diff --git a/.dotnet8.0.metadata b/.dotnet8.0.metadata
index 3970d7b..2eafd0e 100644
--- a/.dotnet8.0.metadata
+++ b/.dotnet8.0.metadata
@@ -1,4 +1 @@
-35100bcbe91362f5686caf6ebb55bd32215b813b SOURCES/dotnet-prebuilts-8.0.100-preview.6.23330.14-arm64.tar.gz
-de9624deab87fb323f87fceabacbfbf8b1d088c0 SOURCES/dotnet-prebuilts-8.0.100-preview.6.23330.14-ppc64le.tar.gz
-bc43d99e7b7faa8fde7e57faf4d46d17d00aadf8 SOURCES/dotnet-prebuilts-8.0.100-preview.6.23330.14-s390x.tar.gz
-fd142a9cc8993cde3389ce8073d1f0101a6d76b0 SOURCES/dotnet-v8.0.0-preview.7.23375.6-x64-bootstrap.tar.xz
+dcef67b90dd60f9968efb9b68507427f257b815d SOURCES/dotnet-8.0.8.tar.gz
diff --git a/.gitignore b/.gitignore
index 7212fe5..d0c7db2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1 @@
-SOURCES/dotnet-prebuilts-8.0.100-preview.6.23330.14-arm64.tar.gz
-SOURCES/dotnet-prebuilts-8.0.100-preview.6.23330.14-ppc64le.tar.gz
-SOURCES/dotnet-prebuilts-8.0.100-preview.6.23330.14-s390x.tar.gz
-SOURCES/dotnet-v8.0.0-preview.7.23375.6-x64-bootstrap.tar.xz
+SOURCES/dotnet-8.0.8.tar.gz
diff --git a/SOURCES/dotnet-8.0.8.tar.gz.sig b/SOURCES/dotnet-8.0.8.tar.gz.sig
new file mode 100644
index 0000000..bc6b5b3
--- /dev/null
+++ b/SOURCES/dotnet-8.0.8.tar.gz.sig
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: BSN Pgp v1.0.0.0 + +iQIcBAABCAAGBQJmqPvcAAoJEP2/U8JNtIcuCjUP/1JCyxHFjLoVH296sDflBrJ/ +NA/Y4x0YR/NVLchBk//G7/RzHab7x0EU4fRKkEecKQxPyqm4SH+zfEf9sg5txbES +F1Fx5j0e89BzivSIJWgr8nzuQv0tQGrraIAsqPC1wrIUvDSuLXW9URCwitOasRS4 +/9FKOjISE1L2pj0+QWXzcl+QJN8A0MvtnEZfh0BbvzwldWgyi72A02t2gp6ooXMf +FOfgdd20ufPENaB+TUc2C8eU9IaSYxwIPNy8kRN/iVRc8eYqgKvSDxUgb9aJG+Do +Bc/HoqRVG3bvi3LZt7nwyvVeQfWYo1HB9/aEqyyqmsqsg9z83UsdAuQcidV45ae+ +hen0hxR3BpJyOpT/s/PVH7fdxqVWvszxBTW/ICm5HKMO7/w7CxTLVdPjyj9mXzew +Sbo0xvVvSML72m33X5vFxMD3/zlYYUHTtad6D2rE6vvk5hexG3orbv5ybkUmUWiM +EtMta++yXJwRq2Ac8ucjiLr+EARAfDbdXT6C6aPJpbF4IGQe1p/dwpXeKrDLGSNS +G7d780b44hKt8ciaFLlbhe9qCc6DlsQtV3AryqH/vlm81+oM6y8vJMAHknyZ6WL/ +9AdSsVVa4BrNOsGeVLzNSTtqQiRW9KkK2XPI1dslxfy6KrKIrVYCFuIYsuJ8Ibmp +QuIzm0BW8IGU3ZZSUAyZ +=A/0i +-----END PGP SIGNATURE----- diff --git a/SOURCES/fix-mono-typeloadexception.patch b/SOURCES/fix-mono-typeloadexception.patch deleted file mode 100644 index 08b0917..0000000 --- a/SOURCES/fix-mono-typeloadexception.patch +++ /dev/null 
@@ -1,23 +0,0 @@
-From 02f6303d86672997ec2e6b79b16d5ddbf52118a0 Mon Sep 17 00:00:00 2001
-From: Tom Deseyn
-Date: Tue, 22 Aug 2023 14:52:36 +0200
-Subject: [PATCH] Avoid loading System.Security.Permissions.
-
-source-built Mono fails to load types from this assembly.
----
- src/msbuild/src/Shared/ExceptionHandling.cs | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/msbuild/src/Shared/ExceptionHandling.cs b/src/msbuild/src/Shared/ExceptionHandling.cs
-index a7ef74e873..3dce645df1 100644
---- a/src/msbuild/src/Shared/ExceptionHandling.cs
-+++ b/src/msbuild/src/Shared/ExceptionHandling.cs
-@@ -167,7 +167,7 @@ internal static bool IsIoRelatedException(Exception e)
- internal static bool IsXmlException(Exception e)
- {
- return e is XmlException
-- || e is XmlSyntaxException
-+ // || e is XmlSyntaxException
- || e is XmlSchemaException
- || e is UriFormatException; // XmlTextReader for example uses this under the covers
- }
diff --git a/SOURCES/msbuild-9449-exec-stop-setting-a-locale.patch b/SOURCES/msbuild-9449-exec-stop-setting-a-locale.patch
new file mode 100644
index 0000000..0cd4642
--- /dev/null
+++ b/SOURCES/msbuild-9449-exec-stop-setting-a-locale.patch
@@ -0,0 +1,104 @@
+From 68fa6537305beda5cb059c898349f37bda285ca7 Mon Sep 17 00:00:00 2001
+From: Tom Deseyn
+Date: Thu, 1 Feb 2024 09:23:16 +0100
+Subject: [PATCH 1/1] Exec: stop setting a locale on Unix.
+
+This backports a fix that is part of Microsoft's upcoming
+8.0.2xx SDK to the 8.0.1xx SDK that we package.
+
+This fix stops MSBuild Exec from printing warnings and/or
+failing in bash envionments where the glibc en_US locale
+is not available (which is common in container images).
+
+The backport includes the changewave opt-out that allows
+users to revert back to the previous behavior by setting
+the MSBUILDDISABLEFEATURESFROMVERSION envvar to the
+version where the feature is introduced ("17.10").
+---
+ src/msbuild/src/Framework/ChangeWaves.cs | 3 +-
+ src/msbuild/src/Tasks.UnitTests/Exec_Tests.cs | 36 +++++++++++++++++++
+ src/msbuild/src/Tasks/Exec.cs | 7 +++-
+ 3 files changed, 44 insertions(+), 2 deletions(-)
+
+diff --git a/src/msbuild/src/Framework/ChangeWaves.cs b/src/msbuild/src/Framework/ChangeWaves.cs
+index 0050723798..1f925324ac 100644
+--- a/src/msbuild/src/Framework/ChangeWaves.cs
++++ b/src/msbuild/src/Framework/ChangeWaves.cs
+@@ -27,7 +27,8 @@ namespace Microsoft.Build.Framework
+ internal static readonly Version Wave17_4 = new Version(17, 4);
+ internal static readonly Version Wave17_6 = new Version(17, 6);
+ internal static readonly Version Wave17_8 = new Version(17, 8);
+- internal static readonly Version[] AllWaves = { Wave17_4, Wave17_6, Wave17_8 };
++ internal static readonly Version Wave17_10 = new Version(17, 10);
++ internal static readonly Version[] AllWaves = { Wave17_4, Wave17_6, Wave17_8, Wave17_10 };
+
+ ///
+ /// Special value indicating that all features behind all Change Waves should be enabled.
+diff --git a/src/msbuild/src/Tasks.UnitTests/Exec_Tests.cs b/src/msbuild/src/Tasks.UnitTests/Exec_Tests.cs
+index cb468a6cce..c0598e4978 100644
+--- a/src/msbuild/src/Tasks.UnitTests/Exec_Tests.cs
++++ b/src/msbuild/src/Tasks.UnitTests/Exec_Tests.cs
+@@ -69,6 +69,42 @@ namespace Microsoft.Build.UnitTests
+ }
+ }
+
++ [UnixOnlyTheory]
++ [InlineData(true)]
++ [InlineData(false)]
++ public void ExecSetsLocaleOnUnix(bool enableChangeWave)
++ {
++ using (var env = TestEnvironment.Create())
++ {
++ env.SetEnvironmentVariable("LANG", null);
++ env.SetEnvironmentVariable("LC_ALL", null);
++
++ if (enableChangeWave)
++ {
++ ChangeWaves.ResetStateForTests();
++ // Important: use the version here
++ env.SetEnvironmentVariable("MSBUILDDISABLEFEATURESFROMVERSION", ChangeWaves.Wave17_10.ToString());
++ BuildEnvironmentHelper.ResetInstance_ForUnitTestsOnly();
++ }
++
++ Exec exec = PrepareExec("echo LANG=$LANG; echo LC_ALL=$LC_ALL;");
++ bool result = exec.Execute();
++ Assert.True(result);
++
++ MockEngine engine = (MockEngine)exec.BuildEngine;
++ if (enableChangeWave)
++ {
++ engine.AssertLogContains("LANG=en_US.UTF-8");
++ engine.AssertLogContains("LC_ALL=en_US.UTF-8");
++ }
++ else
++ {
++ engine.AssertLogDoesntContain("LANG=en_US.UTF-8");
++ engine.AssertLogDoesntContain("LC_ALL=en_US.UTF-8");
++ }
++ }
++ }
++
+ ///
+ /// Ensures that calling the Exec task does not leave any extra TEMP files
+ /// lying around.
+diff --git a/src/msbuild/src/Tasks/Exec.cs b/src/msbuild/src/Tasks/Exec.cs
+index dbf4be1fc5..9faaa68887 100644
+--- a/src/msbuild/src/Tasks/Exec.cs
++++ b/src/msbuild/src/Tasks/Exec.cs
+@@ -591,7 +591,12 @@ namespace Microsoft.Build.Tasks
+ {
+ commandLine.AppendSwitch("-c");
+ commandLine.AppendTextUnquoted(" \"");
+- commandLine.AppendTextUnquoted("export LANG=en_US.UTF-8; export LC_ALL=en_US.UTF-8; . ");
++ bool setLocale = !ChangeWaves.AreFeaturesEnabled(ChangeWaves.Wave17_10);
++ if (setLocale)
++ {
++ commandLine.AppendTextUnquoted("export LANG=en_US.UTF-8; export LC_ALL=en_US.UTF-8; ");
++ }
++ commandLine.AppendTextUnquoted(". ");
+ commandLine.AppendFileNameIfNotNull(batchFileForCommandLine);
+ commandLine.AppendTextUnquoted("\"");
+ }
+--
+2.43.0
+
diff --git a/SOURCES/release-key-2023.asc b/SOURCES/release-key-2023.asc
new file mode 100644
index 0000000..96844b6
--- /dev/null
+++ b/SOURCES/release-key-2023.asc
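Review bot: In the added `ExecSetsLocaleOnUnix` test the parameter name `enableChangeWave` reads inverted: when it is true the test sets `MSBUILDDISABLEFEATURESFROMVERSION` to `Wave17_10`, which opts out of the 17.10 features, and then expects the `en_US.UTF-8` exports to appear. A name such as `disableChangeWave` would match what the branch does, and the comment `// Important: use the version here` could state the reason, for example `// Opt out of Wave17_10 so Exec falls back to exporting en_US.UTF-8`. `ChangeWaves.ResetStateForTests()` is called only on the opt-out path, so unless `TestEnvironment` resets it (not visible here) the `false` case depends on the change-wave state an earlier test left behind; calling it in both cases would make the test order-independent. The test class and the `Exec.cs` method around the last hunk start and end outside the quoted context.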
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: BSN Pgp v1.1.0.0 + +mQINBGUKsUYBEADVCJm4EhXALr1ld42kWeh/vM0XMZ2orNT6NRLDRYjpE4mm4UqA +vpjfGCwt5fLcrT4yZng8ABkB3QwTsZzmxesAMD5AZR/gdU1G96DuDGsjp6zJvTuX +zvz3PXUYfcl9n5X32acA6N9J5Xfp10xqX3oitUODBdYy/vKW/v/y87ZxgaR6a3wp +pPJBJIVKwFJx13v4BHRsGp1fepliQcXPvmNKFNI20le5+FbLq6C9hY5wcwGHGfQr +EokH79GsmqgSImqxDOIh06J5VfWA+JwV+3vf95pD8IUrRfGQ+GK7b1/bySxtM5Qa +b/IDgvl/Qq3AzEpGarMBaqGbqMz1C7jd8Y6nyKMP/V+OCjbEdYNM8GRz6kBP3Un+ +Frat5Lc2o4DF+zB3PKIJS3hku5gwlJu6IU1F23vmYFtjUcpRGmyQZDoWyBbOWlB5 +4SXqVu16amUsRFYmOK8BJMjdotcVbriVIv6WRmugfhIMoRJzVGxYkdbuiuMAX69V +xDoGpxX5A8S5A79y0USUVtadQfFavMTyb/gUuUe8oDsqK9gdI3ETxLYG4gYwauVX +fCGfoLOKsq5dPzEuEA7GCRrMau+rHKFaM7BigSdnHFW7xNZ4v0YnXAagoqM2G5o5 +9sak0l57vxxTVk2V3iZzkoU2J2Zlyxyh72n5vjRmb7aNwmQh4Eav6a8ssQARAQAB +tBlvbm54Y29yZWRldkBtaWNyb3NvZnQuY29tiQI4BBMBCAAiBQJlCrFGAhsDBgsJ +CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRD9v1PCTbSHLtfzEADIKq15XDeQxLSo +BG1aFa9n82K1YADVcu1LeddfhDmQWLnZNgyHtQlKN2n59282CXtgymzae3uc05s2 +feIJaqF4M4NnCX8Ct3K7Hq1jI7ZktlquPCCy9XHq9aQY8XTxmdtRevtclKgYTwDh +w+D/KbE8vTZ6o7JoubA3MKf4k3S8qL/0rIyaC6h0EpiWoMy1TdNMMK7BT4kl6Vz4 +W6KmNgOux1Pzku5ULM4WuOzmwW+NAzpOLJowfDs1ZC2RM3+g9i1/DmwWtCHngvGD ++clA0I0agXxo05toOBTfwxd2gWYczuo/Ole16fYTzqT6n0DHqOjjcc9A7EmC72fQ +J+hHAqM+4+CbEGuMpNnTMpCZs98bcK3Rqx/bDJYtbclZzm5O/V4nVbDrJZKzpgA1 +KuzNMLkr62P6/t15UsStgmrlTILmE5NG0CR1mj/46+mNbsMZCel3dcvnT1Zf4rTq +QxMC7Dd/DECKQVC339G/BRfNyhOk2S1mZR/g1uS4bznL+tiwudDh/TAi5C3ZBDMh +0muwD9caXS/QFIBWtb2ai3IcpU357R/ERPKLcWYtoYJ80RuKi6XYr1WxSPBmd5Qm +wuncye+wR2dveo2jnIXZGUSgz50ZNgBxs/cYWAQ8J6KMgIBa+JY2qalzvIGbrC5x +Sr+CkhS8vrktfnRgc8yBssJnvNfqXA== +=pKgS +-----END PGP PUBLIC KEY BLOCK----- diff --git a/SOURCES/release.json b/SOURCES/release.json index 2c639f2..0da99bb 100644 --- a/SOURCES/release.json +++ b/SOURCES/release.json 
@@ -1,9 +1,10 @@
 {
- "release": "8.0.0-preview.7",
+ "release": "8.0.8",
 "channel": "8.0",
- "tag": "v8.0.0-preview.7.23375.6",
- "sdkVersion": "8.0.100-preview.7.23376.3",
- "runtimeVersion": "8.0.0-preview.7.23375.6",
+ "tag": "v8.0.8",
+ "sdkVersion": "8.0.108",
+ "runtimeVersion": "8.0.8",
+ "aspNetCoreVersion": "8.0.8",
 "sourceRepository": "https://github.com/dotnet/dotnet",
- "sourceVersion": "a4e1c155baee463805c5af89adb4cb1165df9ad0"
+ "sourceVersion": "e78e8a64f20e61e1fea4f24afca66ad1dc56285f"
 }
diff --git a/SOURCES/runtime-openssl-sha1.patch b/SOURCES/runtime-openssl-sha1.patch
new file mode 100644
index 0000000..6e307ef
--- /dev/null
+++ b/SOURCES/runtime-openssl-sha1.patch
@@ -0,0 +1,34 @@
+From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
+From: Tom Deseyn
+Date: Wed, 28 Feb 2024 14:08:15 +0100
+Subject: [PATCH] Allow certificate validation with SHA-1 signatures.
+
+RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
+validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
+with a chain where the last certificate uses a SHA-1 signature.
+
+This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
+OpenSSL behavior for certificate validation.
+---
+ .../libs/System.Security.Cryptography.Native/pal_x509.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+index 04c6ba06cd..2cd3413dae 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5
+
+ int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
+
+- if (val != 0)
+- {
+- X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
+- }
+-
+ return val;
+ }
+
+--
+2.43.2
+
diff --git a/SOURCES/runtime-re-enable-implicit-rejection.patch b/SOURCES/runtime-re-enable-implicit-rejection.patch
new file mode 100644
index 0000000..a2e5614
--- /dev/null
+++ b/SOURCES/runtime-re-enable-implicit-rejection.patch
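Review bot: Dropping `X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE)` from `CryptoNative_X509StoreCtxInit` affects every chain, not only chains whose last certificate carries a SHA-1 signature, so the self-signature of a self-signed last certificate is no longer verified on this path at all. That is wider than the subject line suggests, and a caller that tolerates an unknown root but still relies on the reported signature status may now see a different result (inferred; the managed callers are outside the hunk). A comment left where the block was removed, for example `/* RHEL: X509_V_FLAG_CHECK_SS_SIGNATURE deliberately not set, see RHEL-25254 */`, would stop a later rebase from silently restoring the flag. A test that validates a chain ending in a SHA-1 self-signed certificate would pin the intended behaviour.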
@@ -0,0 +1,142 @@
+From 5fdc289903bd3a77d455583650b00297da0cae8f Mon Sep 17 00:00:00 2001
+From: Omair Majid
+Date: Fri, 2 Feb 2024 15:51:23 -0500
+Subject: [PATCH] Revert "Disable implicit rejection for RSA PKCS#1 (#95216)"
+
+This reverts commit a5fc8ff9b03ffb2fdb81dad524ad1a20a0714995.
+
+To quote Clemens Lang:
+
+> [Disabling implcit rejection] re-enables a Bleichenbacher timing oracle
+> attack against PKCS#1v1.5 decryption. See
+> https://people.redhat.com/~hkario/marvin/ for details and
+> https://github.com/dotnet/runtime/pull/95157#issuecomment-1842784399 for a
+> comment by the researcher who published the vulnerability and proposed the
+> change in OpenSSL.
+
+For more details, see:
+https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314
+---
+ .../RSA/EncryptDecrypt.cs | 49 ++++---------------
+ .../opensslshim.h | 6 ---
+ .../pal_evp_pkey_rsa.c | 13 -----
+ 3 files changed, 10 insertions(+), 58 deletions(-)
+
+diff --git a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+index 39f3ebc82ec..5b97f468a42 100644
+--- a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
++++ b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+@@ -353,10 +353,19 @@ private void RsaCryptRoundtrip(RSAEncryptionPadding paddingMode, bool expectSucc
+ Assert.Equal(TestData.HelloBytes, output);
+ }
+
+- [ConditionalFact(nameof(PlatformSupportsEmptyRSAEncryption))]
++ [ConditionalFact]
+ [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework)]
+ public void RoundtripEmptyArray()
+ {
++ if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
++ {
++ throw new SkipTestException("iOS prior to 13.6 does not reliably support RSA encryption of empty data.");
++ }
++ if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
++ {
++ throw new SkipTestException("tvOS prior to 14.0 does not reliably support RSA encryption of empty data.");
++ }
++
+ using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
+ {
+ void RoundtripEmpty(RSAEncryptionPadding paddingMode)
+@@ -757,23 +746,5 @@ public static IEnumerable OaepPaddingModes
+ }
+ }
+ }
+-
+- public static bool PlatformSupportsEmptyRSAEncryption
+- {
+- get
+- {
+- if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
+- {
+- return false;
+- }
+-
+- if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
+- {
+- return false;
+- }
+-
+- return true;
+- }
+- }
+ }
+ }
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+index 0748e305d5c..cf10d2f7949 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+@@ -296,10 +296,8 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
+ REQUIRED_FUNCTION(ERR_peek_error) \
+ REQUIRED_FUNCTION(ERR_peek_error_line) \
+ REQUIRED_FUNCTION(ERR_peek_last_error) \
+- REQUIRED_FUNCTION(ERR_pop_to_mark) \
+ FALLBACK_FUNCTION(ERR_put_error) \
+ REQUIRED_FUNCTION(ERR_reason_error_string) \
+- REQUIRED_FUNCTION(ERR_set_mark) \
+ LIGHTUP_FUNCTION(ERR_set_debug) \
+ LIGHTUP_FUNCTION(ERR_set_error) \
+ REQUIRED_FUNCTION(EVP_aes_128_cbc) \
+@@ -355,7 +353,6 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
+ REQUIRED_FUNCTION(EVP_PKCS82PKEY) \
+ REQUIRED_FUNCTION(EVP_PKEY2PKCS8) \
+ REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl) \
+- REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl_str) \
+ REQUIRED_FUNCTION(EVP_PKEY_CTX_free) \
+ REQUIRED_FUNCTION(EVP_PKEY_CTX_get0_pkey) \
+ REQUIRED_FUNCTION(EVP_PKEY_CTX_new) \
+@@ -797,10 +794,8 @@ FOR_ALL_OPENSSL_FUNCTIONS
+ #define ERR_peek_error_line ERR_peek_error_line_ptr
+ #define ERR_peek_last_error ERR_peek_last_error_ptr
+ #define ERR_put_error ERR_put_error_ptr
+-#define ERR_pop_to_mark ERR_pop_to_mark_ptr
+ #define ERR_reason_error_string ERR_reason_error_string_ptr
+ #define ERR_set_debug ERR_set_debug_ptr
+-#define ERR_set_mark ERR_set_mark_ptr
+ #define ERR_set_error ERR_set_error_ptr
+ #define EVP_aes_128_cbc EVP_aes_128_cbc_ptr
+ #define EVP_aes_128_cfb8 EVP_aes_128_cfb8_ptr
+@@ -855,7 +850,6 @@ FOR_ALL_OPENSSL_FUNCTIONS
+ #define EVP_PKCS82PKEY EVP_PKCS82PKEY_ptr
+ #define EVP_PKEY2PKCS8 EVP_PKEY2PKCS8_ptr
+ #define EVP_PKEY_CTX_ctrl EVP_PKEY_CTX_ctrl_ptr
+-#define EVP_PKEY_CTX_ctrl_str EVP_PKEY_CTX_ctrl_str_ptr
+ #define EVP_PKEY_CTX_free EVP_PKEY_CTX_free_ptr
+ #define EVP_PKEY_CTX_get0_pkey EVP_PKEY_CTX_get0_pkey_ptr
+ #define EVP_PKEY_CTX_new EVP_PKEY_CTX_new_ptr
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+index 043bf9f9d1e..c9ccdf33e3a 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+@@ -67,19 +67,6 @@ static bool ConfigureEncryption(EVP_PKEY_CTX* ctx, RsaPaddingMode padding, const
+ {
+ return false;
+ }
+-
+- // OpenSSL 3.2 introduced a change where PKCS#1 RSA decryption does not fail for invalid padding.
+- // If the padding is invalid, the decryption operation returns random data.
+- // See https://github.com/openssl/openssl/pull/13817 for background.
+- // Some Linux distributions backported this change to previous versions of OpenSSL.
+- // Here we do a best-effort to set a flag to revert the behavior to failing if the padding is invalid.
+- ERR_set_mark();
+-
+- EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0");
+-
+- // Undo any changes to the error queue that may have occured while configuring implicit rejection if the
+- // current version does not support implicit rejection.
+- ERR_pop_to_mark();
+ }
+ else
+ {
+--
+2.43.0
+
diff --git a/SPECS/dotnet8.0.spec b/SPECS/dotnet8.0.spec
index 5657dec..9a31b7d 100644
--- a/SPECS/dotnet8.0.spec
+++ b/SPECS/dotnet8.0.spec
@@ -1,4 +1,4 @@
-%bcond_without bootstrap
+%bcond_with bootstrap
 
 # LTO triggers a compilation error for a source level issue. Given that LTO should not
 # change the validity of any given source and the nature of the error (undefined enum), I
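Review bot: With `EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0")` removed from `ConfigureEncryption`, PKCS#1 v1.5 decryption of a ciphertext with invalid padding follows the OpenSSL default, which according to the removed comment returns random data instead of failing on builds that carry the change. The patch leaves no note of that at the call site, so a short comment where the block was removed, such as `// Implicit rejection stays at the OpenSSL default (Marvin mitigation); invalid PKCS#1 v1.5 padding may yield random plaintext instead of an error`, would record that the behaviour is deliberate. The `EncryptDecrypt.cs` hunks come along with the revert and do not exercise the mitigation; any existing test that expects an exception for bad PKCS#1 v1.5 padding should be checked against the distribution's OpenSSL (not visible here). `ConfigureEncryption` starts and ends outside the quoted hunk.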
@@ -8,22 +8,21 @@ %global dotnetver 8.0 -%global host_version 8.0.0-preview.7.23375.6 -%global runtime_version 8.0.0-preview.7.23375.6 -%global aspnetcore_runtime_version 8.0.0-preview.7.23375.9 -%global sdk_version 8.0.100-preview.7.23376.1 +%global host_version 8.0.8 +%global runtime_version 8.0.8 +%global aspnetcore_runtime_version %{runtime_version} +%global sdk_version 8.0.108 %global sdk_feature_band_version %(echo %{sdk_version} | cut -d '-' -f 1 | sed -e 's|[[:digit:]][[:digit:]]$|00|') -%global templates_version 8.0.0-preview.7.23375.9 +%global templates_version %{runtime_version} #%%global templates_version %%(echo %%{runtime_version} | awk 'BEGIN { FS="."; OFS="." } {print $1, $2, $3+1 }') -# upstream can update releases without revving the SDK version so these don't always match -%global upstream_tag v8.0.0-preview.7.23375.6 +%global upstream_tag v%{runtime_version} %global upstream_tag_without_v %(echo %{upstream_tag} | sed -e 's|^v||') -%global host_rpm_version 8.0.0~preview.7 -%global runtime_rpm_version 8.0.0~preview.7 -%global aspnetcore_runtime_rpm_version 8.0.0~preview.7 -%global sdk_rpm_version 8.0.100~preview.7 +%global host_rpm_version %{host_version} +%global runtime_rpm_version %{runtime_version} +%global aspnetcore_runtime_rpm_version %{aspnetcore_runtime_version} +%global sdk_rpm_version %{sdk_version} %if 0%{?fedora} || 0%{?rhel} < 8 %global use_bundled_libunwind 0 
@@ -48,20 +47,20 @@ %global runtime_arch x64 %endif -%global mono_archs s390x ppc64le +%global mono_archs ppc64le s390x %{!?runtime_id:%global runtime_id %(. /etc/os-release ; echo "${ID}.${VERSION_ID%%.*}")-%{runtime_arch}} Name: dotnet%{dotnetver} Version: %{sdk_rpm_version} -Release: 0.2%{?dist} +Release: 2%{?dist} Summary: .NET Runtime and SDK License: 0BSD AND Apache-2.0 AND (Apache-2.0 WITH LLVM-exception) AND APSL-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSL-1.0 AND bzip2-1.0.6 AND CC0-1.0 AND CC-BY-3.0 AND CC-BY-4.0 AND CC-PDDC AND CNRI-Python AND EPL-1.0 AND GPL-2.0-only AND (GPL-2.0-only WITH GCC-exception-2.0) AND GPL-2.0-or-later AND GPL-3.0-only AND ICU AND ISC AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-Fedora-Public-Domain AND LicenseRef-ISO-8879 AND MIT AND MIT-Wu AND MS-PL AND MS-RL AND NCSA AND OFL-1.1 AND OpenSSL AND Unicode-DFS-2015 AND Unicode-DFS-2016 AND W3C-19980720 AND X11 AND Zlib URL: https://github.com/dotnet/ %if %{with bootstrap} -%global bootstrap_sdk_version 8.0.100-preview.6.23330.14 +%global bootstrap_sdk_version 8.0.100-rc.1.23410.12 %global tarball_name dotnet-%{upstream_tag}-x64-bootstrap # The source is generated on a Fedora box via: # ./build-dotnet-tarball --bootstrap %%{upstream_tag} 
@@ -73,16 +72,12 @@ Source2: dotnet-prebuilts-%{bootstrap_sdk_version}-ppc64le.tar.gz # Generated manually, same pattern as the arm64 tarball Source3: dotnet-prebuilts-%{bootstrap_sdk_version}-s390x.tar.gz %else -# For non-releases, the source is generated on a Fedora box via: -# ./build-dotnet-tarball %%{upstream_tag} or commit -%global tarball_name dotnet-sdk-source-%{upstream_tag} -Source0: https://github.com/dotnet/dotnet/archive/refs/tags/%{upstream_tag}.tar.gz#/dotnet-%{upstream_tag}.tar.gz +Source0: https://github.com/dotnet/dotnet/archive/refs/tags/%{upstream_tag}.tar.gz#/dotnet-%{upstream_tag_without_v}.tar.gz +Source1: https://github.com/dotnet/dotnet/archive/refs/tags/%{upstream_tag}.tar.gz#/dotnet-%{upstream_tag_without_v}.tar.gz.sig +Source2: https://dotnet.microsoft.com/download/dotnet/release-key-2023.asc %endif Source5: https://github.com/dotnet/dotnet/releases/download/%{upstream_tag}/release.json -#Source10: %%{tarball_name}-nm-dev.tgz -#Source11: %%{tarball_name}-nm-prod.tgz - Source20: check-debug-symbols.py Source21: dotnet.sh.in 
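Review bot: `Source1` uses the same download URL as `Source0` (`.../archive/refs/tags/%{upstream_tag}.tar.gz`) and only renames the result to `.tar.gz.sig` through the `#/` fragment, so anyone refetching sources from the spec would save the tarball under the signature's name and signature verification would then fail. The URL should point at the place where the detached signature is actually published; `Source5` fetches `release.json` from `releases/download/%{upstream_tag}/`, which may be where the `.sig` lives as well, but that needs confirming. Because `release-key-2023.asc` is the trust anchor for the source tarball, a comment next to `Source2` recording the expected fingerprint, `# Release key fingerprint: <FINGERPRINT>`, would let a reviewer check the committed key out-of-band.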
@@ -90,14 +85,18 @@ Source21: dotnet.sh.in Patch1: roslyn-analyzers-ppc64le-apphost.patch # https://github.com/dotnet/source-build/discussions/3481 Patch2: vstest-intent-net8.0.patch -# https://github.com/dotnet/source-build/issues/3571 -Patch3: fix-mono-typeloadexception.patch +# https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314 +Patch3: runtime-re-enable-implicit-rejection.patch +# https://github.com/dotnet/msbuild/pull/9449 +Patch4: msbuild-9449-exec-stop-setting-a-locale.patch +# We disable checking the signature of the last certificate in a chain if the certificate is supposedly self-signed. +# A side effect of not checking the self-signature of such a certificate is that disabled or unsupported message +# digests used for the signature are not treated as fatal errors. +# https://issues.redhat.com/browse/RHEL-25254 +Patch5: runtime-openssl-sha1.patch + -%if 0%{?fedora} || 0%{?rhel} >= 8 ExclusiveArch: aarch64 ppc64le s390x x86_64 -%else -ExclusiveArch: x86_64 -%endif BuildRequires: clang @@ -112,6 +111,7 @@ BuildRequires: git %if 0%{?fedora} || 0%{?rhel} > 7 BuildRequires: glibc-langpack-en %endif +BuildRequires: gnupg2 BuildRequires: hostname BuildRequires: krb5-devel BuildRequires: libicu-devel @@ -265,6 +265,18 @@ It particularly focuses on creating console applications, web applications and micro-services. +%package -n dotnet-runtime-dbg-%{dotnetver} + +Version: %{runtime_rpm_version} +Summary: Managed debug symbols NET %{dotnetver} runtime + +Requires: dotnet-runtime-%{dotnetver}%{?_isa} = %{runtime_rpm_version}-%{release} + +%description -n dotnet-runtime-dbg-%{dotnetver} +This package contains the managed symbol (pdb) files useful to debug the +managed parts of the .NET runtime itself. + + %package -n aspnetcore-runtime-%{dotnetver} Version: %{aspnetcore_runtime_rpm_version} 
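Review bot: The `Summary` of the new `dotnet-runtime-dbg-%{dotnetver}` subpackage reads `Managed debug symbols NET %{dotnetver} runtime`, which has lost the words "for the ." that the other `-dbg` summaries carry. Suggested line: `Summary: Managed debug symbols for the .NET %{dotnetver} runtime`.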
@@ -284,6 +296,18 @@ It particularly focuses on creating console applications, web applications and micro-services. +%package -n aspnetcore-runtime-dbg-%{dotnetver} + +Version: %{aspnetcore_runtime_rpm_version} +Summary: Managed debug symbols for the ASP.NET Core %{dotnetver} runtime + +Requires: aspnetcore-runtime-%{dotnetver}%{?_isa} = %{aspnetcore_runtime_rpm_version}-%{release} + +%description -n aspnetcore-runtime-dbg-%{dotnetver} +This package contains the managed symbol (pdb) files useful to debug the +managed parts of the ASP.NET Core runtime itself. + + %package -n dotnet-templates-%{dotnetver} Version: %{sdk_rpm_version} @@ -331,6 +355,18 @@ It particularly focuses on creating console applications, web applications and micro-services. +%package -n dotnet-sdk-dbg-%{dotnetver} + +Version: %{sdk_rpm_version} +Summary: Managed debug symbols for the .NET %{dotnetver} Software Development Kit + +Requires: dotnet-sdk-%{dotnetver}%{?_isa} = %{sdk_rpm_version}-%{release} + +%description -n dotnet-sdk-dbg-%{dotnetver} +This package contains the managed symbol (pdb) files useful to debug the .NET +Software Development Kit (SDK) itself. + + %global dotnet_targeting_pack() %{expand: %package -n %{1} @@ -368,6 +404,8 @@ These are not meant for general use. %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' + release_json_tag=$(grep tag %{SOURCE5} | cut -d: -f2 | sed -E 's/[," ]*//g') if [[ ${release_json_tag} != %{upstream_tag} ]]; then echo "error: tag in release.json doesn't match tag in spec file" @@ -375,7 +413,7 @@ if [[ ${release_json_tag} != %{upstream_tag} ]]; then fi %if %{without bootstrap} -%setup -q -n dotnet-%{upstream_tag} +%setup -q -n dotnet-%{upstream_tag_without_v} # Remove all prebuilts find -iname '*.dll' -type f -delete 
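Review bot: The `%{gpgverify}` line added at the top of `%prep` sits outside the `%if %{without bootstrap}` block, but `Source1` and `Source2` are the signature and the key only in the non-bootstrap branch of the source list; in the bootstrap branch `Source2` is a prebuilts tarball (and `Source1` presumably too), so a bootstrap build would pass a tarball to `--keyring` and fail. Wrapping the call as `%if %{without bootstrap}`, `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'`, `%endif` keeps bootstrap builds working. That leaves the bootstrap inputs without any signature check, which deserves a comment in the spec so the gap is a recorded decision.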
@@ -495,12 +533,6 @@ export EXTRA_LDFLAGS="$LDFLAGS" # suggested compile-time change doesn't work, unfortunately. export COMPlus_LTTng=0 -# OpenSSL 3.0 in RHEL 9 and newer versions of Fedora has disabled -# SHA1, used by .NET for strong name signing. See -# https://github.com/dotnet/runtime/issues/67304 -# https://gitlab.com/redhat/centos-stream/rpms/openssl/-/commit/78fb78d30755ae18fdaef28ef392f4e67c662ff6 -export OPENSSL_ENABLE_SHA1_SIGNATURES=1 - VERBOSE=1 ./build.sh \ %if %{without bootstrap} --with-sdk previously-built-dotnet \ @@ -522,14 +554,14 @@ sed -e 's|[@]LIBDIR[@]|%{_libdir}|g' %{SOURCE21} > dotnet.sh %install install -dm 0755 %{buildroot}%{_libdir}/dotnet ls artifacts/%{runtime_arch}/Release -tar xf artifacts/%{runtime_arch}/Release/dotnet-sdk-%{sdk_version}-%{runtime_id}.tar.gz -C %{buildroot}%{_libdir}/dotnet/ +mkdir -p built-sdk +tar xf artifacts/%{runtime_arch}/Release/dotnet-sdk-%{sdk_version}-%{runtime_id}.tar.gz -C built-sdk/ -# See https://github.com/dotnet/source-build/issues/2579 -find %{buildroot}%{_libdir}/dotnet/ -type f -name 'testhost.x86' -delete -find %{buildroot}%{_libdir}/dotnet/ -type f -name 'vstest.console' -delete - -# https://github.com/dotnet/source-build/issues/3452 -find %{buildroot}%{_libdir}/dotnet/ -type f -name 'containerize' -delete +# Convert hardlinks to actual copies. This takes up quite a bit of +# extra disk space, but works around RHEL issues in post-rpmbuild tools +# when they encounter hardlinks. +cp -r --preserve=mode,ownership,timestamps built-sdk/* %{buildroot}%{_libdir}/dotnet/ +ls %{buildroot}%{_libdir}/dotnet # Delete bundled certificates: we want to use the system store only, # except for when we have no other choice and ca-certificates doesn't 
@@ -543,12 +575,12 @@ if [[ $(find %{buildroot}%{_libdir}/dotnet -name '*.pem' -print | wc -l) != 1 ]] fi # Install managed symbols -tar xf artifacts/%{runtime_arch}/Release/runtime/dotnet-runtime-symbols-%{runtime_id}-%{runtime_version}.tar.gz \ - -C %{buildroot}/%{_libdir}/dotnet/shared/Microsoft.NETCore.App/%{runtime_version}/ +tar xf artifacts/%{runtime_arch}/Release/dotnet-symbols-sdk-%{sdk_version}*-%{runtime_id}.tar.gz \ + -C %{buildroot}%{_libdir}/dotnet/ +find %{buildroot}%{_libdir}/dotnet/packs -iname '*.pdb' -delete # Fix executable permissions on files find %{buildroot}%{_libdir}/dotnet/ -type f -name 'apphost' -exec chmod +x {} \; -#find %{buildroot}%{_libdir}/dotnet/ -type f -name 'containerize' -exec chmod +x {} \; find %{buildroot}%{_libdir}/dotnet/ -type f -name 'singlefilehost' -exec chmod +x {} \; find %{buildroot}%{_libdir}/dotnet/ -type f -name 'lib*so' -exec chmod +x {} \; find %{buildroot}%{_libdir}/dotnet/ -type f -name '*.a' -exec chmod -x {} \; 
@@ -601,6 +633,14 @@ echo "Testing build results for debug symbols..." %{SOURCE20} -v %{buildroot}%{_libdir}/dotnet/ +find %{buildroot}%{_libdir}/dotnet/shared/Microsoft.NETCore.App -type f -and -not -name '*.pdb' | sed -E 's|%{buildroot}||' > dotnet-runtime-non-dbg-files +find %{buildroot}%{_libdir}/dotnet/shared/Microsoft.NETCore.App -type f -name '*.pdb' | sed -E 's|%{buildroot}||' > dotnet-runtime-dbg-files +find %{buildroot}%{_libdir}/dotnet/shared/Microsoft.AspNetCore.App -type f -and -not -name '*.pdb' | sed -E 's|%{buildroot}||' > aspnetcore-runtime-non-dbg-files +find %{buildroot}%{_libdir}/dotnet/shared/Microsoft.AspNetCore.App -type f -name '*.pdb' | sed -E 's|%{buildroot}||' > aspnetcore-runtime-dbg-files +find %{buildroot}%{_libdir}/dotnet/sdk -type d | tail -n +2 | sed -E 's|%{buildroot}||' | sed -E 's|^|%dir |' > dotnet-sdk-non-dbg-files +find %{buildroot}%{_libdir}/dotnet/sdk -type f -and -not -name '*.pdb' | sed -E 's|%{buildroot}||' >> dotnet-sdk-non-dbg-files +find %{buildroot}%{_libdir}/dotnet/sdk -type f -name '*.pdb' | sed -E 's|%{buildroot}||' > dotnet-sdk-dbg-files + %check %if 0%{?fedora} > 35 
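Review bot: The generated `%files` lists strip the build root with `sed -E 's|%{buildroot}||'`, which is unanchored and treats the build root path as a regular expression, so the match is not tied to the start of each path; `sed -E 's|^%{buildroot}||'` states the intent. Only the SDK list receives `%dir` entries, while the runtime and ASP.NET Core lists are built from `-type f` alone, so any subdirectory below the versioned directories would be left unowned and symlinks would not be listed at all (whether either exists in the built tree is not visible here). A one-line comment above the block saying that it splits each tree into `.pdb` and non-`.pdb` lists for the `-dbg` subpackages would help the next maintainer.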
@@ -637,36 +677,115 @@ export COMPlus_LTTng=0 %dir %{_libdir}/dotnet/host/fxr %{_libdir}/dotnet/host/fxr/%{host_version} -%files -n dotnet-runtime-%{dotnetver} +%files -n dotnet-runtime-%{dotnetver} -f dotnet-runtime-non-dbg-files %dir %{_libdir}/dotnet/shared %dir %{_libdir}/dotnet/shared/Microsoft.NETCore.App -%{_libdir}/dotnet/shared/Microsoft.NETCore.App/%{runtime_version} +%dir %{_libdir}/dotnet/shared/Microsoft.NETCore.App/%{runtime_version} -%files -n aspnetcore-runtime-%{dotnetver} +%files -n dotnet-runtime-dbg-%{dotnetver} -f dotnet-runtime-dbg-files + +%files -n aspnetcore-runtime-%{dotnetver} -f aspnetcore-runtime-non-dbg-files %dir %{_libdir}/dotnet/shared %dir %{_libdir}/dotnet/shared/Microsoft.AspNetCore.App -%{_libdir}/dotnet/shared/Microsoft.AspNetCore.App/%{aspnetcore_runtime_version} +%dir %{_libdir}/dotnet/shared/Microsoft.AspNetCore.App/%{aspnetcore_runtime_version} + +%files -n aspnetcore-runtime-dbg-%{dotnetver} -f aspnetcore-runtime-dbg-files %files -n dotnet-templates-%{dotnetver} %dir %{_libdir}/dotnet/templates %{_libdir}/dotnet/templates/%{templates_version} -%files -n dotnet-sdk-%{dotnetver} +%files -n dotnet-sdk-%{dotnetver} -f dotnet-sdk-non-dbg-files %dir %{_libdir}/dotnet/sdk -%{_libdir}/dotnet/sdk/%{sdk_version} %dir %{_libdir}/dotnet/sdk-manifests %{_libdir}/dotnet/sdk-manifests/%{sdk_feature_band_version}* %{_libdir}/dotnet/metadata %dir %{_libdir}/dotnet/packs +%dir %{_libdir}/dotnet/packs/Microsoft.AspNetCore.App.Runtime.%{runtime_id} %{_libdir}/dotnet/packs/Microsoft.AspNetCore.App.Runtime.%{runtime_id}/%{aspnetcore_runtime_version} +%dir %{_libdir}/dotnet/packs/Microsoft.NETCore.App.Runtime.%{runtime_id} %{_libdir}/dotnet/packs/Microsoft.NETCore.App.Runtime.%{runtime_id}/%{runtime_version} +%files -n dotnet-sdk-dbg-%{dotnetver} -f dotnet-sdk-dbg-files + %files -n dotnet-sdk-%{dotnetver}-source-built-artifacts %dir %{_libdir}/dotnet %{_libdir}/dotnet/source-built-artifacts %changelog +* Wed Aug 14 2024 Omair Majid - 8.0.108-2 
+- Update to .NET SDK 8.0.108 and Runtime 8.0.8 +- Resolves: RHEL-52387 + +* Wed Jul 10 2024 Omair Majid - 8.0.107-3 +- Fix ownership of some missed directories +- Resolves: RHEL-47079 + +* Tue Jul 09 2024 Omair Majid - 8.0.107-2 +- Update to .NET SDK 8.0.107 and Runtime 8.0.7 +- Resolves: RHEL-45323 + +* Wed May 15 2024 Omair Majid - 8.0.105-2 +- Update to .NET SDK 8.0.105 and Runtime 8.0.5 +- Resolves: RHEL-35315 + +* Tue Apr 09 2024 Omair Majid - 8.0.104-2 +- Update to .NET SDK 8.0.104 and Runtime 8.0.4 +- Resolves: RHEL-31208 + +* Sun Mar 31 2024 Tom Deseyn - 8.0.103-3 +- We disable checking the signature of the last certificate in a chain if the certificate is supposedly self-signed. + A side effect of not checking the self-signature of such a certificate is that disabled or unsupported message + digests used for the signature are not treated as fatal errors. +- Resolves: RHEL-28344 + +* Tue Mar 19 2024 Omair Majid - 8.0.103-2 +- Update to .NET SDK 8.0.103 and Runtime 8.0.3 +- Resolves: RHEL-27553 + +* Tue Feb 20 2024 Tom Deseyn - 8.0.102-3 +- Backport MSBuild locale fix +- Resolves: RHEL-23936 + +* Wed Feb 14 2024 Omair Majid - 8.0.102-2 +- Update to .NET SDK 8.0.102 and Runtime 8.0.2 +- Resolves: RHEL-23804 + +* Mon Jan 29 2024 Omair Majid - 8.0.101-3 +- Add -dbg subpackages for symbol files +- Resolves: RHEL-23070 + +* Mon Jan 15 2024 Omair Majid - 8.0.101-2 +- Update to .NET SDK 8.0.101 and Runtime 8.0.1 +- Resolves: RHEL-19803 + +* Wed Nov 15 2023 Omair Majid - 8.0.100-3 +- Update to .NET SDK 8.0.100 and Runtime 8.0.0 +- Resolves: RHEL-15352 + +* Mon Oct 16 2023 Omair Majid - 8.0.100~rc.2-0.1 +- Update to .NET 8 RC 2 +- Resolves: RHEL-13790 + +* Thu Sep 28 2023 Omair Majid - 8.0.100~rc.1-0.4 +- Disable bootstrap +- Related: RHEL-4074 + +* Wed Sep 27 2023 Omair Majid - 8.0.100~rc.1-0.3 +- Add backported patches for additional s390x issues +- Related: RHEL-4074 + +* Mon Sep 18 2023 Omair Majid - 8.0.100~rc.1-0.2 +- Add patches to fix mono and arm64 issues 
+- Include libmono-*.a files in the SDK +- Fix CI configuration +- Related: RHEL-4074 + +* Fri Sep 15 2023 Omair Majid - 8.0.100~rc.1-0.1 +- Update to .NET SDK 8.0.100 RC 1 and Runtime 8.0.0 RC 1 +- Resolves: RHEL-4074 + * Tue Aug 22 2023 Omair Majid - 8.0.100~preview.7-0.2 - Add patch to work around TypeLoadException in Mono - Related: RHBZ#2224124