import UBI dotnet8.0-8.0.103-2.el9_3

2024-03-13 14:53:48 +00:00 · 2024-03-13 14:53:48 +00:00 · 3acfd3b46d
commit 3acfd3b46d
parent ef3696d762
7 changed files with 115 additions and 12 deletions
--- a/.dotnet8.0.metadata
+++ b/.dotnet8.0.metadata
@ -1 +1 @@
-94c84fca4115a65111a3ce808564a7273c565022 SOURCES/dotnet-v8.0.2.tar.gz
+495e25373e8f6076db3652fcea4edd3342bd3d17 SOURCES/dotnet-8.0.3.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/dotnet-v8.0.2.tar.gz
+SOURCES/dotnet-8.0.3.tar.gz
--- a/SOURCES/dotnet-8.0.3.tar.gz.sig
+++ b/SOURCES/dotnet-8.0.3.tar.gz.sig
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: BSN Pgp v1.0.0.0
+
+iQIcBAABCAAGBQJl3iU8AAoJEP2/U8JNtIcuJ4sP/Rkoq/dL4zxZfx6EQy3we262
+9D7fhMPlkxFoMWgqTTGcmxuNE9bfJEjgUBMjGCY39fSqcM9l3bkKa9Trls+2nF1K
+f637Z94FKfZsfjtaU+b9xPB3ekD9GRZSjhei1QSInjHlF4UYiJxF+Y91jgilw4Kj
+I+/3IH2AN9ZAgUuSS7xdsP6CSa5vCglo/d2ImRsw+cw9X8Fmnze6z3p/nGzkVfWV
+0argZNqCnD1v2LNmpYJlctWDfXaDVQcTClo+K6UnHAoDx9JiAV1JLlDvv6h78fRj
+Fr6vm/0bZDJo9MnjLdBVzJ+9WkEOUmuneOviW3nThiXprJNbE2CK2Fk38CL7hU1r
+pBQpMBKuSDALR6W5I0bty8OBJeWIu3vyxzvNGQC0F7MoxZeKdgrwY/nuP49seEYZ
+tOC0xzLbqQT/7VSmECLm/udx91rMLOZ827qC43IR1p8TQinijqsFlnyMkXuBwOjF
+MdyOaIXPTd39JMn32qqqTr84+dg1TfNKwQEco6IIzDsG+2YmSzhS8dDE9lLKYrwM
+qC5gcaEauCjzclnpHs+Mqx4ADsuftf7zI+gky9NK4Pz1/4pDC+ZqP8ucxSYCy2sA
+PFi+M4aRMBfKzCw4Wa8828G2wPjIaA+d6n5T0XoIrg4xI7ii223J18qr0vMoBMvE
+CrxUFI4N/Gb6+36NB047
+=WrWT
+-----END PGP SIGNATURE-----
--- a/SOURCES/release-key-2023.asc
+++ b/SOURCES/release-key-2023.asc
@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: BSN Pgp v1.1.0.0
+
+mQINBGUKsUYBEADVCJm4EhXALr1ld42kWeh/vM0XMZ2orNT6NRLDRYjpE4mm4UqA
+vpjfGCwt5fLcrT4yZng8ABkB3QwTsZzmxesAMD5AZR/gdU1G96DuDGsjp6zJvTuX
+zvz3PXUYfcl9n5X32acA6N9J5Xfp10xqX3oitUODBdYy/vKW/v/y87ZxgaR6a3wp
+pPJBJIVKwFJx13v4BHRsGp1fepliQcXPvmNKFNI20le5+FbLq6C9hY5wcwGHGfQr
+EokH79GsmqgSImqxDOIh06J5VfWA+JwV+3vf95pD8IUrRfGQ+GK7b1/bySxtM5Qa
+b/IDgvl/Qq3AzEpGarMBaqGbqMz1C7jd8Y6nyKMP/V+OCjbEdYNM8GRz6kBP3Un+
+Frat5Lc2o4DF+zB3PKIJS3hku5gwlJu6IU1F23vmYFtjUcpRGmyQZDoWyBbOWlB5
+4SXqVu16amUsRFYmOK8BJMjdotcVbriVIv6WRmugfhIMoRJzVGxYkdbuiuMAX69V
+xDoGpxX5A8S5A79y0USUVtadQfFavMTyb/gUuUe8oDsqK9gdI3ETxLYG4gYwauVX
+fCGfoLOKsq5dPzEuEA7GCRrMau+rHKFaM7BigSdnHFW7xNZ4v0YnXAagoqM2G5o5
+9sak0l57vxxTVk2V3iZzkoU2J2Zlyxyh72n5vjRmb7aNwmQh4Eav6a8ssQARAQAB
+tBlvbm54Y29yZWRldkBtaWNyb3NvZnQuY29tiQI4BBMBCAAiBQJlCrFGAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRD9v1PCTbSHLtfzEADIKq15XDeQxLSo
