Merge 3.0-dev into 3.0 (#8891)

.pipelines/CodeQL/CodeQL.yml

@@ -3,6 +3,8 @@
 
 name: CodeQL CBL-Mariner repository
 
+trigger: none
+
 resources:
   repositories:
     - repository: CBL-Mariner-Pipelines

.pipelines/containerSourceData/nodejs/distroless/nodejs18.pkg

@@ -1,2 +1,3 @@
 distroless-packages-base
 nodejs18
+prebuilt-ca-certificates

.pipelines/containerSourceData/prometheus/distroless/prometheus.pkg

@@ -1,2 +1,3 @@
 distroless-packages-base
+prebuilt-ca-certificates
 prometheus

.pipelines/containerSourceData/prometheusadapter/distroless/prometheusadapter.pkg

@@ -1,2 +1,3 @@
 distroless-packages-base
+prebuilt-ca-certificates
 prometheus-adapter

.pipelines/containerSourceData/python/distroless/python.pkg

@@ -1,2 +1,3 @@
 distroless-packages-base
+prebuilt-ca-certificates
 python3

.pipelines/containerSourceData/scripts/BuildBaseContainers.sh

@@ -194,6 +194,8 @@ function initialization {
 
     ROOT_FOLDER="$(git rev-parse --show-toplevel)"
     EULA_FILE_PATH="$ROOT_FOLDER/.pipelines/container_artifacts/data"
+    END_OF_LIFE_1_YEAR=$(date -d "+1 year" "+%Y-%m-%dT%H:%M:%SZ")
+    echo "END_OF_LIFE_1_YEAR                    -> $END_OF_LIFE_1_YEAR"
 }
 
 function build_builder_image {
@@ -270,16 +272,31 @@ function docker_build_marinara {
     save_container_image "$MARINARA" "$MARINARA_IMAGE_NAME"
 }
 
+function oras_attach {
+    local image_name=$1
+    oras attach \
+        --artifact-type "application/vnd.microsoft.artifact.lifecycle" \
+        --annotation "vnd.microsoft.artifact.lifecycle.end-of-life.date=$END_OF_LIFE_1_YEAR" \
+        "$image_name"
+}
+
 function publish_to_acr {
     local image=$1
     if [[ ! "$PUBLISH_TO_ACR" =~ [Tt]rue ]]; then
         echo "+++ Skip publishing to ACR"
         return
     fi
+
+    echo "+++ az login into Azure ACR $ACR"
+    local oras_access_token
+    oras_access_token=$(az acr login --name "$ACR" --expose-token --output tsv --query accessToken)
+    oras login "$ACR.azurecr.io" \
+        --username "00000000-0000-0000-0000-000000000000" \
+        --password "$oras_access_token"
+
     echo "+++ Publish container $image"
-    echo "login into ACR: $ACR"
-    az acr login --name "$ACR"
     docker image push "$image"
+    oras_attach "$image"
 }
 
 function save_container_image {

.pipelines/containerSourceData/scripts/BuildGoldenContainer.sh

@@ -200,12 +200,14 @@ function initialization {
     BASE_IMAGE_TAG=${BASE_IMAGE_NAME_FULL#*:}   # 3.0
     AZURE_LINUX_VERSION=${BASE_IMAGE_TAG%.*}    # 3.0
     DISTRO_IDENTIFIER="azl"
+    END_OF_LIFE_1_YEAR=$(date -d "+1 year" "+%Y-%m-%dT%H:%M:%SZ")
 
     echo "Golden Image Name             -> $GOLDEN_IMAGE_NAME"
     echo "Base ACR Container Name       -> $BASE_IMAGE_NAME"
     echo "Base ACR Container Tag        -> $BASE_IMAGE_TAG"
     echo "Azure Linux Version           -> $AZURE_LINUX_VERSION"
     echo "Distro Identifier             -> $DISTRO_IDENTIFIER"
+    echo "End of Life                   -> $END_OF_LIFE_1_YEAR"
 }
 
 function prepare_dockerfile {
@@ -318,16 +320,31 @@ function finalize {
     echo "$GOLDEN_IMAGE_NAME_FINAL" >> "$OUTPUT_DIR/PublishedContainers-$IMAGE.txt"
 }
 
