Update to .NET SDK 8.0.105 and Runtime 8.0.5

Resolves: RHEL-35315

.gitignore

@@ -35,3 +35,12 @@
 /dotnet-prebuilts-8.0.100-rc.1.23410.12-s390x.tar.gz
 /dotnet-v8.0.0-rc.1.23419.4.tar.gz
 /dotnet-v8.0.0-rc.2.23479.6.tar.gz
+/dotnet-v8.0.0.tar.gz
+/dotnet-v8.0.1.tar.gz
+/dotnet-v8.0.2.tar.gz
+/dotnet-8.0.3.tar.gz
+/dotnet-8.0.3.tar.gz.sig
+/dotnet-8.0.4.tar.gz
+/dotnet-8.0.4.tar.gz.sig
+/dotnet-8.0.5.tar.gz
+/dotnet-8.0.5.tar.gz.sig

dotnet-3673-rc2-version-mismatch.patch

@@ -1,38 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Matt Thalman <mthalman@microsoft.com>
-Date: Tue, 24 Oct 2023 16:20:26 -0500
-Subject: [PATCH] Use correct runtime package version
-
----
- prereqs/git-info/AllRepoVersions.props | 2 +-
- prereqs/git-info/runtime.props         | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/prereqs/git-info/AllRepoVersions.props b/prereqs/git-info/AllRepoVersions.props
-index 79a789e1cd..a3f3ccf094 100644
---- a/prereqs/git-info/AllRepoVersions.props
-+++ b/prereqs/git-info/AllRepoVersions.props
-@@ -32,7 +32,7 @@
-     <roslynGitCommitHash>bdd9c5ba66b00beebdc3516acc5e29b83efd89af</roslynGitCommitHash>
-     <roslynOutputPackageVersion>4.8.0-3.23471.11</roslynOutputPackageVersion>
-     <runtimeGitCommitHash>0b25e38ad32a69cd83ae246104b32449203cc71c</runtimeGitCommitHash>
--    <runtimeOutputPackageVersion>8.0.0-rc.2.23475.17</runtimeOutputPackageVersion>
-+    <runtimeOutputPackageVersion>8.0.0-rc.2.23479.6</runtimeOutputPackageVersion>
-     <sdkGitCommitHash>67e671f384bee6937630b52b02cc78e69b27e280</sdkGitCommitHash>
-     <sdkOutputPackageVersion>8.0.100-rc.2.23480.5</sdkOutputPackageVersion>
-     <sourcebuildexternalsGitCommitHash>6dbf3aaa0fc9664df86462f5c70b99800934fccd</sourcebuildexternalsGitCommitHash>
-diff --git a/prereqs/git-info/runtime.props b/prereqs/git-info/runtime.props
-index 546469c3a0..20c2bf8840 100644
---- a/prereqs/git-info/runtime.props
-+++ b/prereqs/git-info/runtime.props
-@@ -2,8 +2,8 @@
- <Project>
-   <PropertyGroup>
-     <GitCommitHash>0b25e38ad32a69cd83ae246104b32449203cc71c</GitCommitHash>
--    <OfficialBuildId>20230925.17</OfficialBuildId>
--    <OutputPackageVersion>8.0.0-rc.2.23475.17</OutputPackageVersion>
-+    <OfficialBuildId>20230929.6</OfficialBuildId>
-+    <OutputPackageVersion>8.0.0-rc.2.23479.6</OutputPackageVersion>
-     <PreReleaseVersionLabel>rc.2</PreReleaseVersionLabel>
-     <IsStable>false</IsStable>
-   </PropertyGroup>

dotnet8.0.spec

@@ -8,22 +8,21 @@
 
 %global dotnetver 8.0
 
-%global host_version 8.0.0-rc.2.23479.6
-%global runtime_version 8.0.0-rc.2.23479.6
-%global aspnetcore_runtime_version 8.0.0-rc.2.23480.2
-%global sdk_version 8.0.100-rc.2.23502.1
+%global host_version 8.0.5
+%global runtime_version 8.0.5
+%global aspnetcore_runtime_version %{runtime_version}
+%global sdk_version 8.0.105
 %global sdk_feature_band_version %(echo %{sdk_version} | cut -d '-' -f 1 | sed -e 's|[[:digit:]][[:digit:]]$|00|')
-%global templates_version 8.0.0-rc.2.23480.2
+%global templates_version %{runtime_version}
 #%%global templates_version %%(echo %%{runtime_version} | awk 'BEGIN { FS="."; OFS="." } {print $1, $2, $3+1 }')
 
-# upstream can produce releases with a different tag than the SDK version
-%global upstream_tag v8.0.0-rc.2.23479.6
+%global upstream_tag v%{runtime_version}
 %global upstream_tag_without_v %(echo %{upstream_tag} | sed -e 's|^v||')
 
-%global host_rpm_version 8.0.0~rc.2
-%global runtime_rpm_version 8.0.0~rc.2
-%global aspnetcore_runtime_rpm_version 8.0.0~rc.2
-%global sdk_rpm_version 8.0.100~rc.2
+%global host_rpm_version %{host_version}
+%global runtime_rpm_version %{runtime_version}
+%global aspnetcore_runtime_rpm_version %{aspnetcore_runtime_version}
+%global sdk_rpm_version %{sdk_version}
 
 %if 0%{?fedora} || 0%{?rhel} < 8
 %global use_bundled_libunwind 0
@@ -48,13 +47,13 @@
 %global runtime_arch x64
 %endif
 
-%global mono_archs s390x ppc64le
+%global mono_archs ppc64le s390x
 
 %{!?runtime_id:%global runtime_id %(. /etc/os-release ; echo "${ID}.${VERSION_ID%%.*}")-%{runtime_arch}}
 
 Name:           dotnet%{dotnetver}
 Version:        %{sdk_rpm_version}
-Release:        0.1%{?dist}
+Release:        2%{?dist}
 Summary:        .NET Runtime and SDK
 License:        0BSD AND Apache-2.0 AND (Apache-2.0 WITH LLVM-exception) AND APSL-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSL-1.0 AND bzip2-1.0.6 AND CC0-1.0 AND CC-BY-3.0 AND CC-BY-4.0 AND CC-PDDC AND CNRI-Python AND EPL-1.0 AND GPL-2.0-only AND (GPL-2.0-only WITH GCC-exception-2.0) AND GPL-2.0-or-later AND GPL-3.0-only AND ICU AND ISC AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-Fedora-Public-Domain AND LicenseRef-ISO-8879 AND MIT AND MIT-Wu AND MS-PL AND MS-RL AND NCSA AND OFL-1.1 AND OpenSSL AND Unicode-DFS-2015 AND Unicode-DFS-2016 AND W3C-19980720 AND X11 AND Zlib
 
@@ -73,16 +72,12 @@ Source2:        dotnet-prebuilts-%{bootstrap_sdk_version}-ppc64le.tar.gz
 # Generated manually, same pattern as the arm64 tarball
 Source3:        dotnet-prebuilts-%{bootstrap_sdk_version}-s390x.tar.gz
 %else
-# For non-releases, the source is generated on a Fedora box via:
-# ./build-dotnet-tarball %%{upstream_tag} or commit
-%global tarball_name dotnet-sdk-source-%{upstream_tag}
-Source0:        https://github.com/dotnet/dotnet/archive/refs/tags/%{upstream_tag}.tar.gz#/dotnet-%{upstream_tag}.tar.gz
+Source0:        https://github.com/dotnet/dotnet/archive/refs/tags/%{upstream_tag}.tar.gz#/dotnet-%{upstream_tag_without_v}.tar.gz
+Source1:        https://github.com/dotnet/dotnet/archive/refs/tags/%{upstream_tag}.tar.gz#/dotnet-%{upstream_tag_without_v}.tar.gz.sig
+Source2:        https://dotnet.microsoft.com/download/dotnet/release-key-2023.asc
 %endif
 Source5:        https://github.com/dotnet/dotnet/releases/download/%{upstream_tag}/release.json
 
-#Source10:       %%{tarball_name}-nm-dev.tgz
-#Source11:       %%{tarball_name}-nm-prod.tgz
-
 Source20:       check-debug-symbols.py
 Source21:       dotnet.sh.in
 
@@ -90,19 +85,18 @@ Source21:       dotnet.sh.in
 Patch1:         roslyn-analyzers-ppc64le-apphost.patch
 # https://github.com/dotnet/source-build/discussions/3481
 Patch2:         vstest-intent-net8.0.patch
-# https://github.com/dotnet/runtime/pull/92274
-Patch3:         runtime-92274-webcil-s390x.patch
-# https://github.com/dotnet/runtime/pull/92920
-Patch4:         runtime-92920-multiple-ssl-dirs.patch
-# https://github.com/dotnet/source-build/issues/3673
-Patch5:         dotnet-3673-rc2-version-mismatch.patch
+# https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314
+Patch3:         runtime-re-enable-implicit-rejection.patch
+# https://github.com/dotnet/msbuild/pull/9449
+Patch4:         msbuild-9449-exec-stop-setting-a-locale.patch
+# We disable checking the signature of the last certificate in a chain if the certificate is supposedly self-signed.
+# A side effect of not checking the self-signature of such a certificate is that disabled or unsupported message
+# digests used for the signature are not treated as fatal errors.
+# https://issues.redhat.com/browse/RHEL-25254
+Patch5:         runtime-openssl-sha1.patch
 
 
-%if 0%{?fedora} || 0%{?rhel} >= 8
 ExclusiveArch:  aarch64 ppc64le s390x x86_64
-%else
-ExclusiveArch:  x86_64
-%endif
 
 
 BuildRequires:  clang
@@ -117,6 +111,7 @@ BuildRequires:  git
 %if 0%{?fedora} || 0%{?rhel} > 7
 BuildRequires:  glibc-langpack-en
 %endif
+BuildRequires:  gnupg2
 BuildRequires:  hostname
 BuildRequires:  krb5-devel
 BuildRequires:  libicu-devel
@@ -270,6 +265,18 @@ It particularly focuses on creating console applications, web
 applications and micro-services.
 