+BG1aFa9n82K1YADVcu1LeddfhDmQWLnZNgyHtQlKN2n59282CXtgymzae3uc05s2
+feIJaqF4M4NnCX8Ct3K7Hq1jI7ZktlquPCCy9XHq9aQY8XTxmdtRevtclKgYTwDh
+w+D/KbE8vTZ6o7JoubA3MKf4k3S8qL/0rIyaC6h0EpiWoMy1TdNMMK7BT4kl6Vz4
+W6KmNgOux1Pzku5ULM4WuOzmwW+NAzpOLJowfDs1ZC2RM3+g9i1/DmwWtCHngvGD
+clA0I0agXxo05toOBTfwxd2gWYczuo/Ole16fYTzqT6n0DHqOjjcc9A7EmC72fQ
+J+hHAqM+4+CbEGuMpNnTMpCZs98bcK3Rqx/bDJYtbclZzm5O/V4nVbDrJZKzpgA1
+KuzNMLkr62P6/t15UsStgmrlTILmE5NG0CR1mj/46+mNbsMZCel3dcvnT1Zf4rTq
+QxMC7Dd/DECKQVC339G/BRfNyhOk2S1mZR/g1uS4bznL+tiwudDh/TAi5C3ZBDMh
+0muwD9caXS/QFIBWtb2ai3IcpU357R/ERPKLcWYtoYJ80RuKi6XYr1WxSPBmd5Qm
+wuncye+wR2dveo2jnIXZGUSgz50ZNgBxs/cYWAQ8J6KMgIBa+JY2qalzvIGbrC5x
+Sr+CkhS8vrktfnRgc8yBssJnvNfqXA==
+=pKgS
+-----END PGP PUBLIC KEY BLOCK-----
--- a/SOURCES/release.json
+++ b/SOURCES/release.json
@ -1,9 +1,9 @@
 {
-  "release": "8.0.2",
+  "release": "8.0.3",
  "channel": "8.0",
-  "tag": "8.0.2",
-  "sdkVersion": "8.0.102",
-  "runtimeVersion": "8.0.2",
+  "tag": "v8.0.3",
+  "sdkVersion": "8.0.103",
+  "runtimeVersion": "8.0.3",
  "sourceRepository": "https://github.com/dotnet/dotnet",
-  "sourceVersion": "d396b0c4d3e51c2d8d679b2f7233912bc5bfc2fa"
+  "sourceVersion": "49a39629323839c28481dd42545ce44d11c75c5a"
 }
--- a/SOURCES/runtime-openssl-sha1.patch
+++ b/SOURCES/runtime-openssl-sha1.patch
@ -0,0 +1,34 @@
+From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
+From: Tom Deseyn <tom.deseyn@gmail.com>
+Date: Wed, 28 Feb 2024 14:08:15 +0100
+Subject: [PATCH] Allow certificate validation with SHA-1 signatures.
+
+RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
+validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
+with a chain where the last certificate uses a SHA-1 signature.
+
+This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
+OpenSSL behavior for certificate validation.
+---
+ .../libs/System.Security.Cryptography.Native/pal_x509.c      | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+index 04c6ba06cd..2cd3413dae 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5
+ 
+     int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
+ 
+-    if (val != 0)
+-    {
+-        X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
+-    }
+-
+     return val;
+ }
+ 
+-- 
+2.43.2
+
--- a/SPECS/dotnet8.0.spec
+++ b/SPECS/dotnet8.0.spec
@ -8,10 +8,10 @@