+function oras_attach {
+    local image_name=$1
+    oras attach \
+        --artifact-type "application/vnd.microsoft.artifact.lifecycle" \
+        --annotation "vnd.microsoft.artifact.lifecycle.end-of-life.date=$END_OF_LIFE_1_YEAR" \
+        "$image_name"
+}
+
 function publish_to_acr {
     CONTAINER_IMAGE=$1
     if [[ ! "$PUBLISH_TO_ACR" =~ [Tt]rue ]]; then
         echo "+++ Skip publishing to ACR"
         return
     fi
+    local oras_access_token
+
+    echo "+++ az login into Azure ACR $ACR"
+    oras_access_token=$(az acr login --name "$ACR" --expose-token --output tsv --query accessToken)
+    oras login "$ACR.azurecr.io" \
+        --username "00000000-0000-0000-0000-000000000000" \
+        --password "$oras_access_token"
+
     echo "+++ Publish container $CONTAINER_IMAGE"
-    echo "login into ACR: $ACR"
-    az acr login --name "$ACR"
     docker image push "$CONTAINER_IMAGE"
+    oras_attach "$CONTAINER_IMAGE"
 }
 
 function generate_image_sbom {

.pipelines/containerSourceData/scripts/PublishContainers.sh

@@ -72,6 +72,32 @@ FILE_EXT='.txt'
 
 OS_VERSION_PREFIX="azurelinux-"
 DISTRO_IDENTIFIER="azl"
+END_OF_LIFE_1_YEAR=$(date -d "+1 year" "+%Y-%m-%dT%H:%M:%SZ")
+
+# Login to the container registry.
+# Also login ORAS to the container registry.
+# $1: container registry name
+function acr_login {
+    local container_registry=$1
+    local oras_access_token
+
+    echo "+++ az login into Azure ACR $container_registry"
+    oras_access_token=$(az acr login --name "$container_registry" --expose-token --output tsv --query accessToken)
+    oras login "$container_registry.azurecr.io" \
+        --username "00000000-0000-0000-0000-000000000000" \
+        --password "$oras_access_token"
+}
+
+# Attach the end-of-life annotation to the container image.
+# $1: image name
+function oras_attach {
+    local image_name=$1
+
+    oras attach \
+        --artifact-type "application/vnd.microsoft.artifact.lifecycle" \
+        --annotation "vnd.microsoft.artifact.lifecycle.end-of-life.date=$END_OF_LIFE_1_YEAR" \
+        "$image_name"
+}
 
 function create_multi_arch_tags {
     # $1: original container (without '-amd64' or '-arm64' extension in tag)
@@ -165,6 +191,7 @@ function create_multi_arch_tags {
     echo "+++ push $full_multiarch_tag tag"
     docker manifest push "$full_multiarch_tag"
     echo "+++ $full_multiarch_tag tag pushed successfully"
+    oras_attach "$full_multiarch_tag"
 
     # Save the multi-arch tag to a file.
     image_basename=${multiarch_name#*/}
@@ -230,8 +257,7 @@ do
         echo "Image name: $image_name"
         echo
         container_registry="${image_name%%.*}"
-        echo "+++ login into Azure ACR $container_registry"
-        az acr login --name "$container_registry"
+        acr_login "$container_registry"
 
         amd64_image=${image_name%-*}-amd64
         docker pull "$amd64_image"
@@ -243,9 +269,7 @@ do
         fi
 
         if [[ $container_registry != "$TARGET_ACR" ]]; then
-            echo "+++ login into Azure ACR $TARGET_ACR"
-            az acr login --name "$TARGET_ACR"
-
+            acr_login "$TARGET_ACR"
             echo "Retagging the images to $TARGET_ACR"
             # E.g., If container_registry is azurelinuxdevpreview and TARGET_ACR is azurelinuxpreview, then
             # azurelinuxdevpreview.azurecr.io/base/core:3.0 -> azurelinuxpreview.azurecr.io/base/core:3.0
@@ -255,13 +279,15 @@ do
             docker image tag "$amd64_image" "$amd64_retagged_image_name"
             docker rmi "$amd64_image"
             docker image push "$amd64_retagged_image_name"
+            oras_attach "$amd64_retagged_image_name"
 
