diff --git a/ruby-3.2.0-Use-SHA256-instead-of-SHA1.patch b/ruby-3.2.0-Use-SHA256-instead-of-SHA1.patch new file mode 100644 index 0000000..1b3395b --- /dev/null +++ b/ruby-3.2.0-Use-SHA256-instead-of-SHA1.patch @@ -0,0 +1,39 @@ +From 9b9825d6cdda053fea49eb2f613bc62bde465e89 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?V=C3=ADt=20Ondruch?= +Date: Wed, 4 Jan 2023 17:23:35 +0100 +Subject: [PATCH] Use SHA256 instead of SHA1 + +Systems such as CentOS 9 / RHEL 9 are moving away from SHA1 disabling it +by default via a system-wide crypto policy. This replaces SHA1 with +SHA256 in similar way as [[1]]. + +[1]: https://github.com/ruby/openssl/pull/554 +--- + spec/ruby/library/openssl/x509/name/verify_spec.rb | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/spec/ruby/library/openssl/x509/name/verify_spec.rb b/spec/ruby/library/openssl/x509/name/verify_spec.rb +index a8bf865bd..6dcfc9946 100644 +--- a/spec/ruby/library/openssl/x509/name/verify_spec.rb ++++ b/spec/ruby/library/openssl/x509/name/verify_spec.rb +@@ -12,7 +12,7 @@ describe "OpenSSL::X509::Name.verify" do + cert.public_key = key.public_key + cert.not_before = Time.now - 10 + cert.not_after = cert.not_before + 365 * 24 * 60 * 60 +- cert.sign key, OpenSSL::Digest.new('SHA1') ++ cert.sign key, OpenSSL::Digest.new('SHA256') + store = OpenSSL::X509::Store.new + store.add_cert(cert) + [store.verify(cert), store.error, store.error_string].should == [true, 0, "ok"] +@@ -28,7 +28,7 @@ describe "OpenSSL::X509::Name.verify" do + cert.public_key = key.public_key + cert.not_before = Time.now - 10 + cert.not_after = Time.now - 5 +- cert.sign key, OpenSSL::Digest.new('SHA1') ++ cert.sign key, OpenSSL::Digest.new('SHA256') + store = OpenSSL::X509::Store.new + store.add_cert(cert) + store.verify(cert).should == false +-- +2.38.1 + diff --git a/ruby.spec b/ruby.spec index ba3b0e1..e5771aa 100644 --- a/ruby.spec +++ b/ruby.spec @@ -101,7 +101,7 @@ Summary: An interpreter of object-oriented scripting language Name: ruby Version: %{ruby_version}%{?development_release} -Release: 176%{?dist} +Release: 177%{?dist} # BSD-3-Clause: missing/{crypt,mt19937,setproctitle}.c # ISC: missing/strl{cat,cpy}.c # Public Domain for example for: include/ruby/st.h, strftime.c, missing/*, ... @@ -169,6 +169,13 @@ Patch8: ruby-2.7.1-Timeout-the-test_bug_reporter_add-witout-raising-err.patch # https://bugs.ruby-lang.org/issues/19297 Patch9: ruby-3.2.0-Revert-Fix-test-syntax-suggest-order.patch Patch10: ruby-3.2.0-Revert-Test-syntax_suggest-by-make-check.patch +# Fix `OpenSSL::X509::CertificateError: invalid digest` errors on ELN. This +# also might help Fedor, if/when +# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning2 +# is accepted. +# https://github.com/ruby/spec/pull/990 +# https://bugs.ruby-lang.org/issues/19307 +Patch11: ruby-3.2.0-Use-SHA256-instead-of-SHA1.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} Suggests: rubypick @@ -642,6 +649,7 @@ rm -rf ext/fiddle/libffi* %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -1568,6 +1576,9 @@ DISABLE_TESTS="$DISABLE_TESTS -n !/TestGCCompact#test_moving_objects_between_siz %changelog +* Thu Jan 05 2023 Vít Ondruch - 3.2.0-177 +- Fix ELN FTBFS due to stronger crypto settings. + * Mon Jan 02 2023 Vít Ondruch - 3.2.0-176 - Upgrade to Ruby 3.2.0.