Skip to content

Commit

Permalink
Merge branch 'fasttrack/2.0' into sumsharma/2-0_gh_cve_2024_45338
Browse files Browse the repository at this point in the history
  • Loading branch information
jslobodzian authored Jan 9, 2025
2 parents 82bec71 + 7b739b6 commit 8754f13
Show file tree
Hide file tree
Showing 42 changed files with 1,040 additions and 110 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/check-entangled-specs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,10 @@ jobs:
uses: actions/checkout@v4

# For consistency, we use the same major/minor version of Python that CBL-Mariner ships
- name: Setup Python 3.7
- name: Setup Python 3.9
uses: actions/setup-python@v4
with:
python-version: 3.7
python-version: 3.9

- name: Get Python dependencies
run: python3 -m pip install -r toolkit/scripts/requirements.txt
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/lint-specs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -62,10 +62,10 @@ jobs:
path: 'spec-cleaner'

# For consistency, we use the same major/minor version of Python that CBL-Mariner ships
- name: Setup Python 3.7
- name: Setup Python 3.9
uses: actions/setup-python@v4
with:
python-version: 3.7
python-version: 3.9

# We take our version of the linting tool from the master branch to ensure rules
# are consistent across all branches
Expand Down
48 changes: 42 additions & 6 deletions .pipelines/prchecks/PackageBuildPRCheck.yml
Original file line number Diff line number Diff line change
Expand Up @@ -80,9 +80,11 @@ extends:
# GCC fails to build as a regular package.
ignoredSpecs: ["gcc"]

- script: echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)"
- script: |
echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)"
echo "##vso[task.setvariable variable=toolchainTarballName;isOutput=true]toolchain_built_rpms_all.tar.gz"
name: "ToolchainArtifactName"
displayName: "Set variable for published artifact name"
displayName: "Set variables for published toolchain tarball"
# 1. Automatic publishing won't work if 'isCustom: true' is set on the pool. We cannot do 'isCustom: false' because
# then OneBranch attempts to perform additional actions (adding build tags for instance), which require additional permissions
Expand All @@ -104,24 +106,38 @@ extends:
isCustom: true
name: ${{ configuration.agentPool }}
variables:
inputArtifactsLocation: $(Agent.TempDirectory)
ob_artifactBaseName: $(rpmsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt)
ob_outputDirectory: $(Build.ArtifactStagingDirectory)
outputRPMsTarballName: "rpms.tar.gz"
toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ]
toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ]
steps:
- task: DownloadPipelineArtifact@2
displayName: "Download toolchain"
inputs:
artifact: $(toolchainArtifactName)
patterns: "**/$(toolchainTarballName)"
targetPath: $(inputArtifactsLocation)

- template: .pipelines/templates/PackageBuild.yml@self
parameters:
checkBuildRetries: "1"
customToolchainArtifactName: $(toolchainArtifactName)
customToolchainTarballName: $(toolchainTarballName)
inputArtifactsFolder: $(inputArtifactsLocation)
isCheckBuild: true
isQuickRebuildPackages: true
isUseCCache: true
maxCPU: "${{ configuration.maxCPUs }}"
outputArtifactsFolder: $(ob_outputDirectory)
outputRPMsTarballName: $(outputRPMsTarballName)
pipArtifactFeeds: "mariner/Mariner-Pypi-Feed"
selfRepoName: self
testSuiteName: "[${{ configuration.name }}] Package test"

- script: echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)"
- script: |
echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)"
echo "##vso[task.setvariable variable=rpmsTarballName;isOutput=true]$(outputRPMsTarballName)"
name: "RPMsArtifactName"
displayName: "Set variable for published artifact name"
Expand All @@ -142,15 +158,25 @@ extends:
isCustom: true
name: ${{ configuration.agentPool }}
variables:
inputArtifactsLocation: $(Agent.TempDirectory)
ob_artifactBaseName: $(toolchainTestsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt)
ob_outputDirectory: $(Build.ArtifactStagingDirectory)
testListFromToolchain: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['CalculateToolchainPackageRetestList.toolchainPackageRetestList'] ]
toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ]
toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ]
steps:
- task: DownloadPipelineArtifact@2
displayName: "Download toolchain"
inputs:
artifact: $(toolchainArtifactName)
patterns: "**/$(toolchainTarballName)"
targetPath: $(inputArtifactsLocation)

- template: .pipelines/templates/PackageBuild.yml@self
parameters:
checkBuildRetries: "1"
customToolchainArtifactName: $(toolchainArtifactName)
customToolchainTarballName: $(toolchainTarballName)
inputArtifactsFolder: $(inputArtifactsLocation)
isAllowToolchainRebuilds: true
isCheckBuild: true
isQuickRebuildPackages: true
Expand Down Expand Up @@ -179,8 +205,18 @@ extends:
isCustom: true
name: ${{ configuration.agentPool }}
variables:
inputArtifactsLocation: $(Agent.TempDirectory)
rpmsArtifactName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsArtifactName'] ]
rpmsTarballName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsTarballName'] ]
steps:
- task: DownloadPipelineArtifact@2
displayName: "Download RPMs tarball"
inputs:
artifact: $(rpmsArtifactName)
patterns: "**/$(rpmsTarballName)"
targetPath: $(inputArtifactsLocation)