             if [[ $ARCHITECTURE_TO_BUILD == *"ARM64"*  ]]; then
                 arm64_retagged_image_name=${arm64_image/"$container_registry"/"$TARGET_ACR"}
                 echo "Retagged arm64 image: $arm64_retagged_image_name"
                 docker image tag "$arm64_image" "$arm64_retagged_image_name"
                 docker rmi "$arm64_image"
                 docker image push "$arm64_retagged_image_name"
+                oras_attach "$arm64_retagged_image_name"
             fi
 
             image_name=$amd64_retagged_image_name

LICENSES-AND-NOTICES/SPECS/data/licenses.json

@@ -117,6 +117,7 @@
                 "cim-schema",
                 "cjkuni-uming-fonts",
                 "cjose",
+                "ck",
                 "cldr-emoji-annotation",
                 "clucene",
                 "clutter",

SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "SymCrypt-OpenSSL-1.4.0.tar.gz": "c2494e967dacbbca0aa374d510959c0fda3d43c24c00a5bbb3f284a8fd7c1c9b"
+  "SymCrypt-OpenSSL-1.4.2.tar.gz": "c48ecfac71507a5497bad6ac5df3cbf5d78339f7c4aa6fb382ed8a8e05053377"
  }
 }

SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec

@@ -1,19 +1,22 @@
 Summary:        The SymCrypt engine for OpenSSL (SCOSSL) allows the use of OpenSSL with SymCrypt as the provider for core cryptographic operations
 Name:           SymCrypt-OpenSSL
-Version:        1.4.0
+Version:        1.4.2
 Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System/Libraries
 URL:            https://github.com/microsoft/SymCrypt-OpenSSL
-#Source0:       https://github.com/microsoft/SymCrypt-OpenSSL/archive/v%{version}.tar.gz
-Source0:        %{name}-%{version}.tar.gz
+Source0:        https://github.com/microsoft/SymCrypt-OpenSSL/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+BuildRequires:  openssl-devel
 BuildRequires:  SymCrypt
 BuildRequires:  cmake
 BuildRequires:  gcc
 BuildRequires:  make
 
+Requires:       SymCrypt
+Requires:       openssl
+
 %description
 The SymCrypt engine for OpenSSL (SCOSSL) allows the use of OpenSSL with SymCrypt as the provider for core cryptographic operations
 
@@ -54,8 +57,7 @@ install SymCryptEngine/inc/e_scossl.h %{buildroot}%{_includedir}/e_scossl.h
 install SymCryptProvider/symcrypt_prov.cnf %{buildroot}%{_sysconfdir}/pki/tls/symcrypt_prov.cnf
 
 %check
-# SslPlay has some dependencies on the 1.1.1 engine behavior that must be updated for 3.0
-# ./bin/SslPlay/SslPlay
+./bin/SslPlay/SslPlay
 
 %files
 %license LICENSE
@@ -65,6 +67,15 @@ install SymCryptProvider/symcrypt_prov.cnf %{buildroot}%{_sysconfdir}/pki/tls/sy
 %{_sysconfdir}/pki/tls/symcrypt_prov.cnf
 
 %changelog
+* Thu Apr 25 2024 Maxwell Moyer-McKee <[email protected]> - 1.4.2-1
+- Support additional parameters in the SymCrypt provider required for TLS connections
+- Various bugfixes for TLS scenarios
+
+* Wed Apr 17 2024 Maxwell Moyer-McKee <[email protected]> - 1.4.1-1
+- Update SymCrypt-OpenSSL to v1.4.1
+- Adds support for RSASSA-PSS keys, SP800-108 KDF
+- Fixes smoke test for check in OpenSSL 3.1
+
 * Thu Dec 28 2023 Maxwell Moyer-McKee <[email protected]> - 1.4.0-1
 - Update SymCrypt-OpenSSL to v1.4.0.
 - Adds SymCrypt-OpenSSL provider for OpenSSL 3.