 
+%package -n dotnet-runtime-dbg-%{dotnetver}
+
+Version:        %{runtime_rpm_version}
+Summary:        Managed debug symbols NET %{dotnetver} runtime
+
+Requires:       dotnet-runtime-%{dotnetver}%{?_isa} = %{runtime_rpm_version}-%{release}
+
+%description -n dotnet-runtime-dbg-%{dotnetver}
+This package contains the managed symbol (pdb) files useful to debug the
+managed parts of the .NET runtime itself.
+
+
 %package -n aspnetcore-runtime-%{dotnetver}
 
 Version:        %{aspnetcore_runtime_rpm_version}
@@ -289,6 +296,18 @@ It particularly focuses on creating console applications, web
 applications and micro-services.
 
 
+%package -n aspnetcore-runtime-dbg-%{dotnetver}
+
+Version:        %{aspnetcore_runtime_rpm_version}
+Summary:        Managed debug symbols for the ASP.NET Core %{dotnetver} runtime
+
+Requires:       aspnetcore-runtime-%{dotnetver}%{?_isa} = %{aspnetcore_runtime_rpm_version}-%{release}
+
+%description -n aspnetcore-runtime-dbg-%{dotnetver}
+This package contains the managed symbol (pdb) files useful to debug the
+managed parts of the ASP.NET Core runtime itself.
+
+
 %package -n dotnet-templates-%{dotnetver}
 
 Version:        %{sdk_rpm_version}
@@ -336,6 +355,18 @@ It particularly focuses on creating console applications, web
 applications and micro-services.
 
 
+%package -n dotnet-sdk-dbg-%{dotnetver}
+
+Version:        %{sdk_rpm_version}
+Summary:        Managed debug symbols for the .NET %{dotnetver} Software Development Kit
+
+Requires:       dotnet-sdk-%{dotnetver}%{?_isa} = %{sdk_rpm_version}-%{release}
+
+%description -n dotnet-sdk-dbg-%{dotnetver}
+This package contains the managed symbol (pdb) files useful to debug the .NET
+Software Development Kit (SDK) itself.
+
+
 %global dotnet_targeting_pack() %{expand:
 %package -n %{1}
 
@@ -373,6 +404,8 @@ These are not meant for general use.
 
 
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+
 release_json_tag=$(grep tag %{SOURCE5} | cut -d: -f2 | sed -E 's/[," ]*//g')
 if [[ ${release_json_tag} != %{upstream_tag} ]]; then
    echo "error: tag in release.json doesn't match tag in spec file"
@@ -542,8 +575,9 @@ if [[ $(find %{buildroot}%{_libdir}/dotnet -name '*.pem' -print | wc -l) != 1 ]]
 fi
 
 # Install managed symbols
-tar xf artifacts/%{runtime_arch}/Release/dotnet-runtime-symbols-%{runtime_id}-%{runtime_version}.tar.gz \
-   -C %{buildroot}%{_libdir}/dotnet/shared/Microsoft.NETCore.App/%{runtime_version}/
+tar xf artifacts/%{runtime_arch}/Release/dotnet-symbols-sdk-%{sdk_version}*-%{runtime_id}.tar.gz \
+   -C %{buildroot}%{_libdir}/dotnet/
+find %{buildroot}%{_libdir}/dotnet/packs -iname '*.pdb' -delete
 
 # Fix executable permissions on files
 find %{buildroot}%{_libdir}/dotnet/ -type f -name 'apphost' -exec chmod +x {} \;
@@ -599,6 +633,14 @@ echo "Testing build results for debug symbols..."
 %{SOURCE20} -v %{buildroot}%{_libdir}/dotnet/
 
 
+find %{buildroot}%{_libdir}/dotnet/shared/Microsoft.NETCore.App -type f -and -not -name '*.pdb' | sed -E 's|%{buildroot}||' > dotnet-runtime-non-dbg-files
+find %{buildroot}%{_libdir}/dotnet/shared/Microsoft.NETCore.App -type f -name '*.pdb'  | sed -E 's|%{buildroot}||' > dotnet-runtime-dbg-files
+find %{buildroot}%{_libdir}/dotnet/shared/Microsoft.AspNetCore.App -type f -and -not -name '*.pdb'  | sed -E 's|%{buildroot}||' > aspnetcore-runtime-non-dbg-files
+find %{buildroot}%{_libdir}/dotnet/shared/Microsoft.AspNetCore.App -type f -name '*.pdb' | sed -E 's|%{buildroot}||' > aspnetcore-runtime-dbg-files
+find %{buildroot}%{_libdir}/dotnet/sdk -type d | tail -n +2 | sed -E 's|%{buildroot}||' | sed -E 's|^|%dir |' > dotnet-sdk-non-dbg-files
+find %{buildroot}%{_libdir}/dotnet/sdk -type f -and -not -name '*.pdb' | sed -E 's|%{buildroot}||' >> dotnet-sdk-non-dbg-files
+find %{buildroot}%{_libdir}/dotnet/sdk -type f -name '*.pdb'  | sed -E 's|%{buildroot}||' > dotnet-sdk-dbg-files
+
 
 %check
 %if 0%{?fedora} > 35
@@ -635,23 +677,26 @@ export COMPlus_LTTng=0
 %dir %{_libdir}/dotnet/host/fxr
 %{_libdir}/dotnet/host/fxr/%{host_version}
 
-%files -n dotnet-runtime-%{dotnetver}
+%files -n dotnet-runtime-%{dotnetver} -f dotnet-runtime-non-dbg-files
 %dir %{_libdir}/dotnet/shared
 %dir %{_libdir}/dotnet/shared/Microsoft.NETCore.App
-%{_libdir}/dotnet/shared/Microsoft.NETCore.App/%{runtime_version}
+%dir %{_libdir}/dotnet/shared/Microsoft.NETCore.App/%{runtime_version}
 
-%files -n aspnetcore-runtime-%{dotnetver}
+%files -n dotnet-runtime-dbg-%{dotnetver} -f dotnet-runtime-dbg-files
+
+%files -n aspnetcore-runtime-%{dotnetver} -f aspnetcore-runtime-non-dbg-files
 %dir %{_libdir}/dotnet/shared
 %dir %{_libdir}/dotnet/shared/Microsoft.AspNetCore.App
-%{_libdir}/dotnet/shared/Microsoft.AspNetCore.App/%{aspnetcore_runtime_version}
+%dir %{_libdir}/dotnet/shared/Microsoft.AspNetCore.App/%{aspnetcore_runtime_version}
+
+%files -n aspnetcore-runtime-dbg-%{dotnetver} -f aspnetcore-runtime-dbg-files
 
 %files -n dotnet-templates-%{dotnetver}
 %dir %{_libdir}/dotnet/templates
 %{_libdir}/dotnet/templates/%{templates_version}
 
-%files -n dotnet-sdk-%{dotnetver}
+%files -n dotnet-sdk-%{dotnetver} -f dotnet-sdk-non-dbg-files
 %dir %{_libdir}/dotnet/sdk
-%{_libdir}/dotnet/sdk/%{sdk_version}
 %dir %{_libdir}/dotnet/sdk-manifests
 %{_libdir}/dotnet/sdk-manifests/%{sdk_feature_band_version}*
 %{_libdir}/dotnet/metadata
@@ -659,12 +704,52 @@ export COMPlus_LTTng=0
 %{_libdir}/dotnet/packs/Microsoft.AspNetCore.App.Runtime.%{runtime_id}/%{aspnetcore_runtime_version}
 %{_libdir}/dotnet/packs/Microsoft.NETCore.App.Runtime.%{runtime_id}/%{runtime_version}
 
+%files -n dotnet-sdk-dbg-%{dotnetver} -f dotnet-sdk-dbg-files
+
 %files -n dotnet-sdk-%{dotnetver}-source-built-artifacts
 %dir %{_libdir}/dotnet
 %{_libdir}/dotnet/source-built-artifacts
 
