tools/MINGW-packages: openssl fix for DST Root CA X3 Expiry

This works for anything that links against mingw64-openssl (Natron), but not for msys2-openssl, so we need to add a workaround in .curlrc for pacman to work.
NatronGitHub · Oct 9, 2021 · 8e75fd9 · 8e75fd9
1 parent 55d1b10
commit 8e75fd9
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/tools/MINGW-packages/README.md b/tools/MINGW-packages/README.md
@@ -16,6 +16,7 @@ Start ``C:\msys64-20180531\mingw64.exe``, then run the following commands:
 	$ sed -i 's/SigLevel    = Required DatabaseOptional/SigLevel = Never/' /etc/pacman.conf
 	$ echo "Server = https://downloads.sourceforge.net/project/natron/MINGW-packages/mingw64" > /etc/pacman.d/mirrorlist.mingw64
 	$ echo "Server = https://downloads.sourceforge.net/project/natron/MINGW-packages/msys" > /etc/pacman.d/mirrorlist.msys
+	$ echo insecure > ~/.curlrc
 	$ pacman -Syu natron-sdk
 
 This will install everything required to build/package Natron and the plug-ins. If some packages fail to download re-run the last command.

diff --git a/tools/MINGW-packages/mingw-w64-openssl10/PKGBUILD b/tools/MINGW-packages/mingw-w64-openssl10/PKGBUILD
@@ -6,7 +6,7 @@ pkgname=("${MINGW_PACKAGE_PREFIX}-${_realname}")
 _ver=1.0.2u
 # use a pacman compatible version scheme
 pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
-pkgrel=2
+pkgrel=3
 arch=('any')
 pkgdesc="The Open Source toolkit for Secure Sockets Layer and Transport Layer Security (mingw-w64)"
 depends=("${MINGW_PACKAGE_PREFIX}-ca-certificates" "${MINGW_PACKAGE_PREFIX}-gcc-libs" "${MINGW_PACKAGE_PREFIX}-zlib")
@@ -15,18 +15,20 @@ options=('strip' '!buildflags' 'staticlibs')
 license=('BSD')
 url="https://www.openssl.org"
 noextract=(${_realname}-${_ver}.tar.gz)
-source=(https://www.openssl.org/source/${_realname}-${_ver}.tar.gz
+source=(https://www.openssl.org/source/old/${_realname}-${_ver}.tar.gz
         'openssl-1.0.0a-ldflags.patch'
         'openssl-1.0.2a-parallel-build.patch'
         'openssl-1.0.1-x32.patch'
         'openssl-0.9.6-x509.patch'
-        'openssl-1.0.1i-relocation.patch')
+        'openssl-1.0.1i-relocation.patch'
+        'openssl-1.0.2u-trusted.diff')
 sha256sums=('ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16'
             '164aa4928b022cc716fac545b4fd69899cb274682aa487100e595abb652adbae'
             '609d7ca040f7ab26f5e9844e486b3bcc04f3da656ce2db7733fbd65c6d10457a'
             'f913185a36538315de3ff122ef96fc9a49e068078e65895cfc950bdb4ac4e4f0'
             'e8ed15b50f749064e89f26d49b7fd85b3f95e5dde22e430c0f6181e5b07146c7'
-            'f8e6233fa4c289fb125586bf3f30cd617923f6be0c6fe8a3289aa3fac7d7e814')
+            'f8e6233fa4c289fb125586bf3f30cd617923f6be0c6fe8a3289aa3fac7d7e814'
+            'e58277b15fc972bbe1a1e26348a4e198a0f17e093940f4ccd185ff4e85ac5095')
 
 prepare() {
   # Clean up old sources so re-patching doesn't fail.
@@ -39,6 +41,7 @@ prepare() {
   patch -p1 -i ${srcdir}/openssl-1.0.1-x32.patch
   patch -p1 -i ${srcdir}/openssl-0.9.6-x509.patch
   #patch -p1 -i ${srcdir}/openssl-1.0.1i-relocation.patch
+  patch -p0 -i ${srcdir}/openssl-1.0.2u-trusted.diff
 
 }
 

diff --git a/tools/MINGW-packages/mingw-w64-openssl10/openssl-1.0.2u-trusted.diff b/tools/MINGW-packages/mingw-w64-openssl10/openssl-1.0.2u-trusted.diff
@@ -0,0 +1,11 @@
+--- crypto/x509/x509_vfy.c.orig	2021-10-09 19:28:59.204235900 +0200
++++ crypto/x509/x509_vfy.c	2021-10-09 19:30:25.248722900 +0200
+@@ -256,7 +256,7 @@
+         /*
+          * If asked see if we can find issuer in trusted store first
+          */
+-        if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
++        if (X509_V_FLAG_TRUSTED_FIRST) {
+             ok = ctx->get_issuer(&xtmp, ctx, x);
+             if (ok < 0) {
+                 ctx->error = X509_V_ERR_STORE_LOOKUP;