diff --git a/.gitignore b/.gitignore
index 20b3ba1..373b232 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,3 +44,33 @@
 /dotnet-8.0.5.tar.gz.sig
 /dotnet-8.0.7.tar.gz
 /dotnet-8.0.7.tar.gz.sig
+/dotnet-8.0.8.tar.gz
+/dotnet-8.0.8.tar.gz.sig
+/dotnet-8.0.10.tar.gz
+/dotnet-8.0.10.tar.gz.sig
+/dotnet-8.0.11.tar.gz
+/dotnet-8.0.11.tar.gz.sig
+/dotnet-8.0.12.tar.gz
+/dotnet-8.0.12.tar.gz.sig
+/dotnet-8.0.13.tar.gz
+/dotnet-8.0.13.tar.gz.sig
+/dotnet-8.0.14.tar.gz
+/dotnet-8.0.14.tar.gz.sig
+/dotnet-8.0.15.tar.gz
+/dotnet-8.0.15.tar.gz.sig
+/dotnet-8.0.16.tar.gz
+/dotnet-8.0.16.tar.gz.sig
+/dotnet-8.0.17.tar.gz
+/dotnet-8.0.17.tar.gz.sig
+/dotnet-8.0.18.tar.gz
+/dotnet-8.0.18.tar.gz.sig
+/dotnet-8.0.119.tar.gz
+/dotnet-8.0.119.tar.gz.sig
+/dotnet-8.0.120.tar.gz
+/dotnet-8.0.120.tar.gz.sig
+/dotnet-8.0.121.tar.gz
+/dotnet-8.0.121.tar.gz.sig
+/dotnet-8.0.122.tar.gz
+/dotnet-8.0.122.tar.gz.sig
+/dotnet-8.0.123.tar.gz
+/dotnet-8.0.123.tar.gz.sig
diff --git a/dotnet8.0.spec b/dotnet8.0.spec
index c87496f..6cc1b3a 100644
--- a/dotnet8.0.spec
+++ b/dotnet8.0.spec
@@ -8,16 +8,20 @@ %global dotnetver 8.0 -%global host_version 8.0.7 -%global runtime_version 8.0.7 +# Only the package for the latest dotnet version should provide RPMs like +# dotnet-host and netstandard-targeting-pack-2.1 +%global is_latest_dotnet 0 + +%global host_version 8.0.23 +%global runtime_version 8.0.23 %global aspnetcore_runtime_version %{runtime_version} -%global sdk_version 8.0.107 +%global sdk_version 8.0.123 %global sdk_feature_band_version %(echo %{sdk_version} | cut -d '-' -f 1 | sed -e 's|[[:digit:]][[:digit:]]$|00|') %global templates_version %{runtime_version} #%%global templates_version %%(echo %%{runtime_version} | awk 'BEGIN { FS="."; OFS="." } {print $1, $2, $3+1 }') # upstream can produce releases with a different tag than the SDK version -%global upstream_tag v%{runtime_version} +%global upstream_tag v%{sdk_version} %global upstream_tag_without_v %(echo %{upstream_tag} | sed -e 's|^v||') %global host_rpm_version %{host_version} @@ -25,15 +29,7 @@ %global aspnetcore_runtime_rpm_version %{aspnetcore_runtime_version} %global sdk_rpm_version %{sdk_version} -%if 0%{?fedora} || 0%{?rhel} < 8 -%global use_bundled_libunwind 0 -%else %global use_bundled_libunwind 1 -%endif - -%ifarch aarch64 ppc64le s390x -%global use_bundled_libunwind 1 -%endif %ifarch aarch64 %global runtime_arch arm64 
@@ -92,14 +88,25 @@ Patch2: vstest-intent-net8.0.patch Patch3: runtime-re-enable-implicit-rejection.patch # https://github.com/dotnet/msbuild/pull/9449 Patch4: msbuild-9449-exec-stop-setting-a-locale.patch -# https://github.com/dotnet/runtime/pull/104994 -Patch5: runtime-104994-openssl-engine.patch +# We disable checking the signature of the last certificate in a chain if the certificate is supposedly self-signed. +# A side effect of not checking the self-signature of such a certificate is that disabled or unsupported message +# digests used for the signature are not treated as fatal errors. +# https://issues.redhat.com/browse/RHEL-25254 +Patch5: runtime-openssl-sha1.patch +# https://github.com/dotnet/runtime/issues/119706#issuecomment-3292624673 +Patch6: runtime-119706-clang-21.patch +# TODO send upstream +Patch7: runtime-clang-20-support.patch ExclusiveArch: aarch64 ppc64le s390x x86_64 +%if 0%{?fedora} >= 43 +BuildRequires: clang20 +%else BuildRequires: clang +%endif BuildRequires: cmake BuildRequires: coreutils %if %{without bootstrap} @@ -389,7 +396,9 @@ applications using the .NET SDK. %dotnet_targeting_pack dotnet-apphost-pack-%{dotnetver} %{runtime_rpm_version} Microsoft.NETCore.App %{dotnetver} Microsoft.NETCore.App.Host.%{runtime_id} %dotnet_targeting_pack dotnet-targeting-pack-%{dotnetver} %{runtime_rpm_version} Microsoft.NETCore.App %{dotnetver} Microsoft.NETCore.App.Ref %dotnet_targeting_pack aspnetcore-targeting-pack-%{dotnetver} %{aspnetcore_runtime_rpm_version} Microsoft.AspNetCore.App %{dotnetver} Microsoft.AspNetCore.App.Ref +%if %{is_latest_dotnet} %dotnet_targeting_pack netstandard-targeting-pack-2.1 %{sdk_rpm_version} NETStandard.Library 2.1 NETStandard.Library.Ref +%endif %package -n dotnet-sdk-%{dotnetver}-source-built-artifacts 
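Review bot: Patch5 is declared without any distribution conditional, so as far as this hunk shows the removal of `X509_V_FLAG_CHECK_SS_SIGNATURE` reaches every build of this spec, while the rationale in the patch header (runtime-openssl-sha1.patch, added later in this commit) is specific to RHEL OpenSSL builds that disable SHA-1 signatures. With the flag gone the self-signature of the last certificate in a chain is not verified, so the comment should state the resulting trade-off as well as the side effect, for example `# Trade-off: a self-signed root is trusted because it is in the trust store; its own signature is not checked.` If the workaround is only needed on RHEL, consider applying the patch under `%if 0%{?rhel}`; how patches are applied in %prep is outside this hunk, so confirm that a conditional is workable there.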
@@ -525,6 +534,14 @@ CXXFLAGS=$(echo $CXXFLAGS | sed -e 's/ -march=z13//') CXXFLAGS=$(echo $CXXFLAGS | sed -e 's/ -mtune=z14//') %endif +%if 0%{?rhel} >= 10 +# Workaround for https://github.com/dotnet/runtime/issues/109611 +# FIXME: Remove this, and replace with upstream fix +CFLAGS=$(echo $CFLAGS | sed -e 's/-march=x86-64-v3 //') +CXXFLAGS=$(echo $CXXFLAGS | sed -e 's/-march=x86-64-v3 //') +LDFLAGS=$(echo $LDFLAGS | sed -e 's/-march=x86-64-v3 //') +%endif + export EXTRA_CFLAGS="$CFLAGS" export EXTRA_CXXFLAGS="$CXXFLAGS" export EXTRA_LDFLAGS="$LDFLAGS" @@ -534,7 +551,28 @@ export EXTRA_LDFLAGS="$LDFLAGS" # suggested compile-time change doesn't work, unfortunately. export COMPlus_LTTng=0 -VERBOSE=1 timeout 5h \ +%ifarch ppc64le s390x +max_attempts=3 +%else +max_attempts=1 +%endif + +function retry_until_success { + local exit_code=1 + local tries=$1 + shift + set +e + while [[ $exit_code != 0 ]] && [[ $tries != 0 ]]; do + (( tries = tries - 1 )) + "$@" + exit_code=$? + done + set -e + return $exit_code +} + +VERBOSE=1 retry_until_success $max_attempts \ + timeout 5h \ ./build.sh \ %if %{without bootstrap} --with-sdk previously-built-dotnet \ @@ -596,6 +634,7 @@ find %{buildroot}%{_libdir}/dotnet/ -type f -name '*.targets' -exec chmod -x {} find %{buildroot}%{_libdir}/dotnet/ -type f -name '*.txt' -exec chmod -x {} \; find %{buildroot}%{_libdir}/dotnet/ -type f -name '*.xml' -exec chmod -x {} \; +%if %{is_latest_dotnet} install -dm 0755 %{buildroot}%{_sysconfdir}/profile.d/ install dotnet.sh %{buildroot}%{_sysconfdir}/profile.d/ 
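Review bot: The three added `sed -e 's/-march=x86-64-v3 //'` expressions match only when the flag is followed by a space, so a `-march=x86-64-v3` that is the last word of CFLAGS, CXXFLAGS or LDFLAGS is left in place; the s390x lines just above anchor on the leading space instead (`' -march=z13'`). Matching both positions, e.g. `sed -E 's/(^| )-march=x86-64-v3( |$)/ /'`, makes the workaround independent of flag order. The block also runs on every architecture for RHEL 10 and later, which looks harmless but could be narrowed with `%ifarch x86_64`.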
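Review bot: `retry_until_success` re-runs `./build.sh` in the same tree after a failure and records nothing about it, so on ppc64le and s390x a build that needed three attempts is indistinguishable in the log from one that passed first time, and a later attempt may reuse partial output from the failed one. Log every failed attempt, e.g. add `echo "build attempt failed with exit code $exit_code, $tries attempts left" >&2` after `exit_code=$?`, so flaky builds stay visible to anyone auditing the build log. The function also ends with an unconditional `set -e`, which is right only as long as %build itself runs with errexit; a one-line comment saying so would help. The `./build.sh` argument list continues outside the hunk.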
@@ -620,6 +659,7 @@ echo "%{_libdir}/dotnet" >> install_location install install_location %{buildroot}%{_sysconfdir}/dotnet/ echo "%{_libdir}/dotnet" >> install_location_%{runtime_arch} install install_location_%{runtime_arch} %{buildroot}%{_sysconfdir}/dotnet/ +%endif install -dm 0755 %{buildroot}%{_libdir}/dotnet/source-built-artifacts install -m 0644 artifacts/%{runtime_arch}/Release/Private.SourceBuilt.Artifacts.*.tar.gz %{buildroot}/%{_libdir}/dotnet/source-built-artifacts/ @@ -645,6 +685,22 @@ find %{buildroot}%{_libdir}/dotnet/sdk -type d | tail -n +2 | sed -E 's|%{buildr find %{buildroot}%{_libdir}/dotnet/sdk -type f -and -not -name '*.pdb' | sed -E 's|%{buildroot}||' >> dotnet-sdk-non-dbg-files find %{buildroot}%{_libdir}/dotnet/sdk -type f -name '*.pdb' | sed -E 's|%{buildroot}||' > dotnet-sdk-dbg-files +%if %{is_latest_dotnet} == 0 +# If this is an older version, self-test now, before we delete files. After we +# delete files, we will not have everything we need to self-test in %%check. +%{buildroot}%{_libdir}/dotnet/dotnet --info +%{buildroot}%{_libdir}/dotnet/dotnet --version + +# Provided by dotnet-host from another SRPM +rm %{buildroot}%{_libdir}/dotnet/LICENSE.txt +rm %{buildroot}%{_libdir}/dotnet/ThirdPartyNotices.txt +rm %{buildroot}%{_libdir}/dotnet/dotnet +# Provided by netstandard-targeting-pack-2.1 from another SRPM +rm -rf %{buildroot}%{_libdir}/dotnet/packs/NETStandard.Library.Ref/2.1.0 +rm %{buildroot}%{_rpmmacrodir}/macros.dotnet +%endif + + %check %if 0%{?fedora} > 35 @@ -652,8 +708,10 @@ find %{buildroot}%{_libdir}/dotnet/sdk -type f -name '*.pdb' | sed -E 's|%{buil export COMPlus_LTTng=0 %endif +%if %{is_latest_dotnet} %{buildroot}%{_libdir}/dotnet/dotnet --info %{buildroot}%{_libdir}/dotnet/dotnet --version +%endif %if ( 0%{?fedora} && 0%{?fedora} < 38 ) || ( 0%{?rhel} && 0%{?rhel} < 9 ) 
@@ -661,6 +719,7 @@ export COMPlus_LTTng=0 # empty package useful for dependencies %endif +%if %{is_latest_dotnet} %files -n dotnet-host %dir %{_libdir}/dotnet %{_libdir}/dotnet/dotnet @@ -677,6 +736,7 @@ export COMPlus_LTTng=0 %dir %{_datadir}/bash-completion/completions %{_datadir}/bash-completion/completions/dotnet %{_rpmmacrodir}/macros.dotnet +%endif %files -n dotnet-hostfxr-%{dotnetver} %dir %{_libdir}/dotnet/host/fxr 
@@ -719,6 +779,70 @@ export COMPlus_LTTng=0 %changelog +* Tue Jan 13 2026 Omair Majid - 8.0.123-1 +- Update to .NET SDK 8.0.123 and Runtime 8.0.23 + +* Mon Nov 17 2025 Omair Majid - 8.0.122-1 +- Update to .NET SDK 8.0.122 and Runtime 8.0.22 + +* Thu Oct 30 2025 Omair Majid - 8.0.121-1 +- Update to .NET SDK 8.0.121 and Runtime 8.0.21 + +* Tue Oct 28 2025 Omair Majid - 8.0.120-2 +- Don't use clang 21 + +* Wed Sep 10 2025 Omair Majid - 8.0.120-1 +- Update to .NET SDK 8.0.120 and Runtime 8.0.20 + +* Wed Aug 06 2025 Omair Majid - 8.0.119-1 +- Update to .NET SDK 8.0.119 and Runtime 8.0.19 + +* Wed Jul 23 2025 Fedora Release Engineering - 8.0.118-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + +* Tue Jul 08 2025 Omair Majid - 8.0.118-1 +- Update to .NET SDK 8.0.118 and Runtime 8.0.18 + +* Tue Jun 10 2025 Omair Majid - 8.0.117-1 +- Update to .NET SDK 8.0.117 and Runtime 8.0.17 + +* Tue May 13 2025 Omair Majid - 8.0.116-1 +- Update to .NET SDK 8.0.116 and Runtime 8.0.16 + +* Wed Apr 09 2025 Omair Majid - 8.0.115-1 +- Update to .NET SDK 8.0.115 and Runtime 8.0.15 + +* Tue Mar 11 2025 Omair Majid - 8.0.114-1 +- Update to .NET SDK 8.0.114 and Runtime 8.0.14 + +* Mon Feb 17 2025 Omair Majid - 8.0.113-1 +- Update to .NET SDK 8.0.113 and Runtime 8.0.13 + +* Thu Jan 16 2025 Omair Majid - 8.0.112-1 +- Update to .NET SDK 8.0.112 and Runtime 8.0.12 + +* Thu Jan 16 2025 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Tue Dec 10 2024 Omair Majid - 8.0.111-2 +- Fix ELN build +- Resolves: RHBZ#2321109 + +* Mon Nov 18 2024 Omair Majid - 8.0.111-1 +- Update to .NET SDK 8.0.111 and Runtime 8.0.11 + +* Fri Oct 11 2024 Omair Majid - 8.0.110-1 +- Update to .NET SDK 8.0.110 and Runtime 8.0.10 + +* Fri Sep 27 2024 Omair Majid - 8.0.108-2 +- Support building without ENGINE support in OpenSSL + +* Tue Aug 13 2024 Omair Majid - 8.0.108-1 +- Update to .NET SDK 8.0.108 and Runtime 8.0.8 + +* Wed Jul 17 2024 Fedora Release 
Engineering - 8.0.107-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Tue Jul 09 2024 Omair Majid - 8.0.107-1 - Update to .NET SDK 8.0.107 and Runtime 8.0.7 diff --git a/gating.yaml b/gating.yaml index b7ab3d1..6b6a8a9 100644 --- a/gating.yaml +++ b/gating.yaml @@ -20,4 +20,3 @@ product_versions: decision_context: osci_compose_gate rules: - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional} - - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.other-archs.functional} diff --git a/release.json b/release.json index 72a9adc..15390f5 100644 --- a/release.json +++ b/release.json @@ -1,10 +1,10 @@ { - "release": "8.0.7", + "release": "8.0.23", "channel": "8.0", - "tag": "v8.0.7", - "sdkVersion": "8.0.107", - "runtimeVersion": "8.0.7", - "aspNetCoreVersion": "8.0.7", + "tag": "v8.0.123", + "sdkVersion": "8.0.123", + "runtimeVersion": "8.0.23", + "aspNetCoreVersion": "8.0.23", "sourceRepository": "https://github.com/dotnet/dotnet", - "sourceVersion": "8be139ddde52d33e24c7d82f813248ff9fc54b97" + "sourceVersion": "fafff0660ef23ca2ece1444119524a76e0f4d4a4" } diff --git a/runtime-104994-openssl-engine.patch b/runtime-104994-openssl-engine.patch deleted file mode 100644 index 488c93a..0000000 --- a/runtime-104994-openssl-engine.patch +++ /dev/null 
@@ -1,324 +0,0 @@ -From 5eb7fd1d9909c3824caba0bc6a3f376557961aef Mon Sep 17 00:00:00 2001 -From: Kevin Jones -Date: Tue, 16 Jul 2024 16:56:59 -0400 -Subject: [PATCH 1/2] Light up support for OpenSSL ENGINEs only if they are - available. - -Some Linux distributions are phasing out support for OpenSSL 1.x ENGINEs. They are doing this by moving the header, `engine.h`, to a separate package or removing the header entirely. The actual OpenSSL shared libraries still contain the engine APIs. This makes the change an API, not ABI, break. - -We react to this by disabling OpenSSL engine support on non-portable builds that are missing the engine header. Portable builds will continue to probe the loaded OpenSSL library for support, and non-portable builds will only support ENGINEs if the header is present. ---- - .../Interop.EvpPkey.cs | 22 +++++-- - .../src/Resources/Strings.resx | 3 + - .../configure.cmake | 6 ++ - .../opensslshim.h | 36 ++++++++-- - .../pal_crypto_config.h.in | 1 + - .../pal_evp_pkey.c | 65 ++++++++++++++----- - .../pal_evp_pkey.h | 6 +- - 7 files changed, 109 insertions(+), 30 deletions(-) - -diff --git a/src/runtime/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.cs b/src/runtime/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.cs -index 77b80634bd0ce..4e8659b5653b7 100644 ---- a/src/runtime/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.cs -+++ b/src/runtime/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.cs -@@ -217,7 +217,8 @@ internal static ArraySegment RentEncodeSubjectPublicKeyInfo(SafeEvpPKeyHan - [LibraryImport(Libraries.CryptoNative, StringMarshalling = StringMarshalling.Utf8)] - private static partial SafeEvpPKeyHandle CryptoNative_LoadPrivateKeyFromEngine( - string engineName, -- string keyName); -+ string keyName, -+ [MarshalAs(UnmanagedType.Bool)] out bool haveEngine); - - 
internal static SafeEvpPKeyHandle LoadPrivateKeyFromEngine( - string engineName, -@@ -226,7 +227,13 @@ internal static SafeEvpPKeyHandle LoadPrivateKeyFromEngine( - Debug.Assert(engineName is not null); - Debug.Assert(keyName is not null); - -- SafeEvpPKeyHandle pkey = CryptoNative_LoadPrivateKeyFromEngine(engineName, keyName); -+ SafeEvpPKeyHandle pkey = CryptoNative_LoadPrivateKeyFromEngine(engineName, keyName, out bool haveEngine); -+ -+ if (!haveEngine) -+ { -+ pkey.Dispose(); -+ throw new CryptographicException(SR.Cryptography_EnginesNotSupported); -+ } - - if (pkey.IsInvalid) - { -@@ -240,7 +247,8 @@ internal static SafeEvpPKeyHandle LoadPrivateKeyFromEngine( - [LibraryImport(Libraries.CryptoNative, StringMarshalling = StringMarshalling.Utf8)] - private static partial SafeEvpPKeyHandle CryptoNative_LoadPublicKeyFromEngine( - string engineName, -- string keyName); -+ string keyName, -+ [MarshalAs(UnmanagedType.Bool)] out bool haveEngine); - - internal static SafeEvpPKeyHandle LoadPublicKeyFromEngine( - string engineName, -@@ -249,7 +257,13 @@ internal static SafeEvpPKeyHandle LoadPublicKeyFromEngine( - Debug.Assert(engineName is not null); - Debug.Assert(keyName is not null); - -- SafeEvpPKeyHandle pkey = CryptoNative_LoadPublicKeyFromEngine(engineName, keyName); -+ SafeEvpPKeyHandle pkey = CryptoNative_LoadPublicKeyFromEngine(engineName, keyName, out bool haveEngine); -+ -+ if (!haveEngine) -+ { -+ pkey.Dispose(); -+ throw new CryptographicException(SR.Cryptography_EnginesNotSupported); -+ } - - if (pkey.IsInvalid) - { -diff --git a/src/runtime/src/libraries/System.Security.Cryptography/src/Resources/Strings.resx b/src/runtime/src/libraries/System.Security.Cryptography/src/Resources/Strings.resx -index 4bcfdcfd3454f..5cc5cce830a35 100644 ---- a/src/runtime/src/libraries/System.Security.Cryptography/src/Resources/Strings.resx -+++ b/src/runtime/src/libraries/System.Security.Cryptography/src/Resources/Strings.resx -@@ -327,6 +327,9 @@ - - {0} unexpectedly 
produced a ciphertext with the incorrect length. - -+ -+ OpenSSL ENGINE is not available on this platform. -+ - - The total number of bytes extracted cannot exceed UInt32.MaxValue * hash length. - -diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake b/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake -index 74ed49f5d1916..10a6b986268b0 100644 ---- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake -+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake -@@ -1,5 +1,6 @@ - include(CheckLibraryExists) - include(CheckFunctionExists) -+include(CheckSourceCompiles) - - set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR}) - set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY} ${OPENSSL_SSL_LIBRARY}) -@@ -22,6 +23,11 @@ check_function_exists( - HAVE_OPENSSL_SHA3 - ) - -+check_source_compiles(C " -+#include -+int main(void) { ENGINE_init(NULL); return 1; }" -+HAVE_OPENSSL_ENGINE) -+ - configure_file( - ${CMAKE_CURRENT_SOURCE_DIR}/pal_crypto_config.h.in - ${CMAKE_CURRENT_BINARY_DIR}/pal_crypto_config.h) -diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h -index 57ba6a6809649..3d6d77895b64f 100644 ---- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h -+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h -@@ -17,7 +17,6 @@ - #include - #include - #include --#include - #include - #include - #include -@@ -46,6 +45,11 @@ - #include - #endif - -+#if HAVE_OPENSSL_ENGINE -+// Some Linux distributions build without engine support. 
-+#include -+#endif -+ - #if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_1_1_1_RTM - #define HAVE_OPENSSL_SET_CIPHERSUITES 1 - #else -@@ -168,6 +172,24 @@ const EVP_MD *EVP_shake256(void); - int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len); - #endif - -+#if !HAVE_OPENSSL_ENGINE -+#undef HAVE_OPENSSL_ENGINE -+#define HAVE_OPENSSL_ENGINE 1 -+ -+ENGINE *ENGINE_by_id(const char *id); -+int ENGINE_init(ENGINE *e); -+int ENGINE_finish(ENGINE *e); -+ENGINE *ENGINE_new(void); -+int ENGINE_free(ENGINE *e); -+typedef EVP_PKEY *(*ENGINE_LOAD_KEY_PTR)(ENGINE *, const char *, -+ UI_METHOD *ui_method, -+ void *callback_data); -+EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, -+ UI_METHOD *ui_method, void *callback_data); -+EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id, -+ UI_METHOD *ui_method, void *callback_data); -+#endif -+ - #define API_EXISTS(fn) (fn != NULL) - - // List of all functions from the libssl that are used in the System.Security.Cryptography.Native. 
-@@ -298,12 +320,12 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len); - REQUIRED_FUNCTION(EC_POINT_mul) \ - REQUIRED_FUNCTION(EC_POINT_new) \ - REQUIRED_FUNCTION(EC_POINT_set_affine_coordinates_GFp) \ -- REQUIRED_FUNCTION(ENGINE_by_id) \ -- REQUIRED_FUNCTION(ENGINE_finish) \ -- REQUIRED_FUNCTION(ENGINE_free) \ -- REQUIRED_FUNCTION(ENGINE_init) \ -- REQUIRED_FUNCTION(ENGINE_load_public_key) \ -- REQUIRED_FUNCTION(ENGINE_load_private_key) \ -+ LIGHTUP_FUNCTION(ENGINE_by_id) \ -+ LIGHTUP_FUNCTION(ENGINE_finish) \ -+ LIGHTUP_FUNCTION(ENGINE_free) \ -+ LIGHTUP_FUNCTION(ENGINE_init) \ -+ LIGHTUP_FUNCTION(ENGINE_load_public_key) \ -+ LIGHTUP_FUNCTION(ENGINE_load_private_key) \ - REQUIRED_FUNCTION(ERR_clear_error) \ - REQUIRED_FUNCTION(ERR_error_string_n) \ - REQUIRED_FUNCTION(ERR_get_error) \ -diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_crypto_config.h.in b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_crypto_config.h.in -index d7aef5a7d1b67..30d1219eb98b0 100644 ---- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_crypto_config.h.in -+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_crypto_config.h.in -@@ -4,3 +4,4 @@ - #cmakedefine01 HAVE_OPENSSL_ALPN - #cmakedefine01 HAVE_OPENSSL_CHACHA20POLY1305 - #cmakedefine01 HAVE_OPENSSL_SHA3 -+#cmakedefine01 HAVE_OPENSSL_ENGINE -diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.c -index 80183b97a77c9..dea4f277b8969 100644 ---- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.c -+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.c -@@ -511,41 +511,72 @@ int32_t CryptoNative_EncodeSubjectPublicKeyInfo(EVP_PKEY* pkey, uint8_t* buf) - return i2d_PUBKEY(pkey, &buf); - } - -+#if HAVE_OPENSSL_ENGINE - static EVP_PKEY* 
LoadKeyFromEngine( - const char* engineName, - const char* keyName, -- ENGINE_LOAD_KEY_PTR load_func) -+ ENGINE_LOAD_KEY_PTR load_func, -+ int32_t* haveEngine) - { -+ assert(haveEngine); - ERR_clear_error(); - -- EVP_PKEY* ret = NULL; -- ENGINE* engine = NULL; -+ if (API_EXISTS(ENGINE_by_id) && API_EXISTS(ENGINE_init) && API_EXISTS(ENGINE_finish) && API_EXISTS(ENGINE_free)) -+ { -+ *haveEngine = 1; -+ EVP_PKEY* ret = NULL; -+ ENGINE* engine = NULL; - -- // Per https://github.com/openssl/openssl/discussions/21427 -- // using EVP_PKEY after freeing ENGINE is correct. -- engine = ENGINE_by_id(engineName); -+ // Per https://github.com/openssl/openssl/discussions/21427 -+ // using EVP_PKEY after freeing ENGINE is correct. -+ engine = ENGINE_by_id(engineName); - -- if (engine != NULL) -- { -- if (ENGINE_init(engine)) -+ if (engine != NULL) - { -- ret = load_func(engine, keyName, NULL, NULL); -+ if (ENGINE_init(engine)) -+ { -+ ret = load_func(engine, keyName, NULL, NULL); -+ -+ ENGINE_finish(engine); -+ } - -- ENGINE_finish(engine); -+ ENGINE_free(engine); - } - -- ENGINE_free(engine); -+ return ret; - } - -- return ret; -+ *haveEngine = 0; -+ return NULL; - } -+#endif - --EVP_PKEY* CryptoNative_LoadPrivateKeyFromEngine(const char* engineName, const char* keyName) -+EVP_PKEY* CryptoNative_LoadPrivateKeyFromEngine(const char* engineName, const char* keyName, int32_t* haveEngine) - { -- return LoadKeyFromEngine(engineName, keyName, ENGINE_load_private_key); -+#if HAVE_OPENSSL_ENGINE -+ if (API_EXISTS(ENGINE_load_private_key)) -+ { -+ return LoadKeyFromEngine(engineName, keyName, ENGINE_load_private_key, haveEngine); -+ } -+#endif -+ (void)engineName; -+ (void)keyName; -+ (void)haveEngine; -+ *haveEngine = 0; -+ return NULL; - } - --EVP_PKEY* CryptoNative_LoadPublicKeyFromEngine(const char* engineName, const char* keyName) -+EVP_PKEY* CryptoNative_LoadPublicKeyFromEngine(const char* engineName, const char* keyName, int32_t* haveEngine) - { -- return 
LoadKeyFromEngine(engineName, keyName, ENGINE_load_public_key); -+#if HAVE_OPENSSL_ENGINE -+ if (API_EXISTS(ENGINE_load_private_key)) -+ { -+ return LoadKeyFromEngine(engineName, keyName, ENGINE_load_public_key, haveEngine); -+ } -+#endif -+ (void)engineName; -+ (void)keyName; -+ (void)haveEngine; -+ *haveEngine = 0; -+ return NULL; - } -diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.h b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.h -index 64d289dc6f488..e4d5f85d4b9ec 100644 ---- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.h -+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.h -@@ -93,12 +93,14 @@ PALEXPORT int32_t CryptoNative_EncodeSubjectPublicKeyInfo(EVP_PKEY* pkey, uint8_ - Load a named key, via ENGINE_load_private_key, from the named engine. - - Returns a valid EVP_PKEY* on success, NULL on failure. -+haveEngine is 1 if OpenSSL ENGINE's are supported, otherwise 0. - */ --PALEXPORT EVP_PKEY* CryptoNative_LoadPrivateKeyFromEngine(const char* engineName, const char* keyName); -+PALEXPORT EVP_PKEY* CryptoNative_LoadPrivateKeyFromEngine(const char* engineName, const char* keyName, int32_t* haveEngine); - - /* - Load a named key, via ENGINE_load_public_key, from the named engine. - - Returns a valid EVP_PKEY* on success, NULL on failure. -+haveEngine is 1 if OpenSSL ENGINE's are supported, otherwise 0. 
- */ --PALEXPORT EVP_PKEY* CryptoNative_LoadPublicKeyFromEngine(const char* engineName, const char* keyName); -+PALEXPORT EVP_PKEY* CryptoNative_LoadPublicKeyFromEngine(const char* engineName, const char* keyName, int32_t* haveEngine); - -From c81f7a8f5000151edfac9f9d891121a01a64f1ba Mon Sep 17 00:00:00 2001 -From: Kevin Jones -Date: Wed, 17 Jul 2024 07:47:53 -0400 -Subject: [PATCH 2/2] Fix detection of ENGINE APIs with OpenSSL 3 - ---- - .../libs/System.Security.Cryptography.Native/configure.cmake | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake b/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake -index 10a6b986268b0..4a70e70899c5e 100644 ---- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake -+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/configure.cmake -@@ -4,6 +4,7 @@ include(CheckSourceCompiles) - - set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR}) - set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY} ${OPENSSL_SSL_LIBRARY}) -+set(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L) - - check_function_exists( - EC_GF2m_simple_method diff --git a/runtime-119706-clang-21.patch b/runtime-119706-clang-21.patch new file mode 100644 index 0000000..9d97b4a --- /dev/null +++ b/runtime-119706-clang-21.patch 
@@ -0,0 +1,24 @@
+diff --git dotnet/src/runtime/eng/native/configurecompiler.cmake dotnet/src/runtime/eng/native/configurecompiler.cmake
+index d54d9b6803b..9438cb5af7e 100644
+--- dotnet/src/runtime/eng/native/configurecompiler.cmake
++++ dotnet/src/runtime/eng/native/configurecompiler.cmake
+@@ -574,6 +574,7 @@ if (CLR_CMAKE_HOST_UNIX OR CLR_CMAKE_HOST_WASI)
+ add_compile_options(-Wno-unused-function)
+ add_compile_options(-Wno-tautological-compare)
+ add_compile_options(-Wno-unknown-pragmas)
++ add_compile_options(-Wno-c++-compat)
+
+ # Explicitly enabled warnings
+ check_c_compiler_flag(-Wimplicit-fallthrough COMPILER_SUPPORTS_W_IMPLICIT_FALLTHROUGH)
+diff --git dotnet/src/runtime/src/coreclr/pal/prebuilt/inc/cordebug.h dotnet/src/runtime/src/coreclr/pal/prebuilt/inc/cordebug.h
+index 78b86c69ee9..1672d602d99 100644
+--- dotnet/src/runtime/src/coreclr/pal/prebuilt/inc/cordebug.h
++++ dotnet/src/runtime/src/coreclr/pal/prebuilt/inc/cordebug.h
+@@ -10036,6 +10036,7 @@ EXTERN_C const IID IID_ICorDebugRegisterSet2;
+ typedef
+ enum CorDebugUserState
+ {
++ CORDEBUG_INVALID = -1,
+ USER_STOP_REQUESTED = 0x1,
+ USER_SUSPEND_REQUESTED = 0x2,
+ USER_BACKGROUND = 0x4,
diff --git a/runtime-clang-20-support.patch b/runtime-clang-20-support.patch
new file mode 100644
index 0000000..bffcf79
--- /dev/null
+++ b/runtime-clang-20-support.patch
@@ -0,0 +1,22 @@
+--- a/eng/common/native/init-compiler.sh
++++ b/eng/common/native/init-compiler.sh
+@@ -63,7 +63,7 @@
+ # Set default versions
+ if [ -z "$majorVersion" ]; then
+ # note: gcc (all versions) and clang versions higher than 6 do not have minor version in file name, if it is zero.
+- if [ "$compiler" = "clang" ]; then versions="18 17 16 15 14 13 12 11 10 9 8 7 6.0 5.0 4.0 3.9 3.8 3.7 3.6 3.5"
++ if [ "$compiler" = "clang" ]; then versions="20 19 18 17 16 15 14 13 12 11 10 9 8 7 6.0 5.0 4.0 3.9 3.8 3.7 3.6 3.5"
+ elif [ "$compiler" = "gcc" ]; then versions="13 12 11 10 9 8 7 6 5 4.9"; fi
+
+ for version in $versions; do
+--- a/src/runtime/eng/common/native/init-compiler.sh
++++ b/src/runtime/eng/common/native/init-compiler.sh
+@@ -63,7 +63,7 @@
+ # Set default versions
+ if [ -z "$majorVersion" ]; then
+ # note: gcc (all versions) and clang versions higher than 6 do not have minor version in file name, if it is zero.
+- if [ "$compiler" = "clang" ]; then versions="18 17 16 15 14 13 12 11 10 9 8 7 6.0 5.0 4.0 3.9 3.8 3.7 3.6 3.5"
++ if [ "$compiler" = "clang" ]; then versions="20 19 18 17 16 15 14 13 12 11 10 9 8 7 6.0 5.0 4.0 3.9 3.8 3.7 3.6 3.5"
+ elif [ "$compiler" = "gcc" ]; then versions="13 12 11 10 9 8 7 6 5 4.9"; fi
+
+ for version in $versions; do
diff --git a/runtime-openssl-sha1.patch b/runtime-openssl-sha1.patch
new file mode 100644
index 0000000..6e307ef
--- /dev/null
+++ b/runtime-openssl-sha1.patch
@@ -0,0 +1,34 @@
+From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
+From: Tom Deseyn
+Date: Wed, 28 Feb 2024 14:08:15 +0100
+Subject: [PATCH] Allow certificate validation with SHA-1 signatures.
+
+RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
+validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
+with a chain where the last certificate uses a SHA-1 signature.
+
+This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
+OpenSSL behavior for certificate validation.
+---
+ .../libs/System.Security.Cryptography.Native/pal_x509.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+index 04c6ba06cd..2cd3413dae 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5
+
+ int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
+
+- if (val != 0)
+- {
+- X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
+- }
+-
+ return val;
+ }
+
+--
+2.43.2
+
diff --git a/sources b/sources
index 5ffd64a..c823863 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (dotnet-8.0.7.tar.gz) = 8fe67e9d5ebd79b82c3d99059bed8c933cea1802a622250f8dede24a9ed815c6764509b3f683187998e9ad1cd12699f28f4438d13eead2b744ea8e1751690198
-SHA512 (dotnet-8.0.7.tar.gz.sig) = 0c3327ac975b7540c74085a4716d47f171f19a7ceb8aff4d8b162c1e967259288dede73160064305afebbd01b15ea581d9dd65a779e9b995b201e07d6bd3109c
+SHA512 (dotnet-8.0.123.tar.gz) = 650372d872a91945b5b1f45a72a0fad97a068eec66add2278ae2cfe1196ca109e1c5d02eab389a28790b38f7dcee4731c165fade6c93849c4551b0b40055618c
+SHA512 (dotnet-8.0.123.tar.gz.sig) = d5e88940fb4768674629b5b8fd321cee0432331da72397b226069320312b69deb9b06663f443fd2509e9a983a8360e64ee6e08d20008c48c77bb9ae35044b318
diff --git a/tests/ci.fmf b/tests/ci.fmf
index 16657b9..44ebb2c 100644
--- a/tests/ci.fmf
+++ b/tests/ci.fmf
@@ -1,7 +1,9 @@
 summary: Basic smoke test
 provision:
- disk: 20
- memory: 5120
+ hardware:
+ disk:
+ - size: ">= 20 GiB"
+ memory: ">= 5120 MiB"
 prepare:
 how: install
 package:
@@ -39,3 +41,7 @@ execute:
 - dotnet turkey/Turkey.dll --version
 - git clone "https://github.com/redhat-developer/dotnet-regular-tests.git"
 - dotnet turkey/Turkey.dll -l="$TMT_TEST_DATA" dotnet-regular-tests --timeout=1200
+ - dnf remove -yq 'dotnet*'
+ - set -x; if command -v dotnet ; then exit 1; fi
+ - set -x; if [ -d /usr/lib64/dotnet ]; then exit 1; fi
+ - set -x; if man dotnet; then exit 1; fi
diff --git a/update-release b/update-release
index 78d84ee..36454b6 100755
--- a/update-release
+++ b/update-release
@@ -104,7 +104,7 @@ else
 cp -a "${user_provided_tarball_name}" "dotnet-${tag}.tar.gz"
 cp -a "${release_json}" release.json
 else
- rm release.json
+ rm -f release.json
 spectool -g "$spec_file"
 fi
 fi