 
 %changelog
+* Wed May 15 2024 Omair Majid <omajid@redhat.com> - 8.0.105-2
+- Update to .NET SDK 8.0.105 and Runtime 8.0.5
+- Resolves: RHEL-35315
+
+* Tue Apr 09 2024 Omair Majid <omajid@redhat.com> - 8.0.104-2
+- Update to .NET SDK 8.0.104 and Runtime 8.0.4
+- Resolves: RHEL-31208
+
+* Sun Mar 31 2024 Tom Deseyn <tom.deseyn@gmail.com> - 8.0.103-3
+- We disable checking the signature of the last certificate in a chain if the certificate is supposedly self-signed.
+  A side effect of not checking the self-signature of such a certificate is that disabled or unsupported message
+  digests used for the signature are not treated as fatal errors.
+- Resolves: RHEL-28344
+
+* Tue Mar 19 2024 Omair Majid <omajid@redhat.com> - 8.0.103-2
+- Update to .NET SDK 8.0.103 and Runtime 8.0.3
+- Resolves: RHEL-27553
+
+* Tue Feb 20 2024 Tom Deseyn <tom.deseyn@gmail.com> - 8.0.102-3
+- Backport MSBuild locale fix
+- Resolves: RHEL-23936
+
+* Wed Feb 14 2024 Omair Majid <omajid@redhat.com> - 8.0.102-2
+- Update to .NET SDK 8.0.102 and Runtime 8.0.2
+- Resolves: RHEL-23804
+
+* Mon Jan 29 2024 Omair Majid <omajid@redhat.com> - 8.0.101-3
+- Add -dbg subpackages for symbol files
+- Resolves: RHEL-23070
+
+* Mon Jan 15 2024 Omair Majid <omajid@redhat.com> - 8.0.101-2
+- Update to .NET SDK 8.0.101 and Runtime 8.0.1
+- Resolves: RHEL-19803
+
+* Wed Nov 15 2023 Omair Majid <omajid@redhat.com> - 8.0.100-3
+- Update to .NET SDK 8.0.100 and Runtime 8.0.0
+- Resolves: RHEL-15352
+
 * Mon Oct 16 2023 Omair Majid <omajid@redhat.com> - 8.0.100~rc.2-0.1
 - Update to .NET 8 RC 2
 - Resolves: RHEL-13790

msbuild-9449-exec-stop-setting-a-locale.patch

@@ -0,0 +1,104 @@
+From 68fa6537305beda5cb059c898349f37bda285ca7 Mon Sep 17 00:00:00 2001
+From: Tom Deseyn <tom.deseyn@gmail.com>
+Date: Thu, 1 Feb 2024 09:23:16 +0100
+Subject: [PATCH 1/1] Exec: stop setting a locale on Unix.
+
+This backports a fix that is part of Microsoft's upcoming
+8.0.2xx SDK to the 8.0.1xx SDK that we package.
+
+This fix stops MSBuild Exec from printing warnings and/or
+failing in bash envionments where the glibc en_US locale
+is not available (which is common in container images).
+
+The backport includes the changewave opt-out that allows
+users to revert back to the previous behavior by setting
+the MSBUILDDISABLEFEATURESFROMVERSION envvar to the
+version where the feature is introduced ("17.10").
+---
+ src/msbuild/src/Framework/ChangeWaves.cs      |  3 +-
+ src/msbuild/src/Tasks.UnitTests/Exec_Tests.cs | 36 +++++++++++++++++++
+ src/msbuild/src/Tasks/Exec.cs                 |  7 +++-
+ 3 files changed, 44 insertions(+), 2 deletions(-)
+
+diff --git a/src/msbuild/src/Framework/ChangeWaves.cs b/src/msbuild/src/Framework/ChangeWaves.cs
+index 0050723798..1f925324ac 100644
+--- a/src/msbuild/src/Framework/ChangeWaves.cs
++++ b/src/msbuild/src/Framework/ChangeWaves.cs
+@@ -27,7 +27,8 @@ namespace Microsoft.Build.Framework
+         internal static readonly Version Wave17_4 = new Version(17, 4);
+         internal static readonly Version Wave17_6 = new Version(17, 6);
+         internal static readonly Version Wave17_8 = new Version(17, 8);
+-        internal static readonly Version[] AllWaves = { Wave17_4, Wave17_6, Wave17_8 };
++        internal static readonly Version Wave17_10 = new Version(17, 10);
++        internal static readonly Version[] AllWaves = { Wave17_4, Wave17_6, Wave17_8, Wave17_10 };
+ 
+         /// <summary>
+         /// Special value indicating that all features behind all Change Waves should be enabled.
+diff --git a/src/msbuild/src/Tasks.UnitTests/Exec_Tests.cs b/src/msbuild/src/Tasks.UnitTests/Exec_Tests.cs
+index cb468a6cce..c0598e4978 100644
+--- a/src/msbuild/src/Tasks.UnitTests/Exec_Tests.cs
++++ b/src/msbuild/src/Tasks.UnitTests/Exec_Tests.cs
+@@ -69,6 +69,42 @@ namespace Microsoft.Build.UnitTests
+             }
+         }
+ 
++        [UnixOnlyTheory]
++        [InlineData(true)]
++        [InlineData(false)]
++        public void ExecSetsLocaleOnUnix(bool enableChangeWave)
++        {
++            using (var env = TestEnvironment.Create())
++            {
++                env.SetEnvironmentVariable("LANG", null);
++                env.SetEnvironmentVariable("LC_ALL", null);
++
++                if (enableChangeWave)
++                {
++                    ChangeWaves.ResetStateForTests();
++                    // Important: use the version here
++                    env.SetEnvironmentVariable("MSBUILDDISABLEFEATURESFROMVERSION", ChangeWaves.Wave17_10.ToString());
++                    BuildEnvironmentHelper.ResetInstance_ForUnitTestsOnly();
++                }
++
++                Exec exec = PrepareExec("echo LANG=$LANG; echo LC_ALL=$LC_ALL;");
++                bool result = exec.Execute();
++                Assert.True(result);
++
++                MockEngine engine = (MockEngine)exec.BuildEngine;
++                if (enableChangeWave)
++                {
++                    engine.AssertLogContains("LANG=en_US.UTF-8");
++                    engine.AssertLogContains("LC_ALL=en_US.UTF-8");
++                }
++                else
++                {
++                    engine.AssertLogDoesntContain("LANG=en_US.UTF-8");
++                    engine.AssertLogDoesntContain("LC_ALL=en_US.UTF-8");
++                }
++            }
++        }
++
+         /// <summary>
+         /// Ensures that calling the Exec task does not leave any extra TEMP files
+         /// lying around.
+diff --git a/src/msbuild/src/Tasks/Exec.cs b/src/msbuild/src/Tasks/Exec.cs
+index dbf4be1fc5..9faaa68887 100644
+--- a/src/msbuild/src/Tasks/Exec.cs
++++ b/src/msbuild/src/Tasks/Exec.cs
+@@ -591,7 +591,12 @@ namespace Microsoft.Build.Tasks
+             {
+                 commandLine.AppendSwitch("-c");
+                 commandLine.AppendTextUnquoted(" \"");
+-                commandLine.AppendTextUnquoted("export LANG=en_US.UTF-8; export LC_ALL=en_US.UTF-8; . ");
++                bool setLocale = !ChangeWaves.AreFeaturesEnabled(ChangeWaves.Wave17_10);
++                if (setLocale)
++                {
++                    commandLine.AppendTextUnquoted("export LANG=en_US.UTF-8; export LC_ALL=en_US.UTF-8; ");
++                }
++                commandLine.AppendTextUnquoted(". ");
+                 commandLine.AppendFileNameIfNotNull(batchFileForCommandLine);
+                 commandLine.AppendTextUnquoted("\"");
+             }
+-- 
+2.43.0
+

release-key-2023.asc

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: BSN Pgp v1.1.0.0
+
+mQINBGUKsUYBEADVCJm4EhXALr1ld42kWeh/vM0XMZ2orNT6NRLDRYjpE4mm4UqA
+vpjfGCwt5fLcrT4yZng8ABkB3QwTsZzmxesAMD5AZR/gdU1G96DuDGsjp6zJvTuX
+zvz3PXUYfcl9n5X32acA6N9J5Xfp10xqX3oitUODBdYy/vKW/v/y87ZxgaR6a3wp
+pPJBJIVKwFJx13v4BHRsGp1fepliQcXPvmNKFNI20le5+FbLq6C9hY5wcwGHGfQr
+EokH79GsmqgSImqxDOIh06J5VfWA+JwV+3vf95pD8IUrRfGQ+GK7b1/bySxtM5Qa
+b/IDgvl/Qq3AzEpGarMBaqGbqMz1C7jd8Y6nyKMP/V+OCjbEdYNM8GRz6kBP3Un+
+Frat5Lc2o4DF+zB3PKIJS3hku5gwlJu6IU1F23vmYFtjUcpRGmyQZDoWyBbOWlB5
+4SXqVu16amUsRFYmOK8BJMjdotcVbriVIv6WRmugfhIMoRJzVGxYkdbuiuMAX69V
+xDoGpxX5A8S5A79y0USUVtadQfFavMTyb/gUuUe8oDsqK9gdI3ETxLYG4gYwauVX
+fCGfoLOKsq5dPzEuEA7GCRrMau+rHKFaM7BigSdnHFW7xNZ4v0YnXAagoqM2G5o5
+9sak0l57vxxTVk2V3iZzkoU2J2Zlyxyh72n5vjRmb7aNwmQh4Eav6a8ssQARAQAB
+tBlvbm54Y29yZWRldkBtaWNyb3NvZnQuY29tiQI4BBMBCAAiBQJlCrFGAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRD9v1PCTbSHLtfzEADIKq15XDeQxLSo
+BG1aFa9n82K1YADVcu1LeddfhDmQWLnZNgyHtQlKN2n59282CXtgymzae3uc05s2
+feIJaqF4M4NnCX8Ct3K7Hq1jI7ZktlquPCCy9XHq9aQY8XTxmdtRevtclKgYTwDh
+w+D/KbE8vTZ6o7JoubA3MKf4k3S8qL/0rIyaC6h0EpiWoMy1TdNMMK7BT4kl6Vz4
+W6KmNgOux1Pzku5ULM4WuOzmwW+NAzpOLJowfDs1ZC2RM3+g9i1/DmwWtCHngvGD
++clA0I0agXxo05toOBTfwxd2gWYczuo/Ole16fYTzqT6n0DHqOjjcc9A7EmC72fQ
+J+hHAqM+4+CbEGuMpNnTMpCZs98bcK3Rqx/bDJYtbclZzm5O/V4nVbDrJZKzpgA1
+KuzNMLkr62P6/t15UsStgmrlTILmE5NG0CR1mj/46+mNbsMZCel3dcvnT1Zf4rTq
+QxMC7Dd/DECKQVC339G/BRfNyhOk2S1mZR/g1uS4bznL+tiwudDh/TAi5C3ZBDMh
+0muwD9caXS/QFIBWtb2ai3IcpU357R/ERPKLcWYtoYJ80RuKi6XYr1WxSPBmd5Qm
+wuncye+wR2dveo2jnIXZGUSgz50ZNgBxs/cYWAQ8J6KMgIBa+JY2qalzvIGbrC5x
+Sr+CkhS8vrktfnRgc8yBssJnvNfqXA==
+=pKgS
+-----END PGP PUBLIC KEY BLOCK-----