SPECS/SymCrypt/SymCrypt.spec

@@ -2,7 +2,7 @@
 Summary:        A core cryptographic library written by Microsoft
 Name:           SymCrypt
 Version:        103.4.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -35,7 +35,7 @@ A core cryptographic library written by Microsoft
 %define symcrypt_arch ARM64
 # Currently SymCrypt ARM64 build requires use of clang
 %define symcrypt_cc clang
-%define symcrypt_c_flags "-Wno-conditional-uninitialized"
+%define symcrypt_c_flags "-mno-outline-atomics -Wno-conditional-uninitialized"
 %define symcrypt_cxx clang++
 %endif
 
@@ -78,6 +78,9 @@ chmod 755 %{buildroot}%{_libdir}/libsymcrypt.so.%{version}
 %{_includedir}/*
 
 %changelog
+* Thu Apr 25 2024 Maxwell Moyer-McKee <[email protected]> - 103.4.1-2
+- Disable outline atomics in aarch64 builds
+
 * Thu Dec 28 2023 Maxwell Moyer-McKee <[email protected]> - 103.4.1-1
 - Update SymCrypt to v103.4.1 for SymCrypt-OpenSSL provider.
 

SPECS/autoconf-archive/autoconf-archive.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "autoconf-archive-2021.02.19.tar.xz": "e8a6eb9d28ddcba8ffef3fa211653239e9bf239aba6a01a6b7cfc7ceaec69cbd"
+  "autoconf-archive-2023.02.20.tar.xz": "71d4048479ae28f1f5794619c3d72df9c01df49b1c628ef85fde37596dc31a33"
  }
 }

SPECS/autoconf-archive/autoconf-archive.spec

@@ -1,27 +1,30 @@
 %define debug_package %{nil}
 
-Summary:	Autoconf macro archive
-Name:		autoconf-archive
-Version:	2021.02.19
-Release:    1%{?dist}
-License:	GPLv3+
-URL:		https://www.gnu.org/software/autoconf-archive
-Group:		System Environment/Base
+Summary:        Autoconf macro archive
+Name:           autoconf-archive
+Version:        2023.02.20
+Release:        1%{?dist}
+License:        GPLv3+
+URL:            https://www.gnu.org/software/autoconf-archive
+Group:          System Environment/Base
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
-Source0:	https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
+Source0:        https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
 
-BuildArch:  noarch
-Requires:	autoconf
+BuildArch:      noarch
+Requires:       autoconf
 
 %description
 The package contains programs for producing shell scripts that can
 automatically configure source code.
+
 %prep
 %setup -q
+
 %build
 %configure
 make
+
 %install
 make install DESTDIR=%{buildroot} INSTALL="install -p"
 rm -rf %{buildroot}%{_infodir}
@@ -33,10 +36,15 @@ rm -frv %{buildroot}%{_datadir}/%{name}
 %{_datadir}/aclocal/*.m4
 
 %changelog
-*   Thu Jan 06 2022 Nicolas Guibourge <[email protected]> 2021.02.19-1
--   Upgrade to 2021.02.19
--   License verified
-*   Tue Sep 03 2019 Mateusz Malisz <[email protected]> 2018.03.13-2
--   Initial CBL-Mariner import from Photon (license: Apache2).
-*   Mon Sep 10 2018 Anish Swaminathan <[email protected]> 2018.03.13-1
--   Initial build
+* Mon Apr 22 2024 Andrew Phelps <[email protected]> - 2023.02.20-1
+- Upgrade to 2023.02.20
+
+* Thu Jan 06 2022 Nicolas Guibourge <[email protected]> - 2021.02.19-1
+- Upgrade to 2021.02.19
+- License verified
+
+* Tue Sep 03 2019 Mateusz Malisz <[email protected]> - 2018.03.13-2
+- Initial CBL-Mariner import from Photon (license: Apache2).
+
+* Mon Sep 10 2018 Anish Swaminathan <[email protected]> - 2018.03.13-1
+- Initial build

SPECS/azurelinux-release/azurelinux-release.spec

@@ -5,7 +5,7 @@
 Summary:        Azure Linux release files
 Name:           azurelinux-release
 Version:        %{dist_version}.0
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -118,6 +118,9 @@ install -Dm0644 %{SOURCE4} -t %{buildroot}%{_sysctldir}/
 %{_sysctldir}/*.conf
 
 %changelog
+* Wed Apr 24 2024 Sam Meluch <[email protected]> - 3.0-10
+- Azure Linux 3.0 April Preview Release 4
+
 * Wed Apr 17 2024 Sam Meluch <[email protected]> - 3.0-9
 - Azure Linux 3.0 April Preview Release 3