Skip to content

Add security override for sha1 #3644

Add security override for sha1

Add security override for sha1 #3644

Workflow file for this run

# Copyright (c) 2023 [Ribose Inc](https://www.ribose.com).
# All rights reserved.
# This file is a part of rnp
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
name: ubuntu
on:
push:
branches:
- main
- 'release/**'
paths-ignore:
- '/*.sh'
- '/.*'
- '/_*'
- 'Brewfile'
- 'docs/**'
- '**.adoc'
- '**.md'
- '**.nix'
- 'flake.lock'
- '.github/workflows/*.yml'
- '!.github/workflows/ubuntu.yml'
pull_request:
paths-ignore:
- '/*.sh'
- '/.*'
- '/_*'
- 'Brewfile'
- 'docs/**'
- '**.adoc'
- '**.md'
- '**.nix'
- 'flake.lock'
concurrency:
group: '${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.ref_name }}'
cancel-in-progress: true
jobs:
tests:
name: ${{ matrix.os }} [CC ${{ matrix.env.CC }}; ${{ matrix.backend.name }}; shared libs ${{ matrix.shared_libs }}; GnuPG stable]
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ ubuntu-latest ]
shared_libs: [ 'on' ]
backend:
- { name: 'botan', package: 'libbotan-2-dev' }
- { name: 'openssl', package: 'libssl-dev' }
env:
- { CC: gcc, CXX: g++ }
- { CC: clang, CXX: clang++ }
include:
# This implies openssl 1.1.1 as opposed to ubuntu-latest which is openssl 3
- os: ubuntu-20.04
shared_libs: 'on'
backend: { name: 'openssl', package: 'libssl-dev' }
env: { CC: gcc, CXX: g++ }
- os: ubuntu-latest
shared_libs: 'off'
backend: { name: 'botan', package: 'libbotan-2-dev' }
env: { CC: gcc, CXX: g++ }
if: "!contains(github.event.head_commit.message, 'skip ci')"
env: ${{ matrix.env }}
timeout-minutes: 50
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 1
submodules: true
- name: Install dependencies
# Already installed on GHA: build-essential libbz2-dev zlib1g-dev
run: |
sudo apt-get -y update
sudo apt-get -y install cmake libjson-c-dev ${{ matrix.backend.package }} asciidoctor
- name: Configure
run: |
echo CORES="$(nproc --all)" >> $GITHUB_ENV
cmake -B build -DBUILD_SHARED_LIBS=${{ matrix.shared_libs}} \
-DCRYPTO_BACKEND=${{ matrix.backend.name }} \
-DDOWNLOAD_GTEST=ON \
-DCMAKE_BUILD_TYPE=Release .
- name: Build
run: cmake --build build --parallel ${{ env.CORES }}
- name: Test
run: |
mkdir -p "build/Testing/Temporary"
cp "cmake/CTestCostData.txt" "build/Testing/Temporary"
export PATH="$PWD/build/src/lib:$PATH"
ctest --parallel ${{ env.CORES }} --test-dir build --output-on-failure
cmake-offline-googletest-src:
runs-on: ubuntu-latest
if: "!contains(github.event.head_commit.message, 'skip ci')"
timeout-minutes: 30
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 1
submodules: true
- name: Install dependencies
run: |
sudo apt-get -y update
sudo apt-get -y install cmake libjson-c-dev libbotan-2-dev asciidoctor googletest
- name: Configure
run: |
echo CORES="$(nproc --all)" >> $GITHUB_ENV
cmake -B build -DBUILD_SHARED_LIBS=ON \
-DCRYPTO_BACKEND=botan \
-DDOWNLOAD_GTEST=OFF \
-DGTEST_SOURCES=/usr/src/googletest \
-DCMAKE_BUILD_TYPE=Release .
- name: Build
run: cmake --build build --parallel ${{ env.CORES }}
- name: Test
run: |
mkdir -p "build/Testing/Temporary"
cp "cmake/CTestCostData.txt" "build/Testing/Temporary"
export PATH="$PWD/build/src/lib:$PATH"
ctest --parallel ${{ env.CORES }} --test-dir build --output-on-failure
- name: Check googletest
run: |
[ -d "build/src/tests" ]
[ -d "build/src/tests/googletest-build" ]
[ ! -d "build/src/tests/googletest-src" ]
cmake-offline-googletest:
runs-on: ubuntu-latest
if: "!contains(github.event.head_commit.message, 'skip ci')"
timeout-minutes: 30
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 1
submodules: true
- name: Install dependencies
run: |
sudo apt-get -y update
sudo apt-get -y install cmake libjson-c-dev libbotan-2-dev asciidoctor googletest
- name: Build googletest
run: |
cmake -B googletest-build /usr/src/googletest
cmake --build googletest-build
sudo cmake --install googletest-build
- name: Configure
run: |
echo CORES="$(nproc --all)" >> $GITHUB_ENV
cmake -B build -DBUILD_SHARED_LIBS=ON \
-DCRYPTO_BACKEND=botan \
-DDOWNLOAD_GTEST=OFF \
-DCMAKE_BUILD_TYPE=Release .
- name: Build
run: cmake --build build --parallel ${{ env.CORES }}
- name: Test
run: |
mkdir -p "build/Testing/Temporary"
cp "cmake/CTestCostData.txt" "build/Testing/Temporary"
export PATH="$PWD/build/src/lib:$PATH"