release.json

@@ -1,9 +1,10 @@
 {
-  "release": "8.0.0-rc.2",
+  "release": "8.0.5",
   "channel": "8.0",
-  "tag": "v8.0.0-rc.2.23479.6",
-  "sdkVersion": "8.0.100-rc.2.23502.2",
-  "runtimeVersion": "8.0.0-rc.2.23479.6",
+  "tag": "v8.0.5",
+  "sdkVersion": "8.0.105",
+  "runtimeVersion": "8.0.5",
+  "aspNetCoreVersion": "8.0.5",
   "sourceRepository": "https://github.com/dotnet/dotnet",
-  "sourceVersion": "1e872358329855089d8d14cec1f06d5b075824b5"
+  "sourceVersion": "181780576f29353fd077b649e7624cf806e882e7"
 }

runtime-92274-webcil-s390x.patch

@@ -1,260 +0,0 @@
-From 72f310a6c3dccbabf9edc29677b51ed78c87cc67 Mon Sep 17 00:00:00 2001
-From: Sanjam Panda <sanjam.panda@ibm.com>
-Date: Tue, 19 Sep 2023 15:16:02 +0200
-Subject: [PATCH 1/3] [wasm] Endian fix for Webcil
-
-'dotnet new blazorwasm' command failed on s390x and was throwing a not implemented exception
-
-The issue was with with the WebCil writer and reader, specific endianness conversions relating to the webcil payload were not implemented for big endian machines.
-
-We considered fixing the generic implementation, but there were only two structures in use: WebcilHeader and WebcilSectionHeader, so it was easier to handle them explicitly.
----
- .../Microsoft.NET.WebAssembly.Webcil.csproj   |  1 +
- .../WebcilConverter.cs                        | 35 +++++++++++++-----
- .../WebcilReader.cs                           | 37 +++++++++++++++----
- 3 files changed, 57 insertions(+), 16 deletions(-)
-
-diff --git a/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/Microsoft.NET.WebAssembly.Webcil.csproj b/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/Microsoft.NET.WebAssembly.Webcil.csproj
-index c35eb57e80686..d09ae4a569a59 100644
---- a/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/Microsoft.NET.WebAssembly.Webcil.csproj
-+++ b/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/Microsoft.NET.WebAssembly.Webcil.csproj
-@@ -16,6 +16,7 @@
- 
-   <ItemGroup>
-     <!-- we need to keep the version of System.Reflection.Metadata in sync with dotnet/msbuild and dotnet/sdk -->
-+    <PackageReference Include="System.Memory" Version="$(SystemMemoryVersion)" /> 
-     <PackageReference Include="System.Reflection.Metadata" Version="$(SystemReflectionMetadataVersion)" />
-     <PackageReference Include="System.Collections.Immutable" Version="$(SystemCollectionsImmutableVersion)" />
-   </ItemGroup>
-diff --git a/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilConverter.cs b/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilConverter.cs
-index a38af7270a2da..7b882c42d579e 100644
---- a/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilConverter.cs
-+++ b/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilConverter.cs
-@@ -2,6 +2,7 @@
- // The .NET Foundation licenses this file to you under the MIT license.
- 
- using System;
-+using System.Buffers.Binary;
- using System.IO;
- using System.Collections.Immutable;
- using System.Reflection.PortableExecutable;
-@@ -181,9 +182,6 @@ private static void WriteHeader(Stream s, WebcilHeader header)
- 
-     private static void WriteSectionHeaders(Stream s, ImmutableArray<WebcilSectionHeader> sectionsHeaders)
-     {
--        // FIXME: fixup endianness
--        if (!BitConverter.IsLittleEndian)
--            throw new NotImplementedException();
-         foreach (var sectionHeader in sectionsHeaders)
-         {
-             WriteSectionHeader(s, sectionHeader);
-@@ -192,16 +190,38 @@ private static void WriteSectionHeaders(Stream s, ImmutableArray<WebcilSectionHe
- 
-     private static void WriteSectionHeader(Stream s, WebcilSectionHeader sectionHeader)
-     {
-+        if (!BitConverter.IsLittleEndian)
-+        {
-+            sectionHeader = new WebcilSectionHeader
-+            (
-+                virtualSize: BinaryPrimitives.ReverseEndianness(sectionHeader.VirtualSize),
-+                virtualAddress: BinaryPrimitives.ReverseEndianness(sectionHeader.VirtualAddress),
-+                sizeOfRawData: BinaryPrimitives.ReverseEndianness(sectionHeader.SizeOfRawData),
-+                pointerToRawData: BinaryPrimitives.ReverseEndianness(sectionHeader.PointerToRawData)
-+            );
-+        }
-         WriteStructure(s, sectionHeader);
-     }
- 
-+    private static void WriteStructure(Stream s, WebcilHeader webcilHeader)
-+    {
-+        if (!BitConverter.IsLittleEndian)
-+        {
-+            webcilHeader.version_major = BinaryPrimitives.ReverseEndianness(webcilHeader.version_major);
-+            webcilHeader.version_minor = BinaryPrimitives.ReverseEndianness(webcilHeader.version_minor);
-+            webcilHeader.coff_sections = BinaryPrimitives.ReverseEndianness(webcilHeader.coff_sections);
-+            webcilHeader.pe_cli_header_rva = BinaryPrimitives.ReverseEndianness(webcilHeader.pe_cli_header_rva);
-+            webcilHeader.pe_cli_header_size = BinaryPrimitives.ReverseEndianness(webcilHeader.pe_cli_header_size);
-+            webcilHeader.pe_debug_rva = BinaryPrimitives.ReverseEndianness(webcilHeader.pe_debug_rva);
-+            webcilHeader.pe_debug_size = BinaryPrimitives.ReverseEndianness(webcilHeader.pe_debug_size);
-+        }
-+        WriteStructure(s, webcilHeader);
-+    }
-+
- #if NETCOREAPP2_1_OR_GREATER
-     private static void WriteStructure<T>(Stream s, T structure)
-         where T : unmanaged
-     {
--        // FIXME: fixup endianness
--        if (!BitConverter.IsLittleEndian)
--            throw new NotImplementedException();
-         unsafe
-         {
-             byte* p = (byte*)&structure;
-@@ -212,9 +232,6 @@ private static void WriteStructure<T>(Stream s, T structure)
-     private static void WriteStructure<T>(Stream s, T structure)
-         where T : unmanaged
-     {
--        // FIXME: fixup endianness
--        if (!BitConverter.IsLittleEndian)
--            throw new NotImplementedException();
-         int size = Marshal.SizeOf<T>();
-         byte[] buffer = new byte[size];
-         IntPtr ptr = IntPtr.Zero;
-diff --git a/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilReader.cs b/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilReader.cs
-index 4f42f82798664..ac4f9d86095a9 100644
---- a/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilReader.cs
-+++ b/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilReader.cs
-@@ -6,7 +6,7 @@
- using System.IO;
- using System.Reflection;
- using System.Runtime.InteropServices;
--
-+using System.Buffers.Binary;
- using System.Reflection.Metadata;
- using System.Reflection.PortableExecutable;
- 
-@@ -63,14 +63,20 @@ private unsafe bool ReadHeader()
-         {
-             return false;
-         }
--        if (!BitConverter.IsLittleEndian)
--        {
--            throw new NotImplementedException("TODO: implement big endian support");
--        }
-         fixed (byte* p = buffer)
-         {
-             header = *(WebcilHeader*)p;
-         }
-+        if (!BitConverter.IsLittleEndian)
-+        {
-+            header.version_major = BinaryPrimitives.ReverseEndianness(header.version_major);
-+            header.version_minor = BinaryPrimitives.ReverseEndianness(header.version_minor);
-+            header.coff_sections = BinaryPrimitives.ReverseEndianness(header.coff_sections);
-+            header.pe_cli_header_rva = BinaryPrimitives.ReverseEndianness(header.pe_cli_header_rva);
-+            header.pe_cli_header_size = BinaryPrimitives.ReverseEndianness(header.pe_cli_header_size);
-+            header.pe_debug_rva = BinaryPrimitives.ReverseEndianness(header.pe_debug_rva);
-+            header.pe_debug_rva = BinaryPrimitives.ReverseEndianness(header.pe_debug_size);
-+        }
-         if (header.id[0] != 'W' || header.id[1] != 'b'
-             || header.id[2] != 'I' || header.id[3] != 'L'
-             || header.version_major != Internal.Constants.WC_VERSION_MAJOR
-@@ -346,6 +352,7 @@ private long TranslateRVA(uint rva)
- 
-     private unsafe ImmutableArray<WebcilSectionHeader> ReadSections()
-     {
-+        WebcilSectionHeader secheader;
-         var sections = ImmutableArray.CreateBuilder<WebcilSectionHeader>(_header.coff_sections);
-         var buffer = new byte[Marshal.SizeOf<WebcilSectionHeader>()];
-         _stream.Seek(SectionDirectoryOffset + _webcilInWasmOffset, SeekOrigin.Begin);
-@@ -357,8 +364,24 @@ private unsafe ImmutableArray<WebcilSectionHeader> ReadSections()
-             }
-             fixed (byte* p = buffer)
-             {
--                // FIXME endianness
--                sections.Add(*(WebcilSectionHeader*)p);
-+                secheader = (*(WebcilSectionHeader*)p);
-+            }
-+            if (!BitConverter.IsLittleEndian)
-+            {
-+                sections.Add
-+                (
-+                    new WebcilSectionHeader
-+                    (
-+                        virtualSize: BinaryPrimitives.ReverseEndianness(secheader.VirtualSize),
-+                        virtualAddress: BinaryPrimitives.ReverseEndianness(secheader.VirtualAddress),
-+                        sizeOfRawData: BinaryPrimitives.ReverseEndianness(secheader.SizeOfRawData),
-+                        pointerToRawData: BinaryPrimitives.ReverseEndianness(secheader.PointerToRawData)
-+                    )
-+                );
-+            }
-+            else
-+            {
-+                sections.Add(secheader);
-             }
-         }
-         return sections.MoveToImmutable();
-
-From 0c78184347335db183a38cf6bd26e2fe69160931 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Aleksey=20Kliger=20=28=CE=BBgeek=29?= <alklig@microsoft.com>
-Date: Thu, 21 Sep 2023 14:31:12 -0400
-Subject: [PATCH 2/3] Fix infinite recursion
-
----
- .../WebcilConverter.cs                        | 25 ++++++++-----------
- 1 file changed, 10 insertions(+), 15 deletions(-)
-
-diff --git a/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilConverter.cs b/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilConverter.cs
-index 7b882c42d579e..fc95eded5bc33 100644
---- a/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilConverter.cs
-+++ b/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilConverter.cs
-@@ -177,6 +177,16 @@ public unsafe void GatherInfo(PEReader peReader, out WCFileInfo wcInfo, out PEFi
- 
-     private static void WriteHeader(Stream s, WebcilHeader header)
-     {
-+        if (!BitConverter.IsLittleEndian)
-+        {
-+            webcilHeader.version_major = BinaryPrimitives.ReverseEndianness(webcilHeader.version_major);
-+            webcilHeader.version_minor = BinaryPrimitives.ReverseEndianness(webcilHeader.version_minor);
-+            webcilHeader.coff_sections = BinaryPrimitives.ReverseEndianness(webcilHeader.coff_sections);
-+            webcilHeader.pe_cli_header_rva = BinaryPrimitives.ReverseEndianness(webcilHeader.pe_cli_header_rva);
-+            webcilHeader.pe_cli_header_size = BinaryPrimitives.ReverseEndianness(webcilHeader.pe_cli_header_size);
-+            webcilHeader.pe_debug_rva = BinaryPrimitives.ReverseEndianness(webcilHeader.pe_debug_rva);
-+            webcilHeader.pe_debug_size = BinaryPrimitives.ReverseEndianness(webcilHeader.pe_debug_size);
-+        }
-         WriteStructure(s, header);
-     }
- 
-@@ -203,21 +213,6 @@ private static void WriteSectionHeader(Stream s, WebcilSectionHeader sectionHead
-         WriteStructure(s, sectionHeader);
-     }
- 
--    private static void WriteStructure(Stream s, WebcilHeader webcilHeader)
--    {
--        if (!BitConverter.IsLittleEndian)
--        {
--            webcilHeader.version_major = BinaryPrimitives.ReverseEndianness(webcilHeader.version_major);
--            webcilHeader.version_minor = BinaryPrimitives.ReverseEndianness(webcilHeader.version_minor);
--            webcilHeader.coff_sections = BinaryPrimitives.ReverseEndianness(webcilHeader.coff_sections);
--            webcilHeader.pe_cli_header_rva = BinaryPrimitives.ReverseEndianness(webcilHeader.pe_cli_header_rva);
--            webcilHeader.pe_cli_header_size = BinaryPrimitives.ReverseEndianness(webcilHeader.pe_cli_header_size);
--            webcilHeader.pe_debug_rva = BinaryPrimitives.ReverseEndianness(webcilHeader.pe_debug_rva);
--            webcilHeader.pe_debug_size = BinaryPrimitives.ReverseEndianness(webcilHeader.pe_debug_size);
--        }
--        WriteStructure(s, webcilHeader);
--    }
--
- #if NETCOREAPP2_1_OR_GREATER
-     private static void WriteStructure<T>(Stream s, T structure)
-         where T : unmanaged
-
-From cecf4f09f0c52340c753811098f0f2d9593049aa Mon Sep 17 00:00:00 2001
-From: Aleksey Kliger <alklig@microsoft.com>
-Date: Thu, 21 Sep 2023 14:36:20 -0400
-Subject: [PATCH 3/3] rename var
-
----
- src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilConverter.cs | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilConverter.cs b/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilConverter.cs
-index fc95eded5bc33..13c34bde4b8ea 100644
---- a/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilConverter.cs
-+++ b/src/runtime/src/tasks/Microsoft.NET.WebAssembly.Webcil/WebcilConverter.cs
-@@ -175,7 +175,7 @@ public unsafe void GatherInfo(PEReader peReader, out WCFileInfo wcInfo, out PEFi
-                                 SectionStart: firstWCSection);
-     }
- 
--    private static void WriteHeader(Stream s, WebcilHeader header)
-+    private static void WriteHeader(Stream s, WebcilHeader webcilHeader)
-     {
-         if (!BitConverter.IsLittleEndian)
-         {
-@@ -187,7 +187,7 @@ private static void WriteHeader(Stream s, WebcilHeader header)
-             webcilHeader.pe_debug_rva = BinaryPrimitives.ReverseEndianness(webcilHeader.pe_debug_rva);
-             webcilHeader.pe_debug_size = BinaryPrimitives.ReverseEndianness(webcilHeader.pe_debug_size);
-         }
--        WriteStructure(s, header);
-+        WriteStructure(s, webcilHeader);
-     }
- 
-     private static void WriteSectionHeaders(Stream s, ImmutableArray<WebcilSectionHeader> sectionsHeaders)

