check the current state so we can warn when
+        // the environment does not already have a trusted certificate. Linux trust is
+        // non-interactive so it's safe to run the full flow there.
+        var canPerformTrust = hostEnvironment.SupportsInteractiveInput || OperatingSystem.IsLinux();
 
-        // If not trusted at all, run the trust operation
-        if (trustResult.IsNotTrusted)
+        if (!canPerformTrust)
         {
-            if (!hostEnvironment.SupportsInteractiveInput && !_isNonInteractiveTrustSupported())
+            var preCheck = certificateToolRunner.CheckHttpCertificate();
+            if (preCheck.IsPartiallyTrusted)
             {
-                // In non-interactive mode (e.g. CI), skip the trust operation on platforms
-                // where it requires user interaction (macOS Keychain password prompt, Windows
-                // certificate trust dialog). Linux trust is non-interactive, so it can proceed.
-                if (!trustResult.HasCertificates)
-                {
-                    var ensureResultCode = await interactionService.ShowStatusAsync(
-                        InteractionServiceStrings.CheckingCertificates,
-                        () => Task.FromResult(certificateToolRunner.EnsureHttpCertificateExists()),
-                        emoji: KnownEmojis.LockedWithKey);
-
-                    if (!IsSuccessfulEnsureResult(ensureResultCode))
-                    {
-                        interactionService.DisplayMessage(KnownEmojis.Warning, string.Format(CultureInfo.CurrentCulture, ErrorStrings.CertificatesMayNotBeFullyTrusted, ensureResultCode));
-                    }
-                }
-
-                return;
+                interactionService.DisplayMessage(KnownEmojis.Warning, ErrorStrings.CertificatesPartiallyTrustedNonInteractive);
             }
-
-            var trustResultCode = await interactionService.ShowStatusAsync(
-                InteractionServiceStrings.TrustingCertificates,
-                () => Task.FromResult(certificateToolRunner.TrustHttpCertificate()),
-                emoji: KnownEmojis.LockedWithKey);
-
-            if (trustResultCode == EnsureCertificateResult.UserCancelledTrustStep)
+            else if (!preCheck.IsFullyTrusted)
             {
-                interactionService.DisplayMessage(KnownEmojis.Warning, CertificatesCommandStrings.TrustCancelled);
+                interactionService.DisplayMessage(KnownEmojis.Warning, ErrorStrings.CertificatesNotTrustedNonInteractive);
             }
-            else if (!CertificateHelpers.IsSuccessfulTrustResult(trustResultCode))
+
+            if (preCheck.IsPartiallyTrusted && OperatingSystem.IsLinux())
             {
-                interactionService.DisplayMessage(KnownEmojis.Warning, string.Format(CultureInfo.CurrentCulture, ErrorStrings.CertificatesMayNotBeFullyTrusted, trustResultCode));
+                ConfigureSslCertDir(environmentVariables);
             }
 
-            // Re-check trust status after trust operation
-            trustResult = certificateToolRunner.CheckHttpCertificate();
+            return new EnsureCertificatesTrustedResult
+            {
+                EnvironmentVariables = environmentVariables,
+                Success = true
+            };
         }
 
-        // If partially trusted (either initially or after trust), configure SSL_CERT_DIR on Linux
-        if (trustResult.IsPartiallyTrusted && RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
+        // Always run trust so the Aspire cache stays populated even when the certificate
+        // is already trusted. Each platform's TrustCertificateCore short-circuits without
+        // prompting when the certificate is already in the trust store.
+        var trustResultCode = await interactionService.ShowStatusAsync(
+            InteractionServiceStrings.TrustingCertificates,
+            () => Task.FromResult(certificateToolRunner.TrustHttpCertificate()),
+            emoji: KnownEmojis.LockedWithKey);
+
+        if (trustResultCode == EnsureCertificateResult.UserCancelledTrustStep)
+        {
+            interactionService.DisplayMessage(KnownEmojis.Warning, CertificatesCommandStrings.TrustCancelled);
+        }
+        else if (!CertificateHelpers.IsSuccessfulTrustResult(trustResultCode))
+        {
+            interactionService.DisplayMessage(KnownEmojis.Warning, string.Format(CultureInfo.CurrentCulture, ErrorStrings.CertificatesMayNotBeFullyTrusted, trustResultCode));
+        }
+
+        var postTrustCheck = certificateToolRunner.CheckHttpCertificate();
+        if (postTrustCheck.IsPartiallyTrusted && OperatingSystem.IsLinux())
         {
             ConfigureSslCertDir(environmentVariables);
         }
-    }
 
-    private static bool IsSuccessfulEnsureResult(EnsureCertificateResult result) =>
-        result is EnsureCertificateResult.Succeeded
-            or EnsureCertificateResult.ValidCertificatePresent;
+        return new EnsureCertificatesTrustedResult
+        {
+            EnvironmentVariables = environmentVariables,
+            Success = CertificateHelpers.IsSuccessfulTrustResult(trustResultCode),
+            WasCancelled = trustResultCode == EnsureCertificateResult.UserCancelledTrustStep,
+            ResultCode = trustResultCode
+        };
+    }
 
     private static void ConfigureSslCertDir(Dictionary<string, string> environmentVariables)
     {
@@ -158,7 +151,6 @@ private static void ConfigureSslCertDir(Dictionary<string, string> environmentVa
             environmentVariables[SslCertDirEnvVar] = string.Join(Path.PathSeparator, systemCertDirs);
         }
     }
-
 }
 
 internal sealed class CertificateServiceException(string message) : Exception(message)

src/Aspire.Cli/Certificates/ICertificateToolRunner.cs

@@ -15,11 +15,6 @@ internal interface ICertificateToolRunner
     /// </summary>
     CertificateTrustResult CheckHttpCertificate();
 
-    /// <summary>
-    /// Ensures the HTTPS development certificate exists without trusting it.
-    /// </summary>
-    EnsureCertificateResult EnsureHttpCertificateExists();
-
     /// <summary>
     /// Trusts the HTTPS development certificate, creating one if necessary.
     /// </summary>

src/Aspire.Cli/Certificates/NativeCertificateToolRunner.cs

@@ -86,16 +86,6 @@ public EnsureCertificateResult TrustHttpCertificate()
             trust: true);
     }
 
-    public EnsureCertificateResult EnsureHttpCertificateExists()
-    {
-        var now = DateTimeOffset.Now;
-        return certificateManager.EnsureAspNetCoreHttpsDevelopmentCertificate(
-            now,
-            now.Add(TimeSpan.FromDays(365)),
-            trust: false,
-            isInteractive: false);
-    }
-
     internal EnsureCertificateResult TrustHttpCertificateOnLinux(IEnumerable<X509Certificate2> availableCertificates, DateTimeOffset now)
     {
         X509Certificate2? certificate = null;