- template: .pipelines/templatesWithCheckout/SodiffCheck.yml@self
parameters:
inputArtifactName: $(rpmsArtifactName)
inputArtifactsFolder: $(inputArtifactsLocation)
inputRPMsTarballName: $(rpmsTarballName)
40 changes: 14 additions & 26 deletions .pipelines/templates/PackageBuild.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,9 @@ parameters:
type: number
default: 12

- name: customToolchainArtifactName
type: string
default: ""

- name: customToolchainTarballName
type: string
default: "toolchain_built_rpms_all.tar.gz"
default: ""

- name: extraPackageRepos
type: string
Expand All @@ -30,12 +26,16 @@ parameters:
type: boolean
default: true

- name: inputCacheArtifacts
- name: inputArtifactsFolder
type: string
default: "$(Agent.TempDirectory)"

- name: inputCacheRPMsTarballs
type: object
default: []
# Sample:
# - name: build-artifacts
# rpmsTarball: cache.tar.gz
# - cache.tar.gz
# - cache2.tar.gz

- name: isAllowToolchainRebuilds
type: string
Expand Down Expand Up @@ -160,15 +160,9 @@ steps:
artifactFeeds: "${{ parameters.pipArtifactFeeds }}"
displayName: "Authenticate to custom pip artifact feeds"

- ${{ if parameters.customToolchainArtifactName }}:
- task: DownloadPipelineArtifact@2
displayName: "Download toolchain"
inputs:
artifact: "${{ parameters.customToolchainArtifactName }}"
patterns: "**/${{ parameters.customToolchainTarballName }}"

- ${{ if parameters.customToolchainTarballName }}:
- script: |
toolchain_archive="$(find "$(Pipeline.Workspace)" -name "${{ parameters.customToolchainTarballName }}" -print -quit)"
toolchain_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.customToolchainTarballName }}" -print -quit)"
if [[ ! -f "$toolchain_archive" ]]; then
echo "ERROR: toolchain archive not found!" >&2
exit 1
Expand All @@ -178,17 +172,11 @@ steps:
sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" toolchain TOOLCHAIN_ARCHIVE="$toolchain_archive"
displayName: "Populate toolchain"
- ${{ each inputCacheArtifact in parameters.inputCacheArtifacts }}:
- task: DownloadPipelineArtifact@2
displayName: "Download input cache RPM from ${{ inputCacheArtifact.name }}"
inputs:
artifact: "${{ inputCacheArtifact.name }}"
patterns: "**/${{ inputCacheArtifact.rpmsTarball }}"

- ${{ each inputCacheRPMsTarball in parameters.inputCacheRPMsTarballs }}:
- script: |
rpms_archive="$(find "$(Pipeline.Workspace)" -name "${{ inputCacheArtifact.rpmsTarball }}" -print -quit)"
rpms_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ inputCacheRPMsTarball }}" -print -quit)"
if [[ ! -f "$rpms_archive" ]]; then
echo "ERROR: cache RPMs archive '${{ inputCacheArtifact.rpmsTarball }}' not found!" >&2
echo "ERROR: cache RPMs archive '${{ inputCacheRPMsTarball }}' not found!" >&2
exit 1
fi
Expand All @@ -200,7 +188,7 @@ steps:
check_build_retries_arg="CHECK_BUILD_RETRIES=${{ parameters.checkBuildRetries }}"
fi
if [[ -n "${{ parameters.customToolchainArtifactName }}" ]]; then
if [[ -n "${{ parameters.customToolchainTarballName }}" ]]; then
toolchain_archive_arg="TOOLCHAIN_ARCHIVE=$(toolchainArchive)"
fi
Expand Down
13 changes: 3 additions & 10 deletions .pipelines/templatesWithCheckout/SodiffCheck.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,9 @@ parameters:
type: string
default: "$(Build.SourcesDirectory)"

- name: inputArtifactName
- name: inputArtifactsFolder
type: string
default: "$(Agent.TempDirectory)"

- name: inputRPMsTarballName
type: string
Expand All @@ -26,19 +27,11 @@ parameters:
default: "$(Agent.TempDirectory)/SourcesWorkspace"

steps:
- task: DownloadPipelineArtifact@2
displayName: "Download sources for signing"
inputs:
artifact: ${{ parameters.inputArtifactName }}
patterns: |
**/${{ parameters.inputRPMsTarballName }}
targetPath: "$(Agent.TempDirectory)"