runtime-92920-multiple-ssl-dirs.patch

@@ -1,416 +0,0 @@
-From 9aec1e3b0b9ddc02b81bd115399f8951288b261b Mon Sep 17 00:00:00 2001
-From: Tom Deseyn <tom.deseyn@gmail.com>
-Date: Wed, 11 Oct 2023 18:32:20 +0200
-Subject: [PATCH] Support specifying multiple directories through SSL_CERT_DIR
-
-Co-authored-by: Jeremy Barton <jbarton@microsoft.com>
-Co-authored-by: Kevin Jones <vcsjones@github.com>
----
- .../OpenSslCachedSystemStoreProvider.cs       | 232 +++++++++---------
- .../X509Certificates/X509StoreTests.Unix.cs   |  42 +++-
- 2 files changed, 157 insertions(+), 117 deletions(-)
-
-diff --git a/src/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslCachedSystemStoreProvider.cs b/src/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslCachedSystemStoreProvider.cs
-index 4c9643c01e2..e66b3d1ad11 100644
---- a/src/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslCachedSystemStoreProvider.cs
-+++ b/src/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslCachedSystemStoreProvider.cs
-@@ -21,14 +21,14 @@ internal sealed class OpenSslCachedSystemStoreProvider : IStorePal
-         private static readonly TimeSpan s_lastWriteRecheckInterval = TimeSpan.FromSeconds(5);
-         private static readonly TimeSpan s_assumeInvalidInterval = TimeSpan.FromMinutes(5);
-         private static readonly Stopwatch s_recheckStopwatch = new Stopwatch();
--        private static DirectoryInfo? s_rootStoreDirectoryInfo = SafeOpenRootDirectoryInfo();
-+        private static string[]? s_rootStoreDirectories;
-         private static bool s_defaultRootDir;
--        private static readonly FileInfo? s_rootStoreFileInfo = SafeOpenRootFileInfo();
-+        private static string? s_rootStoreFile;
-+        private static DateTime[]? s_directoryLastWrite;
-+        private static DateTime s_fileLastWrite;
- 
-         // Use non-Value-Tuple so that it's an atomic update.
-         private static Tuple<SafeX509StackHandle, SafeX509StackHandle>? s_nativeCollections;
--        private static DateTime s_directoryCertsLastWrite;
--        private static DateTime s_fileCertsLastWrite;
- 
-         private readonly bool _isRoot;
- 
-@@ -93,18 +93,11 @@ public void Remove(ICertificatePal cert)
-             {
-                 lock (s_recheckStopwatch)
-                 {
--                    FileInfo? fileInfo = s_rootStoreFileInfo;
--                    DirectoryInfo? dirInfo = s_rootStoreDirectoryInfo;
--
--                    fileInfo?.Refresh();
--                    dirInfo?.Refresh();
--
-                     if (ret == null ||
-                         elapsed > s_assumeInvalidInterval ||
--                        (fileInfo != null && fileInfo.Exists && ContentWriteTime(fileInfo) != s_fileCertsLastWrite) ||
--                        (dirInfo != null && dirInfo.Exists && ContentWriteTime(dirInfo) != s_directoryCertsLastWrite))
-+                        LastWriteTimesHaveChanged())
-                     {
--                        ret = LoadMachineStores(dirInfo, fileInfo);
-+                        ret = LoadMachineStores();
-                     }
-                 }
-             }
-@@ -113,9 +106,37 @@ public void Remove(ICertificatePal cert)
-             return ret;
-         }
- 
--        private static Tuple<SafeX509StackHandle, SafeX509StackHandle> LoadMachineStores(
--            DirectoryInfo? rootStorePath,
--            FileInfo? rootStoreFile)
-+        private static bool LastWriteTimesHaveChanged()
-+        {
-+            Debug.Assert(
-+                Monitor.IsEntered(s_recheckStopwatch),
-+                "LastWriteTimesHaveChanged assumes a lock(s_recheckStopwatch)");
-+
-+            if (s_rootStoreFile != null)
-+            {
-+                _ = TryStatFile(s_rootStoreFile, out DateTime lastModified);
-+                if (lastModified != s_fileLastWrite)
-+                {
-+                    return true;
-+                }
-+            }
-+
-+            if (s_rootStoreDirectories != null && s_directoryLastWrite != null)
-+            {
-+                for (int i = 0; i < s_rootStoreDirectories.Length; i++)
-+                {
-+                    _ = TryStatDirectory(s_rootStoreDirectories[i], out DateTime lastModified);
-+                    if (lastModified != s_directoryLastWrite[i])
-+                    {
-+                        return true;
-+                    }
-+                }
-+            }
-+
-+            return false;
-+        }
-+
-+        private static Tuple<SafeX509StackHandle, SafeX509StackHandle> LoadMachineStores()
-         {
-             Debug.Assert(
-                 Monitor.IsEntered(s_recheckStopwatch),
-@@ -126,61 +147,76 @@ public void Remove(ICertificatePal cert)
-             SafeX509StackHandle intermedStore = Interop.Crypto.NewX509Stack();
-             Interop.Crypto.CheckValidOpenSslHandle(intermedStore);
- 
--            DateTime newFileTime = default;
--            DateTime newDirTime = default;
--
-             var uniqueRootCerts = new HashSet<X509Certificate2>();
-             var uniqueIntermediateCerts = new HashSet<X509Certificate2>();
-             bool firstLoad = (s_nativeCollections == null);
- 
--            if (rootStoreFile != null && rootStoreFile.Exists)
-+            if (firstLoad)
-             {
--                newFileTime = ContentWriteTime(rootStoreFile);
--                ProcessFile(rootStoreFile);
-+                s_rootStoreDirectories = GetRootStoreDirectories(out s_defaultRootDir);
-+                s_directoryLastWrite = new DateTime[s_rootStoreDirectories.Length];
-+                s_rootStoreFile = GetRootStoreFile();
-+            }
-+            else
-+            {
-+                Debug.Assert(s_rootStoreDirectories is not null);
-+                Debug.Assert(s_directoryLastWrite is not null);
-+            }
-+
-+            if (s_rootStoreFile != null)
-+            {
-+                ProcessFile(s_rootStoreFile, out s_fileLastWrite);
-             }
- 
-             bool hasStoreData = false;
- 
--            if (rootStorePath != null && rootStorePath.Exists)
-+            for (int i = 0; i < s_rootStoreDirectories.Length; i++)
-             {
--                newDirTime = ContentWriteTime(rootStorePath);
--                hasStoreData = ProcessDir(rootStorePath);
-+                hasStoreData = ProcessDir(s_rootStoreDirectories[i], out s_directoryLastWrite[i]);
-             }
- 
-             if (firstLoad && !hasStoreData && s_defaultRootDir)
-             {
--                DirectoryInfo etcSslCerts = new DirectoryInfo("/etc/ssl/certs");
--
--                if (etcSslCerts.Exists)
-+                const string DefaultCertDir = "/etc/ssl/certs";
-+                hasStoreData = ProcessDir(DefaultCertDir, out DateTime lastModified);
-+                if (hasStoreData)
-                 {
--                    DateTime tmpTime = ContentWriteTime(etcSslCerts);
--                    hasStoreData = ProcessDir(etcSslCerts);
--
--                    if (hasStoreData)
--                    {
--                        newDirTime = tmpTime;
--                        s_rootStoreDirectoryInfo = etcSslCerts;
--                    }
-+                    s_rootStoreDirectories = new[] { DefaultCertDir };
-+                    s_directoryLastWrite = new[] { lastModified };
-                 }
-             }
- 
--            bool ProcessDir(DirectoryInfo dir)
-+            bool ProcessDir(string dir, out DateTime lastModified)
-             {
-+                if (!TryStatDirectory(dir, out lastModified))
-+                {
-+                    return false;
-+                }
-+
-                 bool hasStoreData = false;
- 
--                foreach (FileInfo file in dir.EnumerateFiles())
-+                foreach (string file in Directory.EnumerateFiles(dir))
-                 {
--                    hasStoreData |= ProcessFile(file);
-+                    hasStoreData |= ProcessFile(file, out _, skipStat: true);
-                 }
- 
-                 return hasStoreData;
-             }
- 
--            bool ProcessFile(FileInfo file)
-+            bool ProcessFile(string file, out DateTime lastModified, bool skipStat = false)
-             {
-                 bool readData = false;
- 
--                using (SafeBioHandle fileBio = Interop.Crypto.BioNewFile(file.FullName, "rb"))
-+                if (skipStat)
-+                {
-+                    lastModified = default;
-+                }
-+                else if (!TryStatFile(file, out lastModified))
-+                {
-+                    return false;
-+                }
-+
-+                using (SafeBioHandle fileBio = Interop.Crypto.BioNewFile(file, "rb"))
-                 {
-                     // The handle may be invalid, for example when we don't have read permission for the file.
-                     if (fileBio.IsInvalid)
-@@ -274,114 +310,78 @@ bool ProcessFile(FileInfo file)
-             // on every call.
- 
-             Volatile.Write(ref s_nativeCollections, newCollections);
--            s_directoryCertsLastWrite = newDirTime;
--            s_fileCertsLastWrite = newFileTime;