 %global dotnetver 8.0

-%global host_version 8.0.2
-%global runtime_version 8.0.2
+%global host_version 8.0.3
+%global runtime_version 8.0.3
 %global aspnetcore_runtime_version %{runtime_version}
-%global sdk_version 8.0.102
+%global sdk_version 8.0.103
 %global sdk_feature_band_version %(echo %{sdk_version} | cut -d '-' -f 1 | sed -e 's|[[:digit:]][[:digit:]]$|00|')
 %global templates_version %{runtime_version}
 #%%global templates_version %%(echo %%{runtime_version} | awk 'BEGIN { FS="."; OFS="." } {print $1, $2, $3+1 }')
@ -76,7 +76,9 @@ Source3:        dotnet-prebuilts-%{bootstrap_sdk_version}-s390x.tar.gz
 # For non-releases, the source is generated on a Fedora box via:
 # ./build-dotnet-tarball %%{upstream_tag} or commit
 %global tarball_name dotnet-sdk-source-%{upstream_tag}
-Source0:        https://github.com/dotnet/dotnet/archive/refs/tags/%{upstream_tag}.tar.gz#/dotnet-%{upstream_tag}.tar.gz
+Source0:        https://github.com/dotnet/dotnet/archive/refs/tags/%{upstream_tag}.tar.gz#/dotnet-%{upstream_tag_without_v}.tar.gz
+Source1:        https://github.com/dotnet/dotnet/archive/refs/tags/%{upstream_tag}.tar.gz#/dotnet-%{upstream_tag_without_v}.tar.gz.sig
+Source2:        https://dotnet.microsoft.com/download/dotnet/release-key-2023.asc
 %endif
 Source5:        https://github.com/dotnet/dotnet/releases/download/%{upstream_tag}/release.json

@ -94,6 +96,12 @@ Patch2:         vstest-intent-net8.0.patch
 Patch3:         runtime-re-enable-implicit-rejection.patch
 # https://github.com/dotnet/msbuild/pull/9449
 Patch4:         msbuild-9449-exec-stop-setting-a-locale.patch
+# We disable checking the signature of the last certificate in a chain
+# if the certificate is supposedly self-signed. A side effect of not
+# checking the self-signature of such a certificate is that disabled
+# or unsupported message digests used for the signature are not
+# treated as fatal errors. https://issues.redhat.com/browse/RHEL-25254
+Patch5:         runtime-openssl-sha1.patch


 ExclusiveArch:  aarch64 ppc64le s390x x86_64
@ -111,6 +119,7 @@ BuildRequires:  git
 %if 0%{?fedora} || 0%{?rhel} > 7
 BuildRequires:  glibc-langpack-en
 %endif
+BuildRequires:  gnupg2
 BuildRequires:  hostname
 BuildRequires:  krb5-devel
 BuildRequires:  libicu-devel
@ -403,8 +412,10 @@ These are not meant for general use.


 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+
 release_json_tag=$(grep tag %{SOURCE5} | cut -d: -f2 | sed -E 's/[," ]*//g')
-if [[ ${release_json_tag} != %{upstream_tag_without_v} ]]; then
+if [[ ${release_json_tag} != %{upstream_tag} ]]; then
   echo "error: tag in release.json doesn't match tag in spec file"
   exit 1
 fi
@ -706,6 +717,18 @@ export COMPlus_LTTng=0


 %changelog
+* Wed Mar 06 2024 Tom Deseyn <tom.deseyn@gmail.com> - 8.0.103-2
+- We disable checking the signature of the last certificate in a chain
+  if the certificate is supposedly self-signed. A side effect of not
+  checking the self-signature of such a certificate is that disabled
+  or unsupported message digests used for the signature are not
+  treated as fatal errors.
+- Resolves: RHEL-28343
+
+* Thu Feb 29 2024 Omair Majid <omajid@redhat.com> - 8.0.103-1
+- Update to .NET SDK 8.0.103 and Runtime 8.0.3
+- Resolves: RHEL-27552
+
 * Sat Feb 03 2024 Omair Majid <omajid@redhat.com> - 8.0.102-2
 - Don't set a locale when running msbuild Exec on Unix
 - Resolves: RHEL-23938