ctest --parallel ${{ env.CORES }} --test-dir build --output-on-failure
- name: Check googletest
run: |
[ -d "build/src/tests" ]
[ ! -d "build/src/tests/googletest-build" ]
[ ! -d "build/src/tests/googletest-src" ]
cmake-system-sexpp:
name: system-sexpp, sexpp shared libs ${{ matrix.sexpp_shared_libs }}, rnp shared libs ${{ matrix.rnp_shared_libs }}
runs-on: ubuntu-latest
if: "!contains(github.event.head_commit.message, 'skip ci')"
timeout-minutes: 30
strategy:
fail-fast: false
matrix:
sexpp_shared_libs: [ 'on', 'off' ]
rnp_shared_libs: ['on', 'off']
steps:
- name: Install dependencies
run: |
sudo apt-get -y update
sudo apt-get -y install cmake libjson-c-dev libbotan-2-dev asciidoctor
- name: Checkout sexpp
uses: actions/checkout@v4
with:
repository: rnpgp/sexpp
path: sexpp
- name: Configure sexpp
run: |
echo CORES="$(nproc --all)" >> $GITHUB_ENV
cmake -S sexpp -B sexpp/build \
-DCMAKE_BUILD_TYPE=Release \
-DDOWNLOAD_GTEST=OFF \
-DWITH_SEXP_TESTS=OFF \
-DBUILD_SHARED_LIBS=${{ matrix.sexpp_shared_libs}}
- name: Build sexpp
run: cmake --build sexpp/build --parallel ${{ env.CORES }}
- name: Install sexpp
run: sudo cmake --install sexpp/build
- name: Clean sexpp
run: rm -rf sexpp
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 1
submodules: false
- name: Configure
run: |
cmake -B build \
-DBUILD_SHARED_LIBS=${{ matrix.rnp_shared_libs }} \
-DCRYPTO_BACKEND=botan \
-DDOWNLOAD_GTEST=ON \
-DSYSTEM_LIBSEXPP=ON \
-DCMAKE_BUILD_TYPE=Release .
- name: Build
run: cmake --build build --parallel ${{ env.CORES }}
- name: Test
run: |
mkdir -p "build/Testing/Temporary"
cp "cmake/CTestCostData.txt" "build/Testing/Temporary"
export PATH="$PWD/build/src/lib:$PATH"
ctest --parallel ${{ env.CORES }} --test-dir build -R rnp_tests --output-on-failure
package-source:
runs-on: ubuntu-latest
if: "!contains(github.event.head_commit.message, 'skip ci')"
timeout-minutes: 30
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 1
submodules: true
- name: Install dependencies
run: |
sudo apt-get -y update
sudo apt-get -y install cmake libjson-c-dev libbotan-2-dev asciidoctor
- name: Configure
run: |
cmake . -B build \
-DBUILD_SHARED_LIBS=ON \
-DBUILD_TESTING=OFF \
-DCMAKE_BUILD_TYPE=Release \
-DCRYPTO_BACKEND=botan \
-DCMAKE_INSTALL_PREFIX=/usr
- name: Package source
run: cpack -B build/source-deb -G DEB --config build/CPackSourceConfig.cmake
- name: Upload source package
uses: actions/upload-artifact@v4
with:
name: 'source-debian'
path: 'build/source-deb/*.deb'
retention-days: 5
- name: Stash packaging tests
uses: actions/upload-artifact@v4
with:
name: tests
path: 'ci/tests/**'
retention-days: 1
package:
runs-on: ubuntu-latest
needs: package-source
if: "!contains(github.event.head_commit.message, 'skip ci')"
timeout-minutes: 30
steps:
- name: Install dependencies
run: |
sudo apt-get -y update
sudo apt-get -y install cmake libjson-c-dev libbotan-2-dev asciidoctor
- name: Download source package
uses: actions/download-artifact@v4
with:
name: 'source-debian'
path: source-debian
- name: Extract sources
run: dpkg-deb --extract source-debian/*.deb rnp
- name: Configure
run: |
echo CORES="$(nproc --all)" >> $GITHUB_ENV
cmake rnp -B rnp/build \
-DBUILD_SHARED_LIBS=ON \
-DBUILD_TESTING=OFF \
-DCMAKE_BUILD_TYPE=Release \
-DCRYPTO_BACKEND=botan \
-DCMAKE_INSTALL_PREFIX=/usr
- name: Build
run: cmake --build rnp/build --config Release --parallel ${{ env.CORES }}
- name: Create binary package
run: cpack -G DEB -B debian --config rnp/build/CPackConfig.cmake
- name: Upload binary package
uses: actions/upload-artifact@v4
with:
name: 'debian'
path: 'debian/*.deb'
retention-days: 5
debian-tests:
runs-on: ubuntu-latest
needs: package
timeout-minutes: 30
steps:
- name: Download enp deb file
uses: actions/download-artifact@v4
with:
name: 'debian'
- name: Checkout shell test framework
uses: actions/checkout@v4
with:
repository: kward/shunit2
path: ci/tests/shunit2
- name: Unstash tests
uses: actions/download-artifact@v4
with:
name: tests
path: ci/tests
- name: Run debian tests
# - no source checkout or upload [we get only test scripts from the previous step using GHA artifacts]
# - no environment set up with rnp scripts
# - no dependencies setup, we test that apt can install whatever is required
run: |
chmod +x ci/tests/deb-tests.sh
ci/tests/deb-tests.sh