-             s_recheckStopwatch.Restart();
-             return newCollections;
-         }
- 
--        private static FileInfo? SafeOpenRootFileInfo()
-+        private static string? GetRootStoreFile()
-         {
-             string? rootFile = Interop.Crypto.GetX509RootStoreFile();
- 
-             if (!string.IsNullOrEmpty(rootFile))
-             {
--                try
--                {
--                    return new FileInfo(rootFile);
--                }
--                catch (ArgumentException)
--                {
--                    // If SSL_CERT_FILE is set to the empty string, or anything else which gives
--                    // "The path is not of a legal form", then the GetX509RootStoreFile value is ignored.
--                }
-+                return Path.GetFullPath(rootFile);
-             }
- 
-             return null;
-         }
- 
--        private static DirectoryInfo? SafeOpenRootDirectoryInfo()
-+        private static string[] GetRootStoreDirectories(out bool isDefault)
-         {
--            string? rootDirectory = Interop.Crypto.GetX509RootStorePath(out s_defaultRootDir);
-+            string rootDirectory = Interop.Crypto.GetX509RootStorePath(out isDefault) ?? "";
- 
--            if (!string.IsNullOrEmpty(rootDirectory))
--            {
--                try
--                {
--                    return new DirectoryInfo(rootDirectory);
--                }
--                catch (ArgumentException)
--                {
--                    // If SSL_CERT_DIR is set to the empty string, or anything else which gives
--                    // "The path is not of a legal form", then the GetX509RootStoreFile value is ignored.
--                }
--            }
--
--            return null;
--        }
--
--        private static DateTime ContentWriteTime(FileInfo info)
--        {
--            string path = info.FullName;
--            string? target = Interop.Sys.ReadLink(path);
--
--            if (string.IsNullOrEmpty(target))
--            {
--                return info.LastWriteTimeUtc;
--            }
-+            string[] directories = rootDirectory.Split(Path.PathSeparator, StringSplitOptions.RemoveEmptyEntries);
- 
--            if (target[0] != '/')
-+            for (int i = 0; i < directories.Length; i++)
-             {
--                target = Path.Join(info.Directory?.FullName, target);
-+                directories[i] = Path.GetFullPath(directories[i]);
-             }
- 
--            try
-+            // Remove duplicates.
-+            if (directories.Length > 1)
-             {
--                var targetInfo = new FileInfo(target);
--
--                if (targetInfo.Exists)
-+                var set = new HashSet<string>(directories, StringComparer.Ordinal);
-+                if (set.Count != directories.Length)
-                 {
--                    return targetInfo.LastWriteTimeUtc;
-+                    // Preserve the original order.
-+                    string[] directoriesTrimmed = new string[set.Count];
-+                    int j = 0;
-+                    for (int i = 0; i < directories.Length; i++)
-+                    {
-+                        string directory = directories[i];
-+                        if (set.Remove(directory))
-+                        {
-+                            directoriesTrimmed[j++] = directory;
-+                        }
-+                    }
-+                    Debug.Assert(set.Count == 0);
-+                    directories = directoriesTrimmed;
-                 }
-             }
--            catch (ArgumentException)
--            {
--                // If we can't load information about the link path, just treat it as not a link.
--            }
- 
--            return info.LastWriteTimeUtc;
-+            return directories;
-         }
- 
--        private static DateTime ContentWriteTime(DirectoryInfo info)
--        {
--            string path = info.FullName;
--            string? target = Interop.Sys.ReadLink(path);
--
--            if (string.IsNullOrEmpty(target))
--            {
--                return info.LastWriteTimeUtc;
--            }
-+        private static bool TryStatFile(string path, out DateTime lastModified)
-+            => TryStat(path, Interop.Sys.FileTypes.S_IFREG, out lastModified);
- 
--            if (target[0] != '/')
--            {
--                target = Path.Join(info.Parent?.FullName, target);
--            }
-+        private static bool TryStatDirectory(string path, out DateTime lastModified)
-+            => TryStat(path, Interop.Sys.FileTypes.S_IFDIR, out lastModified);
- 
--            try
--            {
--                var targetInfo = new DirectoryInfo(target);
-+        private static bool TryStat(string path, int fileType, out DateTime lastModified)
-+        {
-+            lastModified = default;
- 
--                if (targetInfo.Exists)
--                {
--                    return targetInfo.LastWriteTimeUtc;
--                }
--            }
--            catch (ArgumentException)
-+            Interop.Sys.FileStatus status;
-+            // Use Stat to follow links.
-+            if (Interop.Sys.Stat(path, out status) < 0 ||
-+                (status.Mode & Interop.Sys.FileTypes.S_IFMT) != fileType)
-             {
--                // If we can't load information about the link path, just treat it as not a link.
-+                return false;
-             }
- 
--            return info.LastWriteTimeUtc;
-+            lastModified = DateTime.UnixEpoch + TimeSpan.FromTicks(status.MTime * TimeSpan.TicksPerSecond + status.MTimeNsec / TimeSpan.NanosecondsPerTick);
-+            return true;
-         }
-     }
- }
-diff --git a/src/runtime/src/libraries/System.Security.Cryptography/tests/X509Certificates/X509StoreTests.Unix.cs b/src/runtime/src/libraries/System.Security.Cryptography/tests/X509Certificates/X509StoreTests.Unix.cs
-index 0efb6c12028..f460d6b9bd6 100644
---- a/src/runtime/src/libraries/System.Security.Cryptography/tests/X509Certificates/X509StoreTests.Unix.cs
-+++ b/src/runtime/src/libraries/System.Security.Cryptography/tests/X509Certificates/X509StoreTests.Unix.cs
-@@ -10,7 +10,6 @@ namespace System.Security.Cryptography.X509Certificates.Tests
- {
-     public partial class X509StoreTests
-     {
--
-         [ConditionalFact(nameof(NotRunningAsRootAndRemoteExecutorSupported))] // root can read '2.pem'
-         [PlatformSpecific(TestPlatforms.Linux)] // Windows/OSX doesn't use SSL_CERT_{DIR,FILE}.
-         private void X509Store_MachineStoreLoadSkipsInvalidFiles()
-@@ -50,6 +49,47 @@ private void X509Store_MachineStoreLoadSkipsInvalidFiles()
-             }, new RemoteInvokeOptions { StartInfo = psi }).Dispose();
-         }
- 
-+        [ConditionalFact(typeof(RemoteExecutor), nameof(RemoteExecutor.IsSupported))]
-+        [PlatformSpecific(TestPlatforms.Linux)] // Windows/OSX doesn't use SSL_CERT_{DIR,FILE}.
-+        private void X509Store_MachineStoreLoadsMutipleSslCertDirectories()
-+        {
-+            // Create 3 certificates and place them in two directories that will be passed
-+            // using SSL_CERT_DIR.
-+            string sslCertDir1 = GetTestFilePath();
-+            Directory.CreateDirectory(sslCertDir1);
-+            File.WriteAllBytes(Path.Combine(sslCertDir1, "1.pem"), TestData.SelfSigned1PemBytes);
-+            File.WriteAllBytes(Path.Combine(sslCertDir1, "2.pem"), TestData.SelfSigned2PemBytes);
-+            string sslCertDir2 = GetTestFilePath();
-+            Directory.CreateDirectory(sslCertDir2);
-+            File.WriteAllBytes(Path.Combine(sslCertDir2, "3.pem"), TestData.SelfSigned3PemBytes);
-+
-+            // Add a non-existing directory after each valid directory to verify they are ignored.
-+            string sslCertDir = string.Join(Path.PathSeparator,
-+                new[] {
-+                        sslCertDir1,
-+                        sslCertDir2,
-+                        "",          // empty string
-+                        sslCertDir2, // duplicate directory
-+                        "/invalid2", // path that does not exist
-+            });
-+
-+            var psi = new ProcessStartInfo();
-+            psi.Environment.Add("SSL_CERT_DIR", sslCertDir);
-+            // Set SSL_CERT_FILE to avoid loading the default bundle file.
-+            psi.Environment.Add("SSL_CERT_FILE", "/nonexisting");
-+            RemoteExecutor.Invoke(() =>
-+            {
-+                Assert.NotNull(Environment.GetEnvironmentVariable("SSL_CERT_DIR"));
-+                using (var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
-+                {
-+                    store.Open(OpenFlags.OpenExistingOnly);
-+
-+                    // Check nr of certificates in store.
-+                    Assert.Equal(3, store.Certificates.Count);
-+                }
-+            }, new RemoteInvokeOptions { StartInfo = psi }).Dispose();
-+        }
-+
-         public static bool NotRunningAsRootAndRemoteExecutorSupported => !Environment.IsPrivilegedProcess && RemoteExecutor.IsSupported;
-     }
- }
--- 
-2.41.0
-

