From dcc72b41450d56f5a5f8ed4027875d278e989a3d Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Thu, 14 Mar 2024 03:32:16 +0300
Subject: [PATCH] import dotnet8.0-8.0.103-2.el9_3
---
.dotnet8.0.metadata | 2 +-
.gitignore | 2 +-
SOURCES/dotnet-8.0.3.tar.gz.sig | 17 +++++++++++++++
SOURCES/release-key-2023.asc | 29 +++++++++++++++++++++++++
SOURCES/release.json | 10 ++++-----
SOURCES/runtime-openssl-sha1.patch | 34 ++++++++++++++++++++++++++++++
SPECS/dotnet8.0.spec | 33 ++++++++++++++++++++++++-----
7 files changed, 115 insertions(+), 12 deletions(-)
create mode 100644 SOURCES/dotnet-8.0.3.tar.gz.sig
create mode 100644 SOURCES/release-key-2023.asc
create mode 100644 SOURCES/runtime-openssl-sha1.patch
diff --git a/.dotnet8.0.metadata b/.dotnet8.0.metadata
index ab95300..79c3ea7 100644
--- a/.dotnet8.0.metadata
+++ b/.dotnet8.0.metadata
@@ -1 +1 @@
-94c84fca4115a65111a3ce808564a7273c565022 SOURCES/dotnet-v8.0.2.tar.gz
+495e25373e8f6076db3652fcea4edd3342bd3d17 SOURCES/dotnet-8.0.3.tar.gz
diff --git a/.gitignore b/.gitignore
index 5f115e6..46652ec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/dotnet-v8.0.2.tar.gz
+SOURCES/dotnet-8.0.3.tar.gz
diff --git a/SOURCES/dotnet-8.0.3.tar.gz.sig b/SOURCES/dotnet-8.0.3.tar.gz.sig
new file mode 100644
index 0000000..18cd23b
--- /dev/null
+++ b/SOURCES/dotnet-8.0.3.tar.gz.sig
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: BSN Pgp v1.0.0.0
+
+iQIcBAABCAAGBQJl3iU8AAoJEP2/U8JNtIcuJ4sP/Rkoq/dL4zxZfx6EQy3we262
+9D7fhMPlkxFoMWgqTTGcmxuNE9bfJEjgUBMjGCY39fSqcM9l3bkKa9Trls+2nF1K
+f637Z94FKfZsfjtaU+b9xPB3ekD9GRZSjhei1QSInjHlF4UYiJxF+Y91jgilw4Kj
+I+/3IH2AN9ZAgUuSS7xdsP6CSa5vCglo/d2ImRsw+cw9X8Fmnze6z3p/nGzkVfWV
+0argZNqCnD1v2LNmpYJlctWDfXaDVQcTClo+K6UnHAoDx9JiAV1JLlDvv6h78fRj
+Fr6vm/0bZDJo9MnjLdBVzJ+9WkEOUmuneOviW3nThiXprJNbE2CK2Fk38CL7hU1r
+pBQpMBKuSDALR6W5I0bty8OBJeWIu3vyxzvNGQC0F7MoxZeKdgrwY/nuP49seEYZ
+tOC0xzLbqQT/7VSmECLm/udx91rMLOZ827qC43IR1p8TQinijqsFlnyMkXuBwOjF
+MdyOaIXPTd39JMn32qqqTr84+dg1TfNKwQEco6IIzDsG+2YmSzhS8dDE9lLKYrwM
+qC5gcaEauCjzclnpHs+Mqx4ADsuftf7zI+gky9NK4Pz1/4pDC+ZqP8ucxSYCy2sA
+PFi+M4aRMBfKzCw4Wa8828G2wPjIaA+d6n5T0XoIrg4xI7ii223J18qr0vMoBMvE
+CrxUFI4N/Gb6+36NB047
+=WrWT
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/release-key-2023.asc b/SOURCES/release-key-2023.asc
new file mode 100644
index 0000000..96844b6
--- /dev/null
+++ b/SOURCES/release-key-2023.asc
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: BSN Pgp v1.1.0.0
+
+mQINBGUKsUYBEADVCJm4EhXALr1ld42kWeh/vM0XMZ2orNT6NRLDRYjpE4mm4UqA
+vpjfGCwt5fLcrT4yZng8ABkB3QwTsZzmxesAMD5AZR/gdU1G96DuDGsjp6zJvTuX
+zvz3PXUYfcl9n5X32acA6N9J5Xfp10xqX3oitUODBdYy/vKW/v/y87ZxgaR6a3wp
+pPJBJIVKwFJx13v4BHRsGp1fepliQcXPvmNKFNI20le5+FbLq6C9hY5wcwGHGfQr
+EokH79GsmqgSImqxDOIh06J5VfWA+JwV+3vf95pD8IUrRfGQ+GK7b1/bySxtM5Qa
+b/IDgvl/Qq3AzEpGarMBaqGbqMz1C7jd8Y6nyKMP/V+OCjbEdYNM8GRz6kBP3Un+
+Frat5Lc2o4DF+zB3PKIJS3hku5gwlJu6IU1F23vmYFtjUcpRGmyQZDoWyBbOWlB5
+4SXqVu16amUsRFYmOK8BJMjdotcVbriVIv6WRmugfhIMoRJzVGxYkdbuiuMAX69V
+xDoGpxX5A8S5A79y0USUVtadQfFavMTyb/gUuUe8oDsqK9gdI3ETxLYG4gYwauVX
+fCGfoLOKsq5dPzEuEA7GCRrMau+rHKFaM7BigSdnHFW7xNZ4v0YnXAagoqM2G5o5
+9sak0l57vxxTVk2V3iZzkoU2J2Zlyxyh72n5vjRmb7aNwmQh4Eav6a8ssQARAQAB
+tBlvbm54Y29yZWRldkBtaWNyb3NvZnQuY29tiQI4BBMBCAAiBQJlCrFGAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRD9v1PCTbSHLtfzEADIKq15XDeQxLSo
+BG1aFa9n82K1YADVcu1LeddfhDmQWLnZNgyHtQlKN2n59282CXtgymzae3uc05s2
+feIJaqF4M4NnCX8Ct3K7Hq1jI7ZktlquPCCy9XHq9aQY8XTxmdtRevtclKgYTwDh
+w+D/KbE8vTZ6o7JoubA3MKf4k3S8qL/0rIyaC6h0EpiWoMy1TdNMMK7BT4kl6Vz4
+W6KmNgOux1Pzku5ULM4WuOzmwW+NAzpOLJowfDs1ZC2RM3+g9i1/DmwWtCHngvGD
++clA0I0agXxo05toOBTfwxd2gWYczuo/Ole16fYTzqT6n0DHqOjjcc9A7EmC72fQ
+J+hHAqM+4+CbEGuMpNnTMpCZs98bcK3Rqx/bDJYtbclZzm5O/V4nVbDrJZKzpgA1
+KuzNMLkr62P6/t15UsStgmrlTILmE5NG0CR1mj/46+mNbsMZCel3dcvnT1Zf4rTq
+QxMC7Dd/DECKQVC339G/BRfNyhOk2S1mZR/g1uS4bznL+tiwudDh/TAi5C3ZBDMh
+0muwD9caXS/QFIBWtb2ai3IcpU357R/ERPKLcWYtoYJ80RuKi6XYr1WxSPBmd5Qm
+wuncye+wR2dveo2jnIXZGUSgz50ZNgBxs/cYWAQ8J6KMgIBa+JY2qalzvIGbrC5x
+Sr+CkhS8vrktfnRgc8yBssJnvNfqXA==
+=pKgS
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/SOURCES/release.json b/SOURCES/release.json
index 769c8a1..16ac31c 100644
--- a/SOURCES/release.json
+++ b/SOURCES/release.json
@@ -1,9 +1,9 @@
 {
- "release": "8.0.2",
+ "release": "8.0.3",
 "channel": "8.0",
- "tag": "8.0.2",
- "sdkVersion": "8.0.102",
- "runtimeVersion": "8.0.2",
+ "tag": "v8.0.3",
+ "sdkVersion": "8.0.103",
+ "runtimeVersion": "8.0.3",
 "sourceRepository": "https://github.com/dotnet/dotnet",
- "sourceVersion": "d396b0c4d3e51c2d8d679b2f7233912bc5bfc2fa"
+ "sourceVersion": "49a39629323839c28481dd42545ce44d11c75c5a"
 }
diff --git a/SOURCES/runtime-openssl-sha1.patch b/SOURCES/runtime-openssl-sha1.patch
new file mode 100644
index 0000000..6e307ef
--- /dev/null
+++ b/SOURCES/runtime-openssl-sha1.patch
@@ -0,0 +1,34 @@
+From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
+From: Tom Deseyn
+Date: Wed, 28 Feb 2024 14:08:15 +0100
+Subject: [PATCH] Allow certificate validation with SHA-1 signatures.
+
+RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
+validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
+with a chain where the last certificate uses a SHA-1 signature.
+
+This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
+OpenSSL behavior for certificate validation.
+---
+ .../libs/System.Security.Cryptography.Native/pal_x509.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+index 04c6ba06cd..2cd3413dae 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5
+
+ int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
+
+- if (val != 0)
+- {
+- X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
+- }
+-
+ return val;
+ }
+
+--
+2.43.2
+
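Review bot: Removing the `X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE)` call in `CryptoNative_X509StoreCtxInit` switches off the self-signature check for every chain the runtime builds, not only for chains whose last certificate is SHA-1 signed, and the patched C file keeps no record of why. For a root that is already in the trust store this matches OpenSSL's default, but where a caller supplies its own trust or tolerates unknown roots, a self-signed certificate whose signature does not verify may no longer be reported as such; that depends on the managed chain-building code, which is not shown here, and should be confirmed. I would leave a comment at the `X509_STORE_CTX_init` call, `/* X509_V_FLAG_CHECK_SS_SIGNATURE intentionally not set: RHEL OpenSSL rejects SHA-1 signatures, see RHEL-25254 */`, and add a regression test with a self-signed certificate carrying an invalid signature so the changed result is pinned. The function starts above the inner hunk, so only its tail is visible.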
diff --git a/SPECS/dotnet8.0.spec b/SPECS/dotnet8.0.spec index 55f4104..36c84db 100644 --- a/SPECS/dotnet8.0.spec +++ b/SPECS/dotnet8.0.spec @@ -8,10 +8,10 @@ %global dotnetver 8.0 -%global host_version 8.0.2 -%global runtime_version 8.0.2 +%global host_version 8.0.3 +%global runtime_version 8.0.3 %global aspnetcore_runtime_version %{runtime_version} -%global sdk_version 8.0.102 +%global sdk_version 8.0.103 %global sdk_feature_band_version %(echo %{sdk_version} | cut -d '-' -f 1 | sed -e 's|[[:digit:]][[:digit:]]$|00|') %global templates_version %{runtime_version} #%%global templates_version %%(echo %%{runtime_version} | awk 'BEGIN { FS="."; OFS="." } {print $1, $2, $3+1 }') @@ -76,7 +76,9 @@ Source3: dotnet-prebuilts-%{bootstrap_sdk_version}-s390x.tar.gz # For non-releases, the source is generated on a Fedora box via: # ./build-dotnet-tarball %%{upstream_tag} or commit %global tarball_name dotnet-sdk-source-%{upstream_tag} -Source0: https://github.com/dotnet/dotnet/archive/refs/tags/%{upstream_tag}.tar.gz#/dotnet-%{upstream_tag}.tar.gz +Source0: https://github.com/dotnet/dotnet/archive/refs/tags/%{upstream_tag}.tar.gz#/dotnet-%{upstream_tag_without_v}.tar.gz +Source1: https://github.com/dotnet/dotnet/archive/refs/tags/%{upstream_tag}.tar.gz#/dotnet-%{upstream_tag_without_v}.tar.gz.sig +Source2: https://dotnet.microsoft.com/download/dotnet/release-key-2023.asc %endif Source5: https://github.com/dotnet/dotnet/releases/download/%{upstream_tag}/release.json 
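Review bot: `Source1` reuses the `archive/refs/tags/%{upstream_tag}.tar.gz` URL of `Source0` and differs only in the `#/dotnet-%{upstream_tag_without_v}.tar.gz.sig` fragment, so refreshing sources from the URLs would fetch the tarball again under a `.sig` name instead of the detached signature. The build would then fail verification rather than pass it, but the committed `.sig` is left with no documented origin, which weakens the audit trail the signature check is meant to give. Point `Source1` at the place the signature is actually published, `Source1: <upstream signature URL>/dotnet-%{upstream_tag_without_v}.tar.gz.sig`, and add a comment above `Source2` such as `# release-key-2023.asc fingerprint: <FINGERPRINT>, verified out of band` so a swapped key file stands out in review. These lines sit in a conditional that closes at the `%endif` in the hunk and opens above it.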
@@ -94,6 +96,12 @@ Patch2: vstest-intent-net8.0.patch Patch3: runtime-re-enable-implicit-rejection.patch # https://github.com/dotnet/msbuild/pull/9449 Patch4: msbuild-9449-exec-stop-setting-a-locale.patch +# We disable checking the signature of the last certificate in a chain +# if the certificate is supposedly self-signed. A side effect of not +# checking the self-signature of such a certificate is that disabled +# or unsupported message digests used for the signature are not +# treated as fatal errors. https://issues.redhat.com/browse/RHEL-25254 +Patch5: runtime-openssl-sha1.patch ExclusiveArch: aarch64 ppc64le s390x x86_64 @@ -111,6 +119,7 @@ BuildRequires: git %if 0%{?fedora} || 0%{?rhel} > 7 BuildRequires: glibc-langpack-en %endif +BuildRequires: gnupg2 BuildRequires: hostname BuildRequires: krb5-devel BuildRequires: libicu-devel @@ -403,8 +412,10 @@ These are not meant for general use. %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' + release_json_tag=$(grep tag %{SOURCE5} | cut -d: -f2 | sed -E 's/[," ]*//g') -if [[ ${release_json_tag} != %{upstream_tag_without_v} ]]; then +if [[ ${release_json_tag} != %{upstream_tag} ]]; then echo "error: tag in release.json doesn't match tag in spec file" exit 1 fi @@ -706,6 +717,18 @@ export COMPlus_LTTng=0 %changelog +* Wed Mar 06 2024 Tom Deseyn - 8.0.103-2 +- We disable checking the signature of the last certificate in a chain + if the certificate is supposedly self-signed. A side effect of not + checking the self-signature of such a certificate is that disabled + or unsupported message digests used for the signature are not + treated as fatal errors. +- Resolves: RHEL-28343 + +* Thu Feb 29 2024 Omair Majid - 8.0.103-1 +- Update to .NET SDK 8.0.103 and Runtime 8.0.3 +- Resolves: RHEL-27552 + * Sat Feb 03 2024 Omair Majid - 8.0.102-2 - Don't set a locale when running msbuild Exec on Unix - Resolves: RHEL-23938
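Review bot: The `%{gpgverify}` line added at the top of `%prep` has no conditional around it in the hunk, whereas `Source1` and `Source2` get their signature and keyring meaning only inside the conditional block that ends at `%endif` in the Source0 hunk. If the other branch of that conditional gives those source numbers different files or leaves them undefined (that branch is not visible here), the check would run against the wrong inputs and the build would stop there. Wrap the call in the same condition as the source definitions, `%if <condition of the Source0 block>` … `%endif`, and say in a comment that builds taking the other branch skip upstream signature verification, so that gap is explicit rather than silent. `%prep` continues beyond the hunk.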