diff --git a/.gitignore b/.gitignore
index 373b232..20b3ba1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,33 +44,3 @@
 /dotnet-8.0.5.tar.gz.sig
 /dotnet-8.0.7.tar.gz
 /dotnet-8.0.7.tar.gz.sig
-/dotnet-8.0.8.tar.gz
-/dotnet-8.0.8.tar.gz.sig
-/dotnet-8.0.10.tar.gz
-/dotnet-8.0.10.tar.gz.sig
-/dotnet-8.0.11.tar.gz
-/dotnet-8.0.11.tar.gz.sig
-/dotnet-8.0.12.tar.gz
-/dotnet-8.0.12.tar.gz.sig
-/dotnet-8.0.13.tar.gz
-/dotnet-8.0.13.tar.gz.sig
-/dotnet-8.0.14.tar.gz
-/dotnet-8.0.14.tar.gz.sig
-/dotnet-8.0.15.tar.gz
-/dotnet-8.0.15.tar.gz.sig
-/dotnet-8.0.16.tar.gz
-/dotnet-8.0.16.tar.gz.sig
-/dotnet-8.0.17.tar.gz
-/dotnet-8.0.17.tar.gz.sig
-/dotnet-8.0.18.tar.gz
-/dotnet-8.0.18.tar.gz.sig
-/dotnet-8.0.119.tar.gz
-/dotnet-8.0.119.tar.gz.sig
-/dotnet-8.0.120.tar.gz
-/dotnet-8.0.120.tar.gz.sig
-/dotnet-8.0.121.tar.gz
-/dotnet-8.0.121.tar.gz.sig
-/dotnet-8.0.122.tar.gz
-/dotnet-8.0.122.tar.gz.sig
-/dotnet-8.0.123.tar.gz
-/dotnet-8.0.123.tar.gz.sig
diff --git a/dotnet8.0.spec b/dotnet8.0.spec
index 6cc1b3a..c87496f 100644
--- a/dotnet8.0.spec
+++ b/dotnet8.0.spec
@@ -8,20 +8,16 @@ %global dotnetver 8.0 -# Only the package for the latest dotnet version should provide RPMs like -# dotnet-host and netstandard-targeting-pack-2.1 -%global is_latest_dotnet 0 - -%global host_version 8.0.23 -%global runtime_version 8.0.23 +%global host_version 8.0.7 +%global runtime_version 8.0.7 %global aspnetcore_runtime_version %{runtime_version} -%global sdk_version 8.0.123 +%global sdk_version 8.0.107 %global sdk_feature_band_version %(echo %{sdk_version} | cut -d '-' -f 1 | sed -e 's|[[:digit:]][[:digit:]]$|00|') %global templates_version %{runtime_version} #%%global templates_version %%(echo %%{runtime_version} | awk 'BEGIN { FS="."; OFS="." } {print $1, $2, $3+1 }') # upstream can produce releases with a different tag than the SDK version -%global upstream_tag v%{sdk_version} +%global upstream_tag v%{runtime_version} %global upstream_tag_without_v %(echo %{upstream_tag} | sed -e 's|^v||') %global host_rpm_version %{host_version} @@ -29,7 +25,15 @@ %global aspnetcore_runtime_rpm_version %{aspnetcore_runtime_version} %global sdk_rpm_version %{sdk_version} +%if 0%{?fedora} || 0%{?rhel} < 8 +%global use_bundled_libunwind 0 +%else %global use_bundled_libunwind 1 +%endif + +%ifarch aarch64 ppc64le s390x +%global use_bundled_libunwind 1 +%endif %ifarch aarch64 %global runtime_arch arm64 
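Review bot: The new `host_version`/`runtime_version` (8.0.7) and `sdk_version` (8.0.107) are lower than the values they replace (8.0.23 and 8.0.123), so this hunk moves the package backwards across every servicing update listed in the changelog entries removed further down. A build from this spec would ship without whatever fixes those later updates carried, and the resulting NVR sorts below the builds already published. If this is a deliberate branch reset, the commit message should say so; otherwise the version macros, `release.json` and `sources` should stay on the newest release.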
@@ -88,25 +92,14 @@ Patch2: vstest-intent-net8.0.patch Patch3: runtime-re-enable-implicit-rejection.patch # https://github.com/dotnet/msbuild/pull/9449 Patch4: msbuild-9449-exec-stop-setting-a-locale.patch -# We disable checking the signature of the last certificate in a chain if the certificate is supposedly self-signed. -# A side effect of not checking the self-signature of such a certificate is that disabled or unsupported message -# digests used for the signature are not treated as fatal errors. -# https://issues.redhat.com/browse/RHEL-25254 -Patch5: runtime-openssl-sha1.patch -# https://github.com/dotnet/runtime/issues/119706#issuecomment-3292624673 -Patch6: runtime-119706-clang-21.patch -# TODO send upstream -Patch7: runtime-clang-20-support.patch +# https://github.com/dotnet/runtime/pull/104994 +Patch5: runtime-104994-openssl-engine.patch ExclusiveArch: aarch64 ppc64le s390x x86_64 -%if 0%{?fedora} >= 43 -BuildRequires: clang20 -%else BuildRequires: clang -%endif BuildRequires: cmake BuildRequires: coreutils %if %{without bootstrap} @@ -396,9 +389,7 @@ applications using the .NET SDK. %dotnet_targeting_pack dotnet-apphost-pack-%{dotnetver} %{runtime_rpm_version} Microsoft.NETCore.App %{dotnetver} Microsoft.NETCore.App.Host.%{runtime_id} %dotnet_targeting_pack dotnet-targeting-pack-%{dotnetver} %{runtime_rpm_version} Microsoft.NETCore.App %{dotnetver} Microsoft.NETCore.App.Ref %dotnet_targeting_pack aspnetcore-targeting-pack-%{dotnetver} %{aspnetcore_runtime_rpm_version} Microsoft.AspNetCore.App %{dotnetver} Microsoft.AspNetCore.App.Ref -%if %{is_latest_dotnet} %dotnet_targeting_pack netstandard-targeting-pack-2.1 %{sdk_rpm_version} NETStandard.Library 2.1 NETStandard.Library.Ref -%endif %package -n dotnet-sdk-%{dotnetver}-source-built-artifacts 
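Review bot: Replacing `Patch5: runtime-openssl-sha1.patch` drops the only carry of the SHA-1 workaround, and the spec comment that explained it is removed with it. Per the deleted patch's own description, RHEL OpenSSL builds disable SHA-1 signatures and validation under `X509_V_FLAG_CHECK_SS_SIGNATURE` fails when the last certificate in the chain is SHA-1-signed, so a build from this spec will presumably reject such chains again. That is the stricter outcome, but it is a behaviour change users will notice; if it is intended, record it next to the patch list, for example `# runtime-openssl-sha1.patch dropped: SHA-1 self-signed roots fail validation on RHEL again (RHEL-25254)`.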
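Review bot: With the `%if %{is_latest_dotnet}` guard removed, `netstandard-targeting-pack-2.1` is built unconditionally from this 8.0 package, and the later hunks do the same for the `dotnet-host` `%files` list, the `dotnet.sh` and `install_location` installation, and the `%check` self-test. The comment deleted at the top of the spec said only the package for the latest .NET version should provide these RPMs, so if a newer source package exists in the same repository two source packages would produce the same binary package names. Confirm that this branch is meant to be the provider, or keep the macro and its comment as `%global is_latest_dotnet 1` so the condition stays documented. The `%package` list this line belongs to starts and ends outside the hunk.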
@@ -534,14 +525,6 @@ CXXFLAGS=$(echo $CXXFLAGS | sed -e 's/ -march=z13//') CXXFLAGS=$(echo $CXXFLAGS | sed -e 's/ -mtune=z14//') %endif -%if 0%{?rhel} >= 10 -# Workaround for https://github.com/dotnet/runtime/issues/109611 -# FIXME: Remove this, and replace with upstream fix -CFLAGS=$(echo $CFLAGS | sed -e 's/-march=x86-64-v3 //') -CXXFLAGS=$(echo $CXXFLAGS | sed -e 's/-march=x86-64-v3 //') -LDFLAGS=$(echo $LDFLAGS | sed -e 's/-march=x86-64-v3 //') -%endif - export EXTRA_CFLAGS="$CFLAGS" export EXTRA_CXXFLAGS="$CXXFLAGS" export EXTRA_LDFLAGS="$LDFLAGS" @@ -551,28 +534,7 @@ export EXTRA_LDFLAGS="$LDFLAGS" # suggested compile-time change doesn't work, unfortunately. export COMPlus_LTTng=0 -%ifarch ppc64le s390x -max_attempts=3 -%else -max_attempts=1 -%endif - -function retry_until_success { - local exit_code=1 - local tries=$1 - shift - set +e - while [[ $exit_code != 0 ]] && [[ $tries != 0 ]]; do - (( tries = tries - 1 )) - "$@" - exit_code=$? - done - set -e - return $exit_code -} - -VERBOSE=1 retry_until_success $max_attempts \ - timeout 5h \ +VERBOSE=1 timeout 5h \ ./build.sh \ %if %{without bootstrap} --with-sdk previously-built-dotnet \ @@ -634,7 +596,6 @@ find %{buildroot}%{_libdir}/dotnet/ -type f -name '*.targets' -exec chmod -x {} find %{buildroot}%{_libdir}/dotnet/ -type f -name '*.txt' -exec chmod -x {} \; find %{buildroot}%{_libdir}/dotnet/ -type f -name '*.xml' -exec chmod -x {} \; -%if %{is_latest_dotnet} install -dm 0755 %{buildroot}%{_sysconfdir}/profile.d/ install dotnet.sh %{buildroot}%{_sysconfdir}/profile.d/ 
@@ -659,7 +620,6 @@ echo "%{_libdir}/dotnet" >> install_location install install_location %{buildroot}%{_sysconfdir}/dotnet/ echo "%{_libdir}/dotnet" >> install_location_%{runtime_arch} install install_location_%{runtime_arch} %{buildroot}%{_sysconfdir}/dotnet/ -%endif install -dm 0755 %{buildroot}%{_libdir}/dotnet/source-built-artifacts install -m 0644 artifacts/%{runtime_arch}/Release/Private.SourceBuilt.Artifacts.*.tar.gz %{buildroot}/%{_libdir}/dotnet/source-built-artifacts/ @@ -685,22 +645,6 @@ find %{buildroot}%{_libdir}/dotnet/sdk -type d | tail -n +2 | sed -E 's|%{buildr find %{buildroot}%{_libdir}/dotnet/sdk -type f -and -not -name '*.pdb' | sed -E 's|%{buildroot}||' >> dotnet-sdk-non-dbg-files find %{buildroot}%{_libdir}/dotnet/sdk -type f -name '*.pdb' | sed -E 's|%{buildroot}||' > dotnet-sdk-dbg-files -%if %{is_latest_dotnet} == 0 -# If this is an older version, self-test now, before we delete files. After we -# delete files, we will not have everything we need to self-test in %%check. -%{buildroot}%{_libdir}/dotnet/dotnet --info -%{buildroot}%{_libdir}/dotnet/dotnet --version - -# Provided by dotnet-host from another SRPM -rm %{buildroot}%{_libdir}/dotnet/LICENSE.txt -rm %{buildroot}%{_libdir}/dotnet/ThirdPartyNotices.txt -rm %{buildroot}%{_libdir}/dotnet/dotnet -# Provided by netstandard-targeting-pack-2.1 from another SRPM -rm -rf %{buildroot}%{_libdir}/dotnet/packs/NETStandard.Library.Ref/2.1.0 -rm %{buildroot}%{_rpmmacrodir}/macros.dotnet -%endif - - %check %if 0%{?fedora} > 35 @@ -708,10 +652,8 @@ rm %{buildroot}%{_rpmmacrodir}/macros.dotnet export COMPlus_LTTng=0 %endif -%if %{is_latest_dotnet} %{buildroot}%{_libdir}/dotnet/dotnet --info %{buildroot}%{_libdir}/dotnet/dotnet --version -%endif %if ( 0%{?fedora} && 0%{?fedora} < 38 ) || ( 0%{?rhel} && 0%{?rhel} < 9 ) @@ -719,7 +661,6 @@ export COMPlus_LTTng=0 # empty package useful for dependencies %endif -%if %{is_latest_dotnet} %files -n dotnet-host %dir %{_libdir}/dotnet %{_libdir}/dotnet/dotnet 
@@ -736,7 +677,6 @@ export COMPlus_LTTng=0 %dir %{_datadir}/bash-completion/completions %{_datadir}/bash-completion/completions/dotnet %{_rpmmacrodir}/macros.dotnet -%endif %files -n dotnet-hostfxr-%{dotnetver} %dir %{_libdir}/dotnet/host/fxr 
@@ -779,70 +719,6 @@ export COMPlus_LTTng=0 %changelog -* Tue Jan 13 2026 Omair Majid - 8.0.123-1 -- Update to .NET SDK 8.0.123 and Runtime 8.0.23 - -* Mon Nov 17 2025 Omair Majid - 8.0.122-1 -- Update to .NET SDK 8.0.122 and Runtime 8.0.22 - -* Thu Oct 30 2025 Omair Majid - 8.0.121-1 -- Update to .NET SDK 8.0.121 and Runtime 8.0.21 - -* Tue Oct 28 2025 Omair Majid - 8.0.120-2 -- Don't use clang 21 - -* Wed Sep 10 2025 Omair Majid - 8.0.120-1 -- Update to .NET SDK 8.0.120 and Runtime 8.0.20 - -* Wed Aug 06 2025 Omair Majid - 8.0.119-1 -- Update to .NET SDK 8.0.119 and Runtime 8.0.19 - -* Wed Jul 23 2025 Fedora Release Engineering - 8.0.118-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - -* Tue Jul 08 2025 Omair Majid - 8.0.118-1 -- Update to .NET SDK 8.0.118 and Runtime 8.0.18 - -* Tue Jun 10 2025 Omair Majid - 8.0.117-1 -- Update to .NET SDK 8.0.117 and Runtime 8.0.17 - -* Tue May 13 2025 Omair Majid - 8.0.116-1 -- Update to .NET SDK 8.0.116 and Runtime 8.0.16 - -* Wed Apr 09 2025 Omair Majid - 8.0.115-1 -- Update to .NET SDK 8.0.115 and Runtime 8.0.15 - -* Tue Mar 11 2025 Omair Majid - 8.0.114-1 -- Update to .NET SDK 8.0.114 and Runtime 8.0.14 - -* Mon Feb 17 2025 Omair Majid - 8.0.113-1 -- Update to .NET SDK 8.0.113 and Runtime 8.0.13 - -* Thu Jan 16 2025 Omair Majid - 8.0.112-1 -- Update to .NET SDK 8.0.112 and Runtime 8.0.12 - -* Thu Jan 16 2025 Fedora Release Engineering -- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild - -* Tue Dec 10 2024 Omair Majid - 8.0.111-2 -- Fix ELN build -- Resolves: RHBZ#2321109 - -* Mon Nov 18 2024 Omair Majid - 8.0.111-1 -- Update to .NET SDK 8.0.111 and Runtime 8.0.11 - -* Fri Oct 11 2024 Omair Majid - 8.0.110-1 -- Update to .NET SDK 8.0.110 and Runtime 8.0.10 - -* Fri Sep 27 2024 Omair Majid - 8.0.108-2 -- Support building without ENGINE support in OpenSSL - -* Tue Aug 13 2024 Omair Majid - 8.0.108-1 -- Update to .NET SDK 8.0.108 and Runtime 8.0.8 - -* Wed Jul 17 2024 Fedora Release 
Engineering - 8.0.107-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - * Tue Jul 09 2024 Omair Majid - 8.0.107-1 - Update to .NET SDK 8.0.107 and Runtime 8.0.7 diff --git a/gating.yaml b/gating.yaml index 6b6a8a9..b7ab3d1 100644 --- a/gating.yaml +++ b/gating.yaml @@ -20,3 +20,4 @@ product_versions: decision_context: osci_compose_gate rules: - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional} + - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.other-archs.functional} diff --git a/release.json b/release.json index 15390f5..72a9adc 100644 --- a/release.json +++ b/release.json @@ -1,10 +1,10 @@ { - "release": "8.0.23", + "release": "8.0.7", "channel": "8.0", - "tag": "v8.0.123", - "sdkVersion": "8.0.123", - "runtimeVersion": "8.0.23", - "aspNetCoreVersion": "8.0.23", + "tag": "v8.0.7", + "sdkVersion": "8.0.107", + "runtimeVersion": "8.0.7", + "aspNetCoreVersion": "8.0.7", "sourceRepository": "https://github.com/dotnet/dotnet", - "sourceVersion": "fafff0660ef23ca2ece1444119524a76e0f4d4a4" + "sourceVersion": "8be139ddde52d33e24c7d82f813248ff9fc54b97" } diff --git a/runtime-104994-openssl-engine.patch b/runtime-104994-openssl-engine.patch new file mode 100644 index 0000000..488c93a --- /dev/null +++ b/runtime-104994-openssl-engine.patch 
@@ -0,0 +1,324 @@ +From 5eb7fd1d9909c3824caba0bc6a3f376557961aef Mon Sep 17 00:00:00 2001 +From: Kevin Jones +Date: Tue, 16 Jul 2024 16:56:59 -0400 +Subject: [PATCH 1/2] Light up support for OpenSSL ENGINEs only if they are + available. + +Some Linux distributions are phasing out support for OpenSSL 1.x ENGINEs. They are doing this by moving the header, `engine.h`, to a separate package or removing the header entirely. The actual OpenSSL shared libraries still contain the engine APIs. This makes the change an API, not ABI, break. + +We react to this by disabling OpenSSL engine support on non-portable builds that are missing the engine header. Portable builds will continue to probe the loaded OpenSSL library for support, and non-portable builds will only support ENGINEs if the header is present. +--- + .../Interop.EvpPkey.cs | 22 +++++-- + .../src/Resources/Strings.resx | 3 + + .../configure.cmake | 6 ++ + .../opensslshim.h | 36 ++++++++-- + .../pal_crypto_config.h.in | 1 + + .../pal_evp_pkey.c | 65 ++++++++++++++----- + .../pal_evp_pkey.h | 6 +- + 7 files changed, 109 insertions(+), 30 deletions(-) + +diff --git a/src/runtime/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.cs b/src/runtime/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.cs +index 77b80634bd0ce..4e8659b5653b7 100644 +--- a/src/runtime/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.cs ++++ b/src/runtime/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.cs +@@ -217,7 +217,8 @@ internal static ArraySegment RentEncodeSubjectPublicKeyInfo(SafeEvpPKeyHan + [LibraryImport(Libraries.CryptoNative, StringMarshalling = StringMarshalling.Utf8)] + private static partial SafeEvpPKeyHandle CryptoNative_LoadPrivateKeyFromEngine( + string engineName, +- string keyName); ++ string keyName, ++ [MarshalAs(UnmanagedType.Bool)] out bool haveEngine); + + 
internal static SafeEvpPKeyHandle LoadPrivateKeyFromEngine( + string engineName, +@@ -226,7 +227,13 @@ internal static SafeEvpPKeyHandle LoadPrivateKeyFromEngine( + Debug.Assert(engineName is not null); + Debug.Assert(keyName is not null); + +- SafeEvpPKeyHandle pkey = CryptoNative_LoadPrivateKeyFromEngine(engineName, keyName); ++ SafeEvpPKeyHandle pkey = CryptoNative_LoadPrivateKeyFromEngine(engineName, keyName, out bool haveEngine); ++ ++ if (!haveEngine) ++ { ++ pkey.Dispose(); ++ throw new CryptographicException(SR.Cryptography_EnginesNotSupported); ++ } + + if (pkey.IsInvalid) + { +@@ -240,7 +247,8 @@ internal static SafeEvpPKeyHandle LoadPrivateKeyFromEngine( + [LibraryImport(Libraries.CryptoNative, StringMarshalling = StringMarshalling.Utf8)] + private static partial SafeEvpPKeyHandle CryptoNative_LoadPublicKeyFromEngine( + string engineName, +- string keyName); ++ string keyName, ++ [MarshalAs(UnmanagedType.Bool)] out bool haveEngine); + + internal static SafeEvpPKeyHandle LoadPublicKeyFromEngine( + string engineName, +@@ -249,7 +257,13 @@ internal static SafeEvpPKeyHandle LoadPublicKeyFromEngine( + Debug.Assert(engineName is not null); + Debug.Assert(keyName is not null); + +- SafeEvpPKeyHandle pkey = CryptoNative_LoadPublicKeyFromEngine(engineName, keyName); ++ SafeEvpPKeyHandle pkey = CryptoNative_LoadPublicKeyFromEngine(engineName, keyName, out bool haveEngine); ++ ++ if (!haveEngine) ++ { ++ pkey.Dispose(); ++ throw new CryptographicException(SR.Cryptography_EnginesNotSupported); ++ } + + if (pkey.IsInvalid) + { +diff --git a/src/runtime/src/libraries/System.Security.Cryptography/src/Resources/Strings.resx b/src/runtime/src/libraries/System.Security.Cryptography/src/Resources/Strings.resx +index 4bcfdcfd3454f..5cc5cce830a35 100644 +--- a/src/runtime/src/libraries/System.Security.Cryptography/src/Resources/Strings.resx ++++ b/src/runtime/src/libraries/System.Security.Cryptography/src/Resources/Strings.resx +@@ -327,6 +327,9 @@ + + {0} unexpectedly 
produced a ciphertext with the incorrect length. + ++ ++ OpenSSL ENGINE is not available on this platform. ++ + + The total number of bytes extracted cannot exceed UInt32.MaxValue * hash length. + +diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake b/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake +index 74ed49f5d1916..10a6b986268b0 100644 +--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake ++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake +@@ -1,5 +1,6 @@ + include(CheckLibraryExists) + include(CheckFunctionExists) ++include(CheckSourceCompiles) + + set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR}) + set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY} ${OPENSSL_SSL_LIBRARY}) +@@ -22,6 +23,11 @@ check_function_exists( + HAVE_OPENSSL_SHA3 + ) + ++check_source_compiles(C " ++#include ++int main(void) { ENGINE_init(NULL); return 1; }" ++HAVE_OPENSSL_ENGINE) ++ + configure_file( + ${CMAKE_CURRENT_SOURCE_DIR}/pal_crypto_config.h.in + ${CMAKE_CURRENT_BINARY_DIR}/pal_crypto_config.h) +diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h +index 57ba6a6809649..3d6d77895b64f 100644 +--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h ++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h +@@ -17,7 +17,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -46,6 +45,11 @@ + #include + #endif + ++#if HAVE_OPENSSL_ENGINE ++// Some Linux distributions build without engine support. 
++#include ++#endif ++ + #if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_1_1_1_RTM + #define HAVE_OPENSSL_SET_CIPHERSUITES 1 + #else +@@ -168,6 +172,24 @@ const EVP_MD *EVP_shake256(void); + int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len); + #endif + ++#if !HAVE_OPENSSL_ENGINE ++#undef HAVE_OPENSSL_ENGINE ++#define HAVE_OPENSSL_ENGINE 1 ++ ++ENGINE *ENGINE_by_id(const char *id); ++int ENGINE_init(ENGINE *e); ++int ENGINE_finish(ENGINE *e); ++ENGINE *ENGINE_new(void); ++int ENGINE_free(ENGINE *e); ++typedef EVP_PKEY *(*ENGINE_LOAD_KEY_PTR)(ENGINE *, const char *, ++ UI_METHOD *ui_method, ++ void *callback_data); ++EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, ++ UI_METHOD *ui_method, void *callback_data); ++EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id, ++ UI_METHOD *ui_method, void *callback_data); ++#endif ++ + #define API_EXISTS(fn) (fn != NULL) + + // List of all functions from the libssl that are used in the System.Security.Cryptography.Native. 
+@@ -298,12 +320,12 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len); + REQUIRED_FUNCTION(EC_POINT_mul) \ + REQUIRED_FUNCTION(EC_POINT_new) \ + REQUIRED_FUNCTION(EC_POINT_set_affine_coordinates_GFp) \ +- REQUIRED_FUNCTION(ENGINE_by_id) \ +- REQUIRED_FUNCTION(ENGINE_finish) \ +- REQUIRED_FUNCTION(ENGINE_free) \ +- REQUIRED_FUNCTION(ENGINE_init) \ +- REQUIRED_FUNCTION(ENGINE_load_public_key) \ +- REQUIRED_FUNCTION(ENGINE_load_private_key) \ ++ LIGHTUP_FUNCTION(ENGINE_by_id) \ ++ LIGHTUP_FUNCTION(ENGINE_finish) \ ++ LIGHTUP_FUNCTION(ENGINE_free) \ ++ LIGHTUP_FUNCTION(ENGINE_init) \ ++ LIGHTUP_FUNCTION(ENGINE_load_public_key) \ ++ LIGHTUP_FUNCTION(ENGINE_load_private_key) \ + REQUIRED_FUNCTION(ERR_clear_error) \ + REQUIRED_FUNCTION(ERR_error_string_n) \ + REQUIRED_FUNCTION(ERR_get_error) \ +diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_crypto_config.h.in b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_crypto_config.h.in +index d7aef5a7d1b67..30d1219eb98b0 100644 +--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_crypto_config.h.in ++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_crypto_config.h.in +@@ -4,3 +4,4 @@ + #cmakedefine01 HAVE_OPENSSL_ALPN + #cmakedefine01 HAVE_OPENSSL_CHACHA20POLY1305 + #cmakedefine01 HAVE_OPENSSL_SHA3 ++#cmakedefine01 HAVE_OPENSSL_ENGINE +diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.c +index 80183b97a77c9..dea4f277b8969 100644 +--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.c ++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.c +@@ -511,41 +511,72 @@ int32_t CryptoNative_EncodeSubjectPublicKeyInfo(EVP_PKEY* pkey, uint8_t* buf) + return i2d_PUBKEY(pkey, &buf); + } + ++#if HAVE_OPENSSL_ENGINE + static EVP_PKEY* 
LoadKeyFromEngine( + const char* engineName, + const char* keyName, +- ENGINE_LOAD_KEY_PTR load_func) ++ ENGINE_LOAD_KEY_PTR load_func, ++ int32_t* haveEngine) + { ++ assert(haveEngine); + ERR_clear_error(); + +- EVP_PKEY* ret = NULL; +- ENGINE* engine = NULL; ++ if (API_EXISTS(ENGINE_by_id) && API_EXISTS(ENGINE_init) && API_EXISTS(ENGINE_finish) && API_EXISTS(ENGINE_free)) ++ { ++ *haveEngine = 1; ++ EVP_PKEY* ret = NULL; ++ ENGINE* engine = NULL; + +- // Per https://github.com/openssl/openssl/discussions/21427 +- // using EVP_PKEY after freeing ENGINE is correct. +- engine = ENGINE_by_id(engineName); ++ // Per https://github.com/openssl/openssl/discussions/21427 ++ // using EVP_PKEY after freeing ENGINE is correct. ++ engine = ENGINE_by_id(engineName); + +- if (engine != NULL) +- { +- if (ENGINE_init(engine)) ++ if (engine != NULL) + { +- ret = load_func(engine, keyName, NULL, NULL); ++ if (ENGINE_init(engine)) ++ { ++ ret = load_func(engine, keyName, NULL, NULL); ++ ++ ENGINE_finish(engine); ++ } + +- ENGINE_finish(engine); ++ ENGINE_free(engine); + } + +- ENGINE_free(engine); ++ return ret; + } + +- return ret; ++ *haveEngine = 0; ++ return NULL; + } ++#endif + +-EVP_PKEY* CryptoNative_LoadPrivateKeyFromEngine(const char* engineName, const char* keyName) ++EVP_PKEY* CryptoNative_LoadPrivateKeyFromEngine(const char* engineName, const char* keyName, int32_t* haveEngine) + { +- return LoadKeyFromEngine(engineName, keyName, ENGINE_load_private_key); ++#if HAVE_OPENSSL_ENGINE ++ if (API_EXISTS(ENGINE_load_private_key)) ++ { ++ return LoadKeyFromEngine(engineName, keyName, ENGINE_load_private_key, haveEngine); ++ } ++#endif ++ (void)engineName; ++ (void)keyName; ++ (void)haveEngine; ++ *haveEngine = 0; ++ return NULL; + } + +-EVP_PKEY* CryptoNative_LoadPublicKeyFromEngine(const char* engineName, const char* keyName) ++EVP_PKEY* CryptoNative_LoadPublicKeyFromEngine(const char* engineName, const char* keyName, int32_t* haveEngine) + { +- return 
LoadKeyFromEngine(engineName, keyName, ENGINE_load_public_key); ++#if HAVE_OPENSSL_ENGINE ++ if (API_EXISTS(ENGINE_load_private_key)) ++ { ++ return LoadKeyFromEngine(engineName, keyName, ENGINE_load_public_key, haveEngine); ++ } ++#endif ++ (void)engineName; ++ (void)keyName; ++ (void)haveEngine; ++ *haveEngine = 0; ++ return NULL; + } +diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.h b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.h +index 64d289dc6f488..e4d5f85d4b9ec 100644 +--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.h ++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.h +@@ -93,12 +93,14 @@ PALEXPORT int32_t CryptoNative_EncodeSubjectPublicKeyInfo(EVP_PKEY* pkey, uint8_ + Load a named key, via ENGINE_load_private_key, from the named engine. + + Returns a valid EVP_PKEY* on success, NULL on failure. ++haveEngine is 1 if OpenSSL ENGINE's are supported, otherwise 0. + */ +-PALEXPORT EVP_PKEY* CryptoNative_LoadPrivateKeyFromEngine(const char* engineName, const char* keyName); ++PALEXPORT EVP_PKEY* CryptoNative_LoadPrivateKeyFromEngine(const char* engineName, const char* keyName, int32_t* haveEngine); + + /* + Load a named key, via ENGINE_load_public_key, from the named engine. + + Returns a valid EVP_PKEY* on success, NULL on failure. ++haveEngine is 1 if OpenSSL ENGINE's are supported, otherwise 0. 
+ */ +-PALEXPORT EVP_PKEY* CryptoNative_LoadPublicKeyFromEngine(const char* engineName, const char* keyName); ++PALEXPORT EVP_PKEY* CryptoNative_LoadPublicKeyFromEngine(const char* engineName, const char* keyName, int32_t* haveEngine); + +From c81f7a8f5000151edfac9f9d891121a01a64f1ba Mon Sep 17 00:00:00 2001 +From: Kevin Jones +Date: Wed, 17 Jul 2024 07:47:53 -0400 +Subject: [PATCH 2/2] Fix detection of ENGINE APIs with OpenSSL 3 + +--- + .../libs/System.Security.Cryptography.Native/configure.cmake | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake b/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake +index 10a6b986268b0..4a70e70899c5e 100644 +--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake ++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake +@@ -4,6 +4,7 @@ include(CheckSourceCompiles) + + set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR}) + set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY} ${OPENSSL_SSL_LIBRARY}) ++set(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L) + + check_function_exists( + EC_GF2m_simple_method diff --git a/runtime-119706-clang-21.patch b/runtime-119706-clang-21.patch deleted file mode 100644 index 9d97b4a..0000000 --- a/runtime-119706-clang-21.patch +++ /dev/null 
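Review bot: In the added patch, `CryptoNative_LoadPublicKeyFromEngine` guards its call with `API_EXISTS(ENGINE_load_private_key)` but then passes `ENGINE_load_public_key` to `LoadKeyFromEngine`, so the symbol that is actually called is never checked. Both loaders become `LIGHTUP_FUNCTION` entries in opensslshim.h in the same patch, so on a library that lacks only the public-key loader `load_func` would be a null pointer at the call; the guard should read `if (API_EXISTS(ENGINE_load_public_key))`. Both exported functions also write `*haveEngine = 0;` directly after `(void)haveEngine;` with no null check, while only the static helper asserts it, so the header comment should state that `haveEngine` must be non-NULL. Since this file is a carried copy of an upstream change, the correction is best taken from upstream rather than edited locally.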
@@ -1,24 +0,0 @@
-diff --git dotnet/src/runtime/eng/native/configurecompiler.cmake dotnet/src/runtime/eng/native/configurecompiler.cmake
-index d54d9b6803b..9438cb5af7e 100644
---- dotnet/src/runtime/eng/native/configurecompiler.cmake
-+++ dotnet/src/runtime/eng/native/configurecompiler.cmake
-@@ -574,6 +574,7 @@ if (CLR_CMAKE_HOST_UNIX OR CLR_CMAKE_HOST_WASI)
- add_compile_options(-Wno-unused-function)
- add_compile_options(-Wno-tautological-compare)
- add_compile_options(-Wno-unknown-pragmas)
-+ add_compile_options(-Wno-c++-compat)
-
- # Explicitly enabled warnings
- check_c_compiler_flag(-Wimplicit-fallthrough COMPILER_SUPPORTS_W_IMPLICIT_FALLTHROUGH)
-diff --git dotnet/src/runtime/src/coreclr/pal/prebuilt/inc/cordebug.h dotnet/src/runtime/src/coreclr/pal/prebuilt/inc/cordebug.h
-index 78b86c69ee9..1672d602d99 100644
---- dotnet/src/runtime/src/coreclr/pal/prebuilt/inc/cordebug.h
-+++ dotnet/src/runtime/src/coreclr/pal/prebuilt/inc/cordebug.h
-@@ -10036,6 +10036,7 @@ EXTERN_C const IID IID_ICorDebugRegisterSet2;
- typedef
- enum CorDebugUserState
- {
-+ CORDEBUG_INVALID = -1,
- USER_STOP_REQUESTED = 0x1,
- USER_SUSPEND_REQUESTED = 0x2,
- USER_BACKGROUND = 0x4,
diff --git a/runtime-clang-20-support.patch b/runtime-clang-20-support.patch
deleted file mode 100644
index bffcf79..0000000
--- a/runtime-clang-20-support.patch
+++ /dev/null
@@ -1,22 +0,0 @@
---- a/eng/common/native/init-compiler.sh
-+++ b/eng/common/native/init-compiler.sh
-@@ -63,7 +63,7 @@
- # Set default versions
- if [ -z "$majorVersion" ]; then
- # note: gcc (all versions) and clang versions higher than 6 do not have minor version in file name, if it is zero.
-- if [ "$compiler" = "clang" ]; then versions="18 17 16 15 14 13 12 11 10 9 8 7 6.0 5.0 4.0 3.9 3.8 3.7 3.6 3.5"
-+ if [ "$compiler" = "clang" ]; then versions="20 19 18 17 16 15 14 13 12 11 10 9 8 7 6.0 5.0 4.0 3.9 3.8 3.7 3.6 3.5"
- elif [ "$compiler" = "gcc" ]; then versions="13 12 11 10 9 8 7 6 5 4.9"; fi
-
- for version in $versions; do
---- a/src/runtime/eng/common/native/init-compiler.sh
-+++ b/src/runtime/eng/common/native/init-compiler.sh
-@@ -63,7 +63,7 @@
- # Set default versions
- if [ -z "$majorVersion" ]; then
- # note: gcc (all versions) and clang versions higher than 6 do not have minor version in file name, if it is zero.
-- if [ "$compiler" = "clang" ]; then versions="18 17 16 15 14 13 12 11 10 9 8 7 6.0 5.0 4.0 3.9 3.8 3.7 3.6 3.5"
-+ if [ "$compiler" = "clang" ]; then versions="20 19 18 17 16 15 14 13 12 11 10 9 8 7 6.0 5.0 4.0 3.9 3.8 3.7 3.6 3.5"
- elif [ "$compiler" = "gcc" ]; then versions="13 12 11 10 9 8 7 6 5 4.9"; fi
-
- for version in $versions; do
diff --git a/runtime-openssl-sha1.patch b/runtime-openssl-sha1.patch
deleted file mode 100644
index 6e307ef..0000000
--- a/runtime-openssl-sha1.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
-From: Tom Deseyn
-Date: Wed, 28 Feb 2024 14:08:15 +0100
-Subject: [PATCH] Allow certificate validation with SHA-1 signatures.
-
-RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
-validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
-with a chain where the last certificate uses a SHA-1 signature.
-
-This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
-OpenSSL behavior for certificate validation.
----
- .../libs/System.Security.Cryptography.Native/pal_x509.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
-index 04c6ba06cd..2cd3413dae 100644
---- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
-+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
-@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5
-
- int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
-
-- if (val != 0)
-- {
-- X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
-- }
--
- return val;
- }
-
---
-2.43.2
-
diff --git a/sources b/sources
index c823863..5ffd64a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@ -SHA512 (dotnet-8.0.123.tar.gz) = 650372d872a91945b5b1f45a72a0fad97a068eec66add2278ae2cfe1196ca109e1c5d02eab389a28790b38f7dcee4731c165fade6c93849c4551b0b40055618c -SHA512 (dotnet-8.0.123.tar.gz.sig) = d5e88940fb4768674629b5b8fd321cee0432331da72397b226069320312b69deb9b06663f443fd2509e9a983a8360e64ee6e08d20008c48c77bb9ae35044b318 +SHA512 (dotnet-8.0.7.tar.gz) = 8fe67e9d5ebd79b82c3d99059bed8c933cea1802a622250f8dede24a9ed815c6764509b3f683187998e9ad1cd12699f28f4438d13eead2b744ea8e1751690198 +SHA512 (dotnet-8.0.7.tar.gz.sig) = 0c3327ac975b7540c74085a4716d47f171f19a7ceb8aff4d8b162c1e967259288dede73160064305afebbd01b15ea581d9dd65a779e9b995b201e07d6bd3109c diff --git a/tests/ci.fmf b/tests/ci.fmf index 44ebb2c..16657b9 100644 --- a/tests/ci.fmf +++ b/tests/ci.fmf @@ -1,9 +1,7 @@ summary: Basic smoke test provision: - hardware: - disk: - - size: ">= 20 GiB" - memory: ">= 5120 MiB" + disk: 20 + memory: 5120 prepare: how: install package: @@ -41,7 +39,3 @@ execute: - dotnet turkey/Turkey.dll --version - git clone "https://github.com/redhat-developer/dotnet-regular-tests.git" - dotnet turkey/Turkey.dll -l="$TMT_TEST_DATA" dotnet-regular-tests --timeout=1200 - - dnf remove -yq 'dotnet*' - - set -x; if command -v dotnet ; then exit 1; fi - - set -x; if [ -d /usr/lib64/dotnet ]; then exit 1; fi - - set -x; if man dotnet; then exit 1; fi diff --git a/update-release b/update-release index 36454b6..78d84ee 100755 --- a/update-release +++ b/update-release @@ -104,7 +104,7 @@ else cp -a "${user_provided_tarball_name}" "dotnet-${tag}.tar.gz" cp -a "${release_json}" release.json else - rm -f release.json + rm release.json spectool -g "$spec_file" fi fi
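Review bot: In the update-release hunk, `rm release.json` fails when the file is absent, where the replaced `rm -f release.json` did not. The top of the script is outside this hunk, so whether it runs under `set -e` is not visible here; if it does, a run in a checkout without release.json stops before `spectool -g "$spec_file"` is reached. Unless that failure is wanted as a signal, keep `rm -f release.json`.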