runtime-openssl-sha1.patch

@@ -0,0 +1,34 @@
+From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
+From: Tom Deseyn <tom.deseyn@gmail.com>
+Date: Wed, 28 Feb 2024 14:08:15 +0100
+Subject: [PATCH] Allow certificate validation with SHA-1 signatures.
+
+RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
+validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
+with a chain where the last certificate uses a SHA-1 signature.
+
+This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
+OpenSSL behavior for certificate validation.
+---
+ .../libs/System.Security.Cryptography.Native/pal_x509.c      | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+index 04c6ba06cd..2cd3413dae 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5
+ 
+     int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
+ 
+-    if (val != 0)
+-    {
+-        X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
+-    }
+-
+     return val;
+ }
+ 
+-- 
+2.43.2
+

runtime-re-enable-implicit-rejection.patch

@@ -0,0 +1,142 @@
+From 5fdc289903bd3a77d455583650b00297da0cae8f Mon Sep 17 00:00:00 2001
+From: Omair Majid <omajid@redhat.com>
+Date: Fri, 2 Feb 2024 15:51:23 -0500
+Subject: [PATCH] Revert "Disable implicit rejection for RSA PKCS#1 (#95216)"
+
+This reverts commit a5fc8ff9b03ffb2fdb81dad524ad1a20a0714995.
+
+To quote Clemens Lang:
+
+> [Disabling implcit rejection] re-enables a Bleichenbacher timing oracle
+> attack against PKCS#1v1.5 decryption. See
+> https://people.redhat.com/~hkario/marvin/ for details and
+> https://github.com/dotnet/runtime/pull/95157#issuecomment-1842784399 for a
+> comment by the researcher who published the vulnerability and proposed the
+> change in OpenSSL.
+
+For more details, see:
+https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314
+---
+ .../RSA/EncryptDecrypt.cs                     | 49 ++++---------------
+ .../opensslshim.h                             |  6 ---
+ .../pal_evp_pkey_rsa.c                        | 13 -----
+ 3 files changed, 10 insertions(+), 58 deletions(-)
+
+diff --git a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+index 39f3ebc82ec..5b97f468a42 100644
+--- a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
++++ b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+@@ -353,10 +353,19 @@ private void RsaCryptRoundtrip(RSAEncryptionPadding paddingMode, bool expectSucc
+             Assert.Equal(TestData.HelloBytes, output);
+         }
+ 
+-        [ConditionalFact(nameof(PlatformSupportsEmptyRSAEncryption))]
++        [ConditionalFact]
+         [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework)]
+         public void RoundtripEmptyArray()
+         {
++            if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
++            {
++                throw new SkipTestException("iOS prior to 13.6 does not reliably support RSA encryption of empty data.");
++            }
++            if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
++            {
++                throw new SkipTestException("tvOS prior to 14.0 does not reliably support RSA encryption of empty data.");
++            }
++
+             using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
+             {
+                 void RoundtripEmpty(RSAEncryptionPadding paddingMode)
+@@ -757,23 +746,5 @@ public static IEnumerable<object[]> OaepPaddingModes
+                 }
+             }
+         }
+-
+-        public static bool PlatformSupportsEmptyRSAEncryption
+-        {
+-            get
+-            {
+-                if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
+-                {
+-                    return false;
+-                }
+-
+-                if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
+-                {
+-                    return false;
+-                }
+-
+-                return true;
+-            }
+-        }
+     }
+ }
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+index 0748e305d5c..cf10d2f7949 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+@@ -296,10 +296,8 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
+     REQUIRED_FUNCTION(ERR_peek_error) \
+     REQUIRED_FUNCTION(ERR_peek_error_line) \
+     REQUIRED_FUNCTION(ERR_peek_last_error) \
+-    REQUIRED_FUNCTION(ERR_pop_to_mark) \
+     FALLBACK_FUNCTION(ERR_put_error) \
+     REQUIRED_FUNCTION(ERR_reason_error_string) \
+-    REQUIRED_FUNCTION(ERR_set_mark) \
+     LIGHTUP_FUNCTION(ERR_set_debug) \
+     LIGHTUP_FUNCTION(ERR_set_error) \
+     REQUIRED_FUNCTION(EVP_aes_128_cbc) \
+@@ -355,7 +353,6 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
+     REQUIRED_FUNCTION(EVP_PKCS82PKEY) \
+     REQUIRED_FUNCTION(EVP_PKEY2PKCS8) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl) \
+-    REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl_str) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_free) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_get0_pkey) \
+     REQUIRED_FUNCTION(EVP_PKEY_CTX_new) \
+@@ -797,10 +794,8 @@ FOR_ALL_OPENSSL_FUNCTIONS
+ #define ERR_peek_error_line ERR_peek_error_line_ptr
+ #define ERR_peek_last_error ERR_peek_last_error_ptr
+ #define ERR_put_error ERR_put_error_ptr
+-#define ERR_pop_to_mark ERR_pop_to_mark_ptr
+ #define ERR_reason_error_string ERR_reason_error_string_ptr
+ #define ERR_set_debug ERR_set_debug_ptr
+-#define ERR_set_mark ERR_set_mark_ptr
+ #define ERR_set_error ERR_set_error_ptr
+ #define EVP_aes_128_cbc EVP_aes_128_cbc_ptr
+ #define EVP_aes_128_cfb8 EVP_aes_128_cfb8_ptr
+@@ -855,7 +850,6 @@ FOR_ALL_OPENSSL_FUNCTIONS
+ #define EVP_PKCS82PKEY EVP_PKCS82PKEY_ptr
+ #define EVP_PKEY2PKCS8 EVP_PKEY2PKCS8_ptr
+ #define EVP_PKEY_CTX_ctrl EVP_PKEY_CTX_ctrl_ptr
+-#define EVP_PKEY_CTX_ctrl_str EVP_PKEY_CTX_ctrl_str_ptr
+ #define EVP_PKEY_CTX_free EVP_PKEY_CTX_free_ptr
+ #define EVP_PKEY_CTX_get0_pkey EVP_PKEY_CTX_get0_pkey_ptr
+ #define EVP_PKEY_CTX_new EVP_PKEY_CTX_new_ptr
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+index 043bf9f9d1e..c9ccdf33e3a 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+@@ -67,19 +67,6 @@ static bool ConfigureEncryption(EVP_PKEY_CTX* ctx, RsaPaddingMode padding, const
+         {
+             return false;
+         }
+-
+-        // OpenSSL 3.2 introduced a change where PKCS#1 RSA decryption does not fail for invalid padding.
+-        // If the padding is invalid, the decryption operation returns random data.
+-        // See https://github.com/openssl/openssl/pull/13817 for background.
+-        // Some Linux distributions backported this change to previous versions of OpenSSL.
+-        // Here we do a best-effort to set a flag to revert the behavior to failing if the padding is invalid.
+-        ERR_set_mark();
+-
+-        EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0");
+-
+-        // Undo any changes to the error queue that may have occured while configuring implicit rejection if the
+-        // current version does not support implicit rejection.
+-        ERR_pop_to_mark();
+     }
+     else
+     {
+-- 
+2.43.0
+

