Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fedora 41 #122

Closed
wants to merge 6 commits into from
Closed

Fedora 41 #122

wants to merge 6 commits into from

Conversation

afreof
Copy link
Contributor

@afreof afreof commented Aug 9, 2024

The default security policy of Fedora 41 is going to block SHA-1. This pull request adds support to the tests.

Fixes: https://bugzilla-attachments.redhat.com/attachment.cgi?id=2042901

@afreof
Copy link
Contributor Author

afreof commented Aug 10, 2024

The package is now in Fedrora Rawhide and #67 is solved.

Would it be possible to create a new release?

@afreof
Copy link
Contributor Author

afreof commented Aug 27, 2024

gentle ping

Signed-off-by: Adrian Freihofer <adrian.freihofer@gmail.com>
Add missing -propquery '?provider=tpm2' to fix the tests e.g. on Fedora
40.

Signed-off-by: Adrian Freihofer <adrian.freihofer@gmail.com>
Some distributions (Fedora 41) are starting to block sha1 hashes. This
prevents this test case. Let's use sha256, which is more future-proof
and should currently be supported by all distributions.

Removing the following 2 lines from
/etc/crypto-policies/back-ends/opensslcnf.config
  [evp_properties]
  rh-allow-sha1-signatures = no
allows to run the tests successfully also with sha1.

Signed-off-by: Adrian Freihofer <adrian.freihofer@gmail.com>
Some distributions (Fedora 41) are starting to block sha1 hashes. This
prevents some test cases.

The change is documented: https://fedoraproject.org/wiki/SHA1SignaturesGuidance.
However, there is no API provided by openssl to detect if sha1 is
supported or not. As a workaraound a scripts gets added which does that
by singing and verifying some dummy data.

Disabling sha1 by default was introduced to Fedora 41 by this commit:
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/035c735a8310af5e3999c327d96ad5e354837250

Removing the following 2 lines from
/etc/crypto-policies/back-ends/opensslcnf.config
  [evp_properties]
  rh-allow-sha1-signatures = no
allows to run the tests successfully also with sha1. The test log also
shows that with sha1 supported the tests are executed and without sha1
support the tests are skipped for HASH=sha1.

Signed-off-by: Adrian Freihofer <adrian.freihofer@gmail.com>
@afreof afreof force-pushed the fedora-41 branch 2 times, most recently from 9b1d3eb to 2148047 Compare September 22, 2024 16:07
Tested on Fedora 40 host with:
TEST_CONTAINER=ubuntu-2404
podman build -f "test/Containerfiles/Containerfile.$TEST_CONTAINER" \
  --tag "tpm2-openssl-build-$TEST_CONTAINER"
podman run -it --name tpm2-openssl-1 -v "$(pwd):/build:Z" --rm --userns=keep-id \
  "localhost/tpm2-openssl-build-$TEST_CONTAINER" /bin/bash

ubuntu@21852768f015:/$ /build/test/run-with-simulator

Signed-off-by: Adrian Freihofer <adrian.freihofer@gmail.com>
Error: This request has been automatically failed because it uses a
deprecated version of `actions/upload-artifact: v2`. Learn more:
https://github.blog/changelog/2024-02-13-deprecation-notice-v1-and-v2-of-the-artifact-actions/

Signed-off-by: Adrian Freihofer <adrian.freihofer@gmail.com>
@gotthardp
Copy link
Contributor

@afreof sorry for the delay. I cherry-picked some of the commits and rewrote few other commits. I'd refrain from making too big and too messy changes just because of Fedora. But I tried to cover all your modifications. Could you please check that everything is OK?

@afreof
Copy link
Contributor Author

afreof commented Oct 7, 2024

Looks good. I quickly tested it in a Fedora 41 container.

Would it be possible to create a new release? Packaging software built with autotools is much simpler if the tar is available for download.

I am glad that you are actively maintaining the project again. Thank you!

I'm closing this MR now.

@afreof afreof closed this Oct 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants