Enable SHA1 signing for CentOS Stream 9 #15289
MichaelSimons left a comment:
Approved with one comment for consideration.
| container: ${{ parameters.centOSStream9Container }} | ||
| bootstrapPrep: false # 🚫 | ||
| enablePoison: false # 🚫 | ||
| enableSha1Signing: true # ✅ |
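Review bot: the new `enableSha1Signing: true` line carries no comment saying what it does or why this leg alone needs it. Since it exists to set OPENSSL_ENABLE_SHA1_SIGNATURES=1 because OpenSSL 3.0 on CentOS Stream 9 rejects SHA1 signatures by default while strong naming still requires SHA1, a one-line YAML comment to that effect, plus a pointer to dotnet/source-build#2907 as the work that lets the override be removed once public signing lands, would save the next reader from having to dig up this PR.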
The convention used has been to specify all parameters in all legs. It was done to make it easier to see the differences between the various legs and to support configuration changes (including duplicating a leg and tweaking it).
This option feels a bit different in that it should only be used on CentOSStream legs but I see value in continuing the current pattern. I don't feel strongly about this though.
If other distros specify enableSha1Signing: false, a reader could infer that Sha1 signing is disabled on those platforms; it's not.
I generally dislike negative variable names but in this case maybe something like overrideDistroDisablingSha1 might be more accurate if we are going to set it to false for other entries in our build matrix?
forceSha1Signing is an option too?
| excludeSdkContentTests: true # ✅ | ||
| excludeOmniSharpTests: true # ✅ | ||
| runOnline: true # ✅ | ||
| buildFromArchive: false # 🚫 |
Would you mind alphabetizing this list? It was at one point and recently got out of order.
The VMR CI build for CentOS Stream 9 is failing with a cryptographic exception:
This is caused by the use of OpenSSL 3.0 in CentOS Stream 9, which has SHA1 disabled by default. Since strong naming is being used in the build, it requires SHA1. Ideally we'd be able to use public signing, which avoids the need for SHA1, but that work is still pending (dotnet/source-build#2907).
This error does not occur in the release/7.0.1xx branch because it's referencing an older version of CentOS Stream 9 that hadn't yet updated to use this version of OpenSSL.
For now, we can explicitly enable SHA1 by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1.

Fixes dotnet/source-build#3202
cc @omajid
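The failure mode and the workaround described in this PR, as an added example that is not code from the dotnet/dotnet repository or the PR: a shell probe that checks whether the host's OpenSSL rejects a SHA1-based signature and whether OPENSSL_ENABLE_SHA1_SIGNATURES=1 re-enables it, plus a hypothetical helper (`leg_needs_sha1_override`, not a name from the pipeline) that keeps the override confined to the CentOS Stream 9 leg, as the reviewers asked. It assumes `openssl`, `mktemp` and `sed` are available.

```shell
#!/bin/sh
# Added example, not code from the dotnet/dotnet PR: probe whether this host's
# OpenSSL rejects SHA1 signatures (OpenSSL 3.0 on CentOS Stream 9 does by default)
# and whether OPENSSL_ENABLE_SHA1_SIGNATURES=1 re-enables them, then decide per
# matrix leg whether the override belongs on that leg at all.
set -u

# sha1_sign_probe [override]: 0 if `openssl dgst -sha1 -sign` succeeds, 1 if the
# signature is rejected, 2 if openssl is unavailable. Uses a throwaway RSA key.
# With the argument "override" the command runs with OPENSSL_ENABLE_SHA1_SIGNATURES=1.
sha1_sign_probe() {
    override="${1:-}"
    command -v openssl >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 2
    printf 'constructed assembly bytes to strong-name\n' > "$dir/data"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" >/dev/null 2>&1 || { rm -rf "$dir"; return 2; }
    prefix=""
    if [ "$override" = "override" ]; then
        prefix="env OPENSSL_ENABLE_SHA1_SIGNATURES=1"
    fi
    rc=1
    if $prefix openssl dgst -sha1 -sign "$dir/key.pem" -out "$dir/sig" "$dir/data" >/dev/null 2>&1; then
        rc=0
    fi
    rm -rf "$dir"
    return $rc
}

# leg_needs_sha1_override <os-release text>: 0 only for CentOS Stream 9, the one
# leg the PR flags (hypothetical helper). Other distros in the matrix keep SHA1
# signing enabled, so they must not carry the override.
leg_needs_sha1_override() {
    os_release="$1"
    id=$(printf '%s\n' "$os_release" | sed -n 's/^ID=//p' | tr -d '"')
    ver=$(printf '%s\n' "$os_release" | sed -n 's/^VERSION_ID=//p' | tr -d '"')
    [ "$id" = "centos" ] && [ "${ver%%.*}" = "9" ]
}

main() {
    sha1_sign_probe; before=$?
    sha1_sign_probe override; after=$?
    echo "SHA1 signing, default policy: rc=$before (0=ok 1=rejected 2=no openssl)"
    echo "SHA1 signing with OPENSSL_ENABLE_SHA1_SIGNATURES=1: rc=$after"
    if [ -r /etc/os-release ] && leg_needs_sha1_override "$(cat /etc/os-release)"; then
        echo "this host is CentOS Stream 9: the build leg needs the override"
    fi
}
main
```

On a stock CentOS Stream 9 host the first probe reports rc=1 and the second rc=0; on distros that do not restrict SHA1 both report rc=0, which is why the override is only meaningful on the CentOS Stream 9 leg.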