- script: |
set -e
mkdir -p "${{ parameters.sourcesWorkspace }}"
find "$(Agent.TempDirectory)" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf
find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf
displayName: "Extract sources tarball"
- script: |
Expand Down
1 change: 1 addition & 0 deletions SPECS/ca-certificates/ca-certificates.signatures.json
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
"README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
"bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
"certdata.base.txt": "771a6c9995ea00bb4ce50fd842a252454fe9b26acad8b0568a1055207442db57",
"certdata.distrusted.txt": "93aebf0f1e5253ed91fe269f7128fdb8b20630ef19558f629c79a8b7eb0ba30d",
"certdata.microsoft.txt": "1707ab328312f4ecce167a886e866136b46d7f979a01cc6f9e4afd042174babd",
"certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
"pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",
Expand Down
24 changes: 22 additions & 2 deletions SPECS/ca-certificates/ca-certificates.spec
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@

%define p11_format_base_bundle ca-bundle.trust.base.p11-kit

%define p11_format_distrusted_bundle ca-bundle.trust.distrusted.p11-kit

%define p11_format_microsoft_bundle ca-bundle.trust.microsoft.p11-kit

# List of packages triggering legacy certs generation if 'ca-certificates-legacy'
Expand Down Expand Up @@ -45,7 +47,7 @@ Name: ca-certificates
# When updating, "Epoch, "Version", AND "Release" tags must be updated in the "prebuilt-ca-certificates*" packages as well.
Epoch: 1
Version: 2.0.0
Release: 18%{?dist}
Release: 19%{?dist}
License: MPLv2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Expand All @@ -69,6 +71,8 @@ Source21: certdata.base.txt
Source22: bundle2pem.sh
# The certdata.microsoft.txt is provided by Microsoft's Trusted Root Program.
Source23: certdata.microsoft.txt
# The certdata.distrusted.txt is provided by Microsoft's Trusted Root Program.
Source24: certdata.distrusted.txt

BuildRequires: /bin/ln
BuildRequires: asciidoc
Expand All @@ -91,7 +95,7 @@ Provides: ca-certificates-mozilla = %{version}-%{release}
BuildArch: noarch

%description
The Public Key Inrastructure is used for many security issues in
The Public Key Infrastructure is used for many security issues in
a Linux system. In order for a certificate to be trusted, it must be
signed by a trusted agent called a Certificate Authority (CA).
The certificates loaded by this section are from the list of CAs trusted
Expand Down Expand Up @@ -146,6 +150,7 @@ cp -p %{SOURCE20} .

%convert_certdata %{SOURCE21}
%convert_certdata %{SOURCE23}
%convert_certdata %{SOURCE24}

#manpage
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
Expand Down Expand Up @@ -186,6 +191,9 @@ install -p -m 644 %{SOURCE18} %{buildroot}%{catrustdir}/source/README
# Microsoft certs
%install_bundles %{SOURCE23} %{p11_format_microsoft_bundle}

# Distrusted certs
%install_bundles %{SOURCE24} %{p11_format_distrusted_bundle}

# TODO: consider to dynamically create the update-ca-trust script from within
# this .spec file, in order to have the output file+directory names at once place only.
install -p -m 755 %{SOURCE2} %{buildroot}%{_bindir}/update-ca-trust
Expand Down Expand Up @@ -257,13 +265,16 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
%{_bindir}/bundle2pem.sh %{pkidir}/tls/certs/%{classic_tls_bundle}

%files
%defattr(-,root,root)
# Microsoft certs bundle file with trust
%{_datadir}/pki/ca-trust-source/%{p11_format_microsoft_bundle}

%files base
%defattr(-,root,root)
%{_datadir}/pki/ca-trust-source/%{p11_format_base_bundle}

%files shared
%defattr(-,root,root)
%license LICENSE

# symlinks for old locations
Expand Down Expand Up @@ -307,6 +318,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
%dir %{pkidir}/tls
%dir %{pkidir}/tls/certs

# Distrusted CAs
%{_datadir}/pki/ca-trust-source/%{p11_format_distrusted_bundle}

%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
Expand All @@ -315,15 +329,21 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin

%files tools
%defattr(-,root,root)
# update/extract tool
%{_bindir}/update-ca-trust

%{_mandir}/man8/update-ca-trust.8.gz

%files legacy
%defattr(-,root,root)
%{_bindir}/bundle2pem.sh

%changelog
* Wed Dec 11 2024 Pawel Winogrodzki <[email protected]> - 2.0.0-19
- Update adding Microsoft distrusted CAs.
- Explicitly set default file ownership to root:root.

* Fri Aug 09 2024 CBL-Mariner Servicing Account <[email protected]> - 2.0.0-18
- Updating Microsoft trusted root CAs.

Expand Down
Loading

0 comments on commit 8754f13

Please sign in to comment.