Disable Full Signing in source-build #12940
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
9bfcecd to
6217ed8
Compare
omajid
added a commit
to omajid/dotnet-aspnetcore
that referenced
this pull request
Mar 27, 2023
This property is being added to arcade via dotnet/arcade#12749 and dotnet/arcade#12940 Once this property is added to arcade, it flows correctly to the main aspnetcore build, but not to the build for repo tasks. The repo tasks still need this, otherwise they end up using full signing. Fix that by manually passing the property along (using env var) when building the repo tasks.
wtgodbe
pushed a commit
to dotnet/aspnetcore
that referenced
this pull request
Mar 30, 2023
) This property is being added to arcade via dotnet/arcade#12749 and dotnet/arcade#12940 Once this property is added to arcade, it flows correctly to the main aspnetcore build, but not to the build for repo tasks. The repo tasks still need this, otherwise they end up using full signing. Fix that by manually passing the property along (using env var) when building the repo tasks.
Full Signing requires RSA+SHA1 which is disabled in some environments (eg, RHEL 9, CentOS Stream 9). Default to turning it off. Expose a top-level property to allow Full Signing to be re-enabled by users. The actual implementation of that flag was in dotnet#12749 (commit 3840d43). Once a version of arcade including this fix is used to build the individual repos (in source-build mode) or the VMR, everything should default to public signing. For more context around RSA+SHA1 and the alternative (using public signing), see: - dotnet/runtime#65874 - dotnet/source-build#3202 - dotnet#12515 - dotnet/installer#15873
6217ed8 to
be6bb00
Compare
|
cc @mmitche |
mmitche
approved these changes
Mar 31, 2023
omajid
added a commit
to omajid/dotnet-installer
that referenced
this pull request
Jun 21, 2023
These are no longer needed since dotnet/arcade#12940
omajid
added a commit
to omajid/dotnet-installer
that referenced
this pull request
Jun 21, 2023
These are no longer needed since dotnet/arcade#12940 Fixes: dotnet/source-build#3458
omajid
added a commit
to omajid/dotnet-installer
that referenced
this pull request
Jun 22, 2023
These are no longer needed since dotnet/arcade#12940 Fixes: dotnet/source-build#3458
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Full Signing requires RSA+SHA1 which is disabled in some environments (eg, RHEL 9, CentOS Stream 9). Default to turning it off. Expose a top-level property to allow Full Signing to be re-enabled by users.
The actual implementation of that flag was in #12749 (commit 3840d43).
Once a version of arcade including this fix is used to build the individual repos (in source-build mode) or the VMR, everything should default to public signing.
For more context around RSA+SHA1 and the alternative (using public signing), see:
PublicSign=falsewhen using some full keys #12515To double check: