From: Matthew Burket <mburket@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/openscap] rawhide: Add upstream PRs to fix tests
Date: Fri, 26 Jun 2026 15:46:22 GMT	[thread overview]
Message-ID: <178248878215.1.10771072973263957789.rpms-openscap-b5b5a2e4541e@fedoraproject.org> (raw)

A new commit has been pushed.

Repo   : rpms/openscap
Branch : rawhide
Commit : b5b5a2e4541e028ec243ad7a08c5b183d92340df
Author : Matthew Burket <mburket@redhat.com>
Date   : 2026-06-24T12:52:13-05:00
Stats  : +200/-1 in 3 file(s)
URL    : https://src.fedoraproject.org/rpms/openscap/c/b5b5a2e4541e028ec243ad7a08c5b183d92340df?branch=rawhide

Log:
Add upstream PRs to fix tests

---
diff --git a/2343.patch b/2343.patch
new file mode 100644
index 0000000..0ed0c8c
--- /dev/null
+++ b/2343.patch
@@ -0,0 +1,39 @@
+From 32fb2674256cabe003b2c391475b6e760035a205 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Wed, 22 Apr 2026 16:31:37 +0200
+Subject: [PATCH] Skip verifying RPM signatures in tests
+
+Our tests install some dummy test RPM pacakges. Starting from
+rpm version 6.0.0 rpm by default requires veryfing signatures.
+Our dummy packages aren't signed, which causes that they aren't
+installed and the tests fail.
+
+This commit should fix the broken CI on Rawhide.
+
+Addressing:
+package foobar-1.0-1.noarch does not verify: no signature
+
+The following tests FAILED:
+	228 - probes/rpm/rpminfo/test_probes_rpminfo_offline.sh (Failed)
+	230 - probes/rpm/rpmverify/test_probes_rpmverify_not_equals_operation_offline.sh (Failed)
+	233 - probes/rpm/rpmverifyfile/test_probes_rpmverifyfile_offline.sh (Failed)
+	235 - probes/rpm/rpmverifypackage/test_probes_rpmverifypackage_offline.sh (Failed)
+---
+ tests/probes/rpm/rpm_common.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/probes/rpm/rpm_common.sh b/tests/probes/rpm/rpm_common.sh
+index eb96f76d80..909ad6ad39 100755
+--- a/tests/probes/rpm/rpm_common.sh
++++ b/tests/probes/rpm/rpm_common.sh
+@@ -31,8 +31,8 @@ function rpm_prepare_offline {
+     cp /usr/lib/rpm/rpmrc ${RPMTEST}/usr/lib/rpm/rpmrc
+     cp /usr/lib/rpm/macros ${RPMTEST}/usr/lib/rpm/macros
+     rpm_build
+-    rpm -i ${RPMBUILD}/RPMS/noarch/foobar-1.0-1.noarch.rpm --badreloc --relocate="/etc=${RPMTEST}/etc/" --dbpath="${RPMTEST}${RPMDB_PATH}"
+-    rpm -i ${RPMBUILD}/RPMS/noarch/foo-1.0-1.noarch.rpm --badreloc --relocate="/etc=${RPMTEST}/etc/" --dbpath="${RPMTEST}${RPMDB_PATH}"
++    rpm -i --nosignature ${RPMBUILD}/RPMS/noarch/foobar-1.0-1.noarch.rpm --badreloc --relocate="/etc=${RPMTEST}/etc/" --dbpath="${RPMTEST}${RPMDB_PATH}"
++    rpm -i --nosignature ${RPMBUILD}/RPMS/noarch/foo-1.0-1.noarch.rpm --badreloc --relocate="/etc=${RPMTEST}/etc/" --dbpath="${RPMTEST}${RPMDB_PATH}"
+ }
+ 
+ function rpm_cleanup_offline {
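Review bot: The two `rpm -i --nosignature` lines in `rpm_prepare_offline` carry no comment saying why signature verification is switched off, so the flag reads like a general workaround that could be copied into a non-test install path. I would add above them `# foobar/foo are built unsigned by rpm_build above and go only into the test db under ${RPMTEST}; rpm >= 6.0.0 enforces signatures by default.` The flag skips signature checks only and leaves digest checks in place, which is the narrowest option for this case. The function starts before the hunk, so other installs of these packages elsewhere in rpm_common.sh are not visible here and may need the same treatment.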

diff --git a/2360.patch b/2360.patch
new file mode 100644
index 0000000..7e05165
--- /dev/null
+++ b/2360.patch
@@ -0,0 +1,155 @@
+From 4e6cfa55b3e1bd2e851c7c9e1757f2a4bba28da5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 28 May 2026 09:30:27 +0200
+Subject: [PATCH] Fix segmenatation fault with xmlsec1 >= 1.3
+
+- Patch openscap src/source/signature.c to not call
+  `xmlSecCryptoAppShutdown()` after signature validation
+- xmlsec1 1.3 (PR #1133) added `OPENSSL_cleanup()` to this path to fix
+  valgrind warnings, but `OPENSSL_cleanup()` is irreversible and destroys
+  all process-global OpenSSL state
+- Any subsequent OpenSSL usage (e.g. librpm probe threads) segfaults
+- The patch initializes xmlsec/OpenSSL once per process via
+  `pthread_once` and removes the shutdown calls
+
+Patch authored by: @p5
+
+Fixes: https://github.com/OpenSCAP/openscap/issues/2358
+---
+ src/source/signature.c | 96 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 64 insertions(+), 32 deletions(-)
+
+diff --git a/src/source/signature.c b/src/source/signature.c
+index d3d888688a..c9733b4dc0 100644
+--- a/src/source/signature.c
++++ b/src/source/signature.c
+@@ -27,6 +27,9 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <assert.h>
++#ifdef OSCAP_THREAD_SAFE
++#include <pthread.h>
++#endif
+ 
+ #include <libxml/tree.h>
+ #include <libxml/xmlmemory.h>
+@@ -46,6 +49,47 @@
+ #include "oscap_source_priv.h"
+ #include "signature_priv.h"
+ 
++#ifdef OSCAP_THREAD_SAFE
++static pthread_once_t xmlsec_init_once = PTHREAD_ONCE_INIT;
++#else
++static bool xmlsec_init_done = false;
++#endif
++static int xmlsec_init_result = -1;
++
++static void _xmlsec_init(void)
++{
++	if (xmlSecInit() < 0) {
++		oscap_seterr(OSCAP_EFAMILY_XML, "Xmlsec initialization failed.");
++		return;
++	}
++	if (xmlSecCheckVersion() != 1) {
++		oscap_seterr(OSCAP_EFAMILY_XML, "Loaded xmlsec library version is not compatible.");
++		return;
++	}
++	if (xmlSecCryptoAppInit(NULL) < 0) {
++		oscap_seterr(OSCAP_EFAMILY_XML, "Crypto initialization failed.");
++		return;
++	}
++	if (xmlSecCryptoInit() < 0) {
++		oscap_seterr(OSCAP_EFAMILY_XML, "Xmlsec-crypto initialization failed.");
++		return;
++	}
++	xmlsec_init_result = 0;
++}
++
++static int _xmlsec_ensure_init(void)
++{
++#ifdef OSCAP_THREAD_SAFE
++	pthread_once(&xmlsec_init_once, _xmlsec_init);
++#else
++	if (!xmlsec_init_done) {
++		xmlsec_init_done = true;
++		_xmlsec_init();
++	}
++#endif
++	return xmlsec_init_result;
++}
++
+ struct oscap_signature_ctx {
+ 	const char *pubkey_pem; // path to the public key file in PEM format
+ 	const char *pubkey_cert_pem; // path to the public key certificate file in PEM format
+@@ -131,28 +175,20 @@ static int _oscap_signature_validate_doc(xmlDocPtr doc, oscap_document_type_t sc
+ 	xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ 	xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+ 
+-	/* Init xmlsec library */
+-	if (xmlSecInit() < 0) {
+-		oscap_seterr(OSCAP_EFAMILY_XML, "Xmlsec initialization failed.");
+-		return(-1);
+-	}
+-
+-	/* Check loaded library version */
+-	if (xmlSecCheckVersion() != 1) {
+-		oscap_seterr(OSCAP_EFAMILY_XML, "Loaded xmlsec library version is not compatible.");
+-		return(-1);
+-	}
+-
+-	/* Init crypto library */
+-	if (xmlSecCryptoAppInit(NULL) < 0) {
+-		oscap_seterr(OSCAP_EFAMILY_XML, "Crypto initialization failed.");
+-		return(-1);
+-	}
+-
+-	/* Init xmlsec-crypto library */
+-	if (xmlSecCryptoInit() < 0) {
+-		oscap_seterr(OSCAP_EFAMILY_XML, "Xmlsec-crypto initialization failed.");
+-		return(-1);
++	/* Initialize xmlsec and crypto libraries once per process.
++	 *
++	 * xmlSecCryptoAppShutdown() calls OPENSSL_cleanup() which is
++	 * irreversible and destroys all process-global OpenSSL state
++	 * including threading locks. Other libraries in the same process
++	 * (e.g. librpm) continue to use OpenSSL after signature validation
++	 * completes. Calling OPENSSL_cleanup() while they are active causes
++	 * a segfault in CRYPTO_THREAD_write_lock.
++	 *
++	 * The xmlsec/OpenSSL libraries are designed to be initialized once
++	 * and remain active for the process lifetime. Treat them as such.
++	 */
++	if (_xmlsec_ensure_init() < 0) {
++		goto cleanup;
+ 	}
+ 
+ 	/* find Signature node */
+@@ -261,22 +297,18 @@ static int _oscap_signature_validate_doc(xmlDocPtr doc, oscap_document_type_t sc
+ 	}
+ 
+ cleanup:
+-	/* cleanup */
++	/* cleanup per-validation resources only */
+ 	if (dsigCtx != NULL)
+ 		xmlSecDSigCtxDestroy(dsigCtx);
+ 
+-	/* destroy keys manager */
+ 	if (mngr != NULL)
+ 		xmlSecKeysMngrDestroy(mngr);
+ 
+-	/* Shutdown xmlsec-crypto library */
+-	xmlSecCryptoShutdown();
+-
+-	/* Shutdown crypto library */
+-	xmlSecCryptoAppShutdown();
+-
+-	/* Shutdown xmlsec library */
+-	xmlSecShutdown();
++	/* Do NOT call xmlSecCryptoShutdown(), xmlSecCryptoAppShutdown(),
++	 * or xmlSecShutdown() here. These destroy process-global state
++	 * (including OPENSSL_cleanup()) that other libraries rely on.
++	 * The resources are cleaned up at process exit.
++	 */
+ 
+ 	/* Shutdown libxslt/libxml */
+ 	xsltFreeSecurityPrefs(xsltSecPrefs);
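Review bot: An initialization failure in `_xmlsec_init` is reported only once, because `oscap_seterr` runs inside the once-routine. Every later call to `_xmlsec_ensure_init` returns the cached -1 and `_oscap_signature_validate_doc` jumps to `cleanup` with no error recorded for that call; if oscap's error state is per-thread, other threads never see it at all. Recording the message in `_xmlsec_init` and raising it from `_xmlsec_ensure_init` on each failing call keeps the diagnostics, as sketched below. The `goto cleanup` also replaces an early `return(-1)`, so it relies on the result variable and on `dsigCtx`/`mngr` already holding failure/NULL values at that point. Their declarations are outside the hunk and worth confirming, since a signature check must fail closed when the crypto library cannot be initialized.

```c
static const char *xmlsec_init_error = NULL;

static void _xmlsec_init(void)
{
	if (xmlSecInit() < 0) {
		xmlsec_init_error = "Xmlsec initialization failed.";
		return;
	}
	/* … unchanged order of checks: xmlSecCheckVersion, xmlSecCryptoAppInit,
	 * xmlSecCryptoInit, each storing its message the same way … */
	xmlsec_init_result = 0;
}

static int _xmlsec_ensure_init(void)
{
	/* … unchanged: pthread_once / xmlsec_init_done guard … */
	if (xmlsec_init_result < 0)
		oscap_seterr(OSCAP_EFAMILY_XML, "%s", xmlsec_init_error);
	return xmlsec_init_result;
}
```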

diff --git a/openscap.spec b/openscap.spec
index 33656a3..35061ec 100644
--- a/openscap.spec
+++ b/openscap.spec
@@ -1,12 +1,14 @@
 Name:           openscap
 Version:        1.4.4
-Release:        3%{?dist}
+Release:        4%{?dist}
 Epoch:          1
 Summary:        Set of open source libraries enabling integration of the SCAP line of standards
 License:        LGPL-2.1-or-later
 URL:            http://www.open-scap.org/
 VCS:            git:https://github.com/OpenSCAP/openscap
 Source0:        https://github.com/OpenSCAP/openscap/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch0:         2343.patch
+Patch1:         2360.patch
 
 %global         common_description %{expand:
 OpenSCAP is a set of open source libraries providing an easier path
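Review bot: `Patch0` and `Patch1` are added without a comment giving their upstream origin, and `Patch1` is not a test-only change: 2360.patch modifies `src/source/signature.c`, which is shipped library code. A comment line above each, for example `# Upstream fix for https://github.com/OpenSCAP/openscap/issues/2358 (segfault with xmlsec1 >= 1.3)` above `Patch1`, would tell the next maintainer when the patches can be dropped. The `%changelog` entry in the following hunk, `- Update tests`, would be more accurate as something like `- Skip RPM signature checks in tests; do not shut down xmlsec after signature validation`. The `%prep` section is outside the visible hunks, so whether the patches are applied automatically cannot be confirmed from here.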
@@ -320,6 +322,9 @@ pathfix.py -i %{__python3} -p -n %{buildroot}%{_bindir}/scap-as-rpm
 %{_mandir}/man8/oscap-podman.8*
 
 %changelog
+* Wed Jun 24 2026 Matthew Burket <mburket@redhat.com> - 1:1.4.4-4
+- Update tests
+
 * Thu Jun 11 2026 Yaakov Selkowitz <yselkowi@redhat.com> - 1:1.4.4-3
 - Use NSS for crypto
 