sources

@@ -1 +1,2 @@
-SHA512 (dotnet-v8.0.0-rc.2.23479.6.tar.gz) = 604220e91cfb3b0909b5127ed6b53b0a661f6258dd87068e5eb2f589729fb7b634ce934967e821075f027e0d2e12d15595a2fff57099efba036f760c6eb79493
+SHA512 (dotnet-8.0.5.tar.gz) = 73b2045d99c76fc44a31de992119beaaa66ab460153364adcaccda01e5040c3e2d7a865c9c1b005ba445506295a6d064581a6c258236057b87d8bab5daf9c220
+SHA512 (dotnet-8.0.5.tar.gz.sig) = a7c054fe06f7a857b128908c8df49f720163e7069e4dea1f3cd26431e74ee7283142b8bb47de0710eab6ed47fe68cfd6c9a6d0d4c985480bbeb75811fdd6245c

update-release

@@ -8,7 +8,7 @@ IFS=$'\n\t'
 
 print_usage() {
     echo " Usage:"
-    echo "     ./update-release sdk-version runtime-version [--bug bug-id] [--tarball tarball-name] [--larger-rpm-release]"
+    echo "     ./update-release sdk-version runtime-version [--bug bug-id] [--tarball tarball-name] [--release-json release-json] [--larger-rpm-release]"
 }
 
 user_provided_tarball_name=""
@@ -28,6 +28,11 @@ while [[ "$#" -gt 0 ]]; do
             print_usage
             exit 0
             ;;
+        --release-json)
+            release_json="$2"
+            shift;
+            shift;
+            ;;
         --tarball)
             user_provided_tarball_name="$2"
             shift;
@@ -61,46 +66,68 @@ fi
 
 host_version="$runtime_version"
 
-if [[ "$runtime_version" == "3.1"* ]]; then
-    tag=v${sdk_version}-SDK
-elif [[ "$runtime_version" == "6.0"* ]] || [[ "$runtime_version" == "7.0"* ]]; then
+if [[ "$runtime_version" == "6.0"* ]] || [[ "$runtime_version" == "7.0"* ]] ; then
     tag=v${sdk_version}
 else
     tag=v${runtime_version}
 fi
 
-if [[ -f "dotnet-${tag}-original.tar.gz" ]]; then
-    echo "dotnet-${tag}-original.tar.gz alredy exists, not rebuilding tarball"
-else
-    if [[ -n "${user_provided_tarball_name}" ]]; then
-        mv "$user_provided_tarball_name" "dotnet-${tag}-original.tar.gz"
-    elif [[ -f "dotnet-${sdk_version}-SDK.tar.gz" ]]; then
-        mv "dotnet-${sdk_version}-SDK.tar.gz" "dotnet-${tag}-original.tar.gz"
-    elif [[ -f "dotnet-${sdk_version}.tar.gz" ]]; then
-        mv "dotnet-${sdk_version}.tar.gz" "dotnet-${tag}-original.tar.gz"
-    elif [[ -f "dotnet-${runtime_version}.tar.gz" ]]; then
-        mv "dotnet-${runtime_version}.tar.gz" "dotnet-${tag}-original.tar.gz"
-    fi
-fi
-
-if [[ ! -f "dotnet-${tag}.tar.gz" ]]; then
-    ./build-dotnet-tarball "${tag}"
-fi
-
 set -x
 
 sed -i -E "s|^%global host_version [[:digit:]]\.[[:digit:]]\.[[:digit:]]+|%global host_version ${host_version}|" "$spec_file"
 sed -i -E "s|^%global runtime_version [[:digit:]]\.[[:digit:]]\.[[:digit:]]+|%global runtime_version ${runtime_version}|" "$spec_file"
 sed -i -E "s|^%global sdk_version [[:digit:]]\.[[:digit:]]\.[[:digit:]][[:digit:]][[:digit:]]|%global sdk_version ${sdk_version}|" "$spec_file"
 
+
+if [[ "$runtime_version" == "6.0"* ]] || [[ "$runtime_version" == "7.0"* ]] ; then
+    if [[ -f "dotnet-${tag}.tar.gz" ]]; then
+        echo "dotnet-${tag}.tar.gz already exists, not rebuilding tarball"
+    else
+        if [[ -f "dotnet-${tag}-original.tar.gz" ]]; then
+            echo "dotnet-${tag}-original.tar.gz alredy exists, not rebuilding tarball"
+        else
+            if [[ -n "${user_provided_tarball_name}" ]]; then
+                cp -a "$user_provided_tarball_name" "dotnet-${tag}-original.tar.gz"
+            elif [[ -f "dotnet-${sdk_version}-SDK.tar.gz" ]]; then
+                cp -a "dotnet-${sdk_version}-SDK.tar.gz" "dotnet-${tag}-original.tar.gz"
+            elif [[ -f "dotnet-${sdk_version}.tar.gz" ]]; then
+                cp -a "dotnet-${sdk_version}.tar.gz" "dotnet-${tag}-original.tar.gz"
+            elif [[ -f "dotnet-${runtime_version}.tar.gz" ]]; then
+                cp -a "dotnet-${runtime_version}.tar.gz" "dotnet-${tag}-original.tar.gz"
+            fi
+        fi
+
+        ./build-dotnet-tarball "${tag}"
+    fi
+else
+    if [[ -f "dotnet-${tag}.tar.gz" ]]; then
+        echo "dotnet-${tag}.tar.gz already exists, not rebuilding tarball"
+    elif [[ -n ${user_provided_tarball_name} ]]; then
+        tag_without_v=${tag#v}
+        cp -a "${user_provided_tarball_name}" dotnet-${tag_without_v}.tar.gz
+        cp -a "${user_provided_tarball_name}.sig" dotnet-${tag_without_v}.tar.gz.sig
+        cp -a "${release_json}" release.json
+    else
+        rm -f release.json
+        spectool -g "$spec_file"
+    fi
+fi
+
 comment="Update to .NET SDK ${sdk_version} and Runtime ${runtime_version}"
 commit_message="$comment
 "
 for bug_id in "${bug_ids[@]}"; do
-    comment="$comment
+    if [[ "$bug_id" =~ ^[[:digit:]]+$ ]]; then
+        comment="$comment
 - Resolves: RHBZ#$bug_id"
-    commit_message="$commit_message
+        commit_message="$commit_message
 Resolves: RHBZ#$bug_id"
+    else
+        comment="$comment
+- Resolves: $bug_id"
+        commit_message="$commit_message
+Resolves: $bug_id"
+    fi
 done
 
 echo "$commit_message" > git-commit-message
@@ -113,6 +140,4 @@ sed -i -E 's|^Release:        [[:digit:]]+%|Release:        '"$rpm_release"'%|'
 # See https://stackoverflow.com/questions/18620153/find-matching-text-and-replace-next-line
 sed -i -E '/^%changelog$/!b;n;s/-[[:digit:]]+$/-'"$rpm_release"'/' "$spec_file"
 
-release_json_url=$(spectool -l --sources ./dotnet8.0.spec | grep release.json | cut -d' ' -f2)
-rm "$(basename "$release_json_url")"
-wget "$release_json_url"
+echo "Done updating sources. Commit message in ./git-commit-message"