* [rpms/openscap] rawhide: Add upstream PRs to fix tests
@ 2026-06-26 15:46 Matthew Burket
From: Matthew Burket @ 2026-06-26 15:46 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openscap
Branch : rawhide
Commit : b5b5a2e4541e028ec243ad7a08c5b183d92340df
Author : Matthew Burket <mburket@redhat.com>
Date : 2026-06-24T12:52:13-05:00
Stats : +200/-1 in 3 file(s)
URL : https://src.fedoraproject.org/rpms/openscap/c/b5b5a2e4541e028ec243ad7a08c5b183d92340df?branch=rawhide
Log:
Add upstream PRs to fix tests
---
diff --git a/2343.patch b/2343.patch
new file mode 100644
index 0000000..0ed0c8c
--- /dev/null
+++ b/2343.patch
@@ -0,0 +1,39 @@
+From 32fb2674256cabe003b2c391475b6e760035a205 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Wed, 22 Apr 2026 16:31:37 +0200
+Subject: [PATCH] Skip verifying RPM signatures in tests
+
+Our tests install some dummy test RPM pacakges. Starting from
+rpm version 6.0.0 rpm by default requires veryfing signatures.
+Our dummy packages aren't signed, which causes that they aren't
+installed and the tests fail.
+
+This commit should fix the broken CI on Rawhide.
+
+Addressing:
+package foobar-1.0-1.noarch does not verify: no signature
+
+The following tests FAILED:
+ 228 - probes/rpm/rpminfo/test_probes_rpminfo_offline.sh (Failed)
+ 230 - probes/rpm/rpmverify/test_probes_rpmverify_not_equals_operation_offline.sh (Failed)
+ 233 - probes/rpm/rpmverifyfile/test_probes_rpmverifyfile_offline.sh (Failed)
+ 235 - probes/rpm/rpmverifypackage/test_probes_rpmverifypackage_offline.sh (Failed)
+---
+ tests/probes/rpm/rpm_common.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/probes/rpm/rpm_common.sh b/tests/probes/rpm/rpm_common.sh
+index eb96f76d80..909ad6ad39 100755
+--- a/tests/probes/rpm/rpm_common.sh
++++ b/tests/probes/rpm/rpm_common.sh
+@@ -31,8 +31,8 @@ function rpm_prepare_offline {
+ cp /usr/lib/rpm/rpmrc ${RPMTEST}/usr/lib/rpm/rpmrc
+ cp /usr/lib/rpm/macros ${RPMTEST}/usr/lib/rpm/macros
+ rpm_build
+- rpm -i ${RPMBUILD}/RPMS/noarch/foobar-1.0-1.noarch.rpm --badreloc --relocate="/etc=${RPMTEST}/etc/" --dbpath="${RPMTEST}${RPMDB_PATH}"
+- rpm -i ${RPMBUILD}/RPMS/noarch/foo-1.0-1.noarch.rpm --badreloc --relocate="/etc=${RPMTEST}/etc/" --dbpath="${RPMTEST}${RPMDB_PATH}"
++ rpm -i --nosignature ${RPMBUILD}/RPMS/noarch/foobar-1.0-1.noarch.rpm --badreloc --relocate="/etc=${RPMTEST}/etc/" --dbpath="${RPMTEST}${RPMDB_PATH}"
++ rpm -i --nosignature ${RPMBUILD}/RPMS/noarch/foo-1.0-1.noarch.rpm --badreloc --relocate="/etc=${RPMTEST}/etc/" --dbpath="${RPMTEST}${RPMDB_PATH}"
+ }
+
+ function rpm_cleanup_offline {
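Review bot: The two `rpm -i --nosignature` lines in `rpm_prepare_offline` carry no comment saying why signature checking is switched off; the reason exists only in the patch description. A comment above them would keep the flag from being copied into code that installs packages it did not build, e.g. `# foobar/foo are unsigned dummy packages produced by rpm_build above; rpm >= 6.0.0 refuses unsigned packages by default, so skip the signature check for these two installs only`. The same comment could note that both installs write to the test rpmdb selected by `--dbpath="${RPMTEST}${RPMDB_PATH}"`. `rpm_prepare_offline` starts outside the hunk.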
diff --git a/2360.patch b/2360.patch
new file mode 100644
index 0000000..7e05165
--- /dev/null
+++ b/2360.patch
@@ -0,0 +1,155 @@
+From 4e6cfa55b3e1bd2e851c7c9e1757f2a4bba28da5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Thu, 28 May 2026 09:30:27 +0200
+Subject: [PATCH] Fix segmenatation fault with xmlsec1 >= 1.3
+
+- Patch openscap src/source/signature.c to not call
+ `xmlSecCryptoAppShutdown()` after signature validation
+- xmlsec1 1.3 (PR #1133) added `OPENSSL_cleanup()` to this path to fix
+ valgrind warnings, but `OPENSSL_cleanup()` is irreversible and destroys
+ all process-global OpenSSL state
+- Any subsequent OpenSSL usage (e.g. librpm probe threads) segfaults
+- The patch initializes xmlsec/OpenSSL once per process via
+ `pthread_once` and removes the shutdown calls
+
+Patch authored by: @p5
+
+Fixes: https://github.com/OpenSCAP/openscap/issues/2358
+---
+ src/source/signature.c | 96 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 64 insertions(+), 32 deletions(-)
+
+diff --git a/src/source/signature.c b/src/source/signature.c
+index d3d888688a..c9733b4dc0 100644
+--- a/src/source/signature.c
++++ b/src/source/signature.c
+@@ -27,6 +27,9 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <assert.h>
++#ifdef OSCAP_THREAD_SAFE
++#include <pthread.h>
++#endif
+
+ #include <libxml/tree.h>
+ #include <libxml/xmlmemory.h>
+@@ -46,6 +49,47 @@
+ #include "oscap_source_priv.h"
+ #include "signature_priv.h"
+
++#ifdef OSCAP_THREAD_SAFE
++static pthread_once_t xmlsec_init_once = PTHREAD_ONCE_INIT;
++#else
++static bool xmlsec_init_done = false;
++#endif
++static int xmlsec_init_result = -1;
++
++static void _xmlsec_init(void)
++{
++ if (xmlSecInit() < 0) {
++ oscap_seterr(OSCAP_EFAMILY_XML, "Xmlsec initialization failed.");
++ return;
++ }
++ if (xmlSecCheckVersion() != 1) {
++ oscap_seterr(OSCAP_EFAMILY_XML, "Loaded xmlsec library version is not compatible.");
++ return;
++ }
++ if (xmlSecCryptoAppInit(NULL) < 0) {
++ oscap_seterr(OSCAP_EFAMILY_XML, "Crypto initialization failed.");
++ return;
++ }
++ if (xmlSecCryptoInit() < 0) {
++ oscap_seterr(OSCAP_EFAMILY_XML, "Xmlsec-crypto initialization failed.");
++ return;
++ }
++ xmlsec_init_result = 0;
++}
++
++static int _xmlsec_ensure_init(void)
++{
++#ifdef OSCAP_THREAD_SAFE
++ pthread_once(&xmlsec_init_once, _xmlsec_init);
++#else
++ if (!xmlsec_init_done) {
++ xmlsec_init_done = true;
++ _xmlsec_init();
++ }
++#endif
++ return xmlsec_init_result;
++}
++
+ struct oscap_signature_ctx {
+ const char *pubkey_pem; // path to the public key file in PEM format
+ const char *pubkey_cert_pem; // path to the public key certificate file in PEM format
+@@ -131,28 +175,20 @@ static int _oscap_signature_validate_doc(xmlDocPtr doc, oscap_document_type_t sc
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+
+- /* Init xmlsec library */
+- if (xmlSecInit() < 0) {
+- oscap_seterr(OSCAP_EFAMILY_XML, "Xmlsec initialization failed.");
+- return(-1);
+- }
+-
+- /* Check loaded library version */
+- if (xmlSecCheckVersion() != 1) {
+- oscap_seterr(OSCAP_EFAMILY_XML, "Loaded xmlsec library version is not compatible.");
+- return(-1);
+- }
+-
+- /* Init crypto library */
+- if (xmlSecCryptoAppInit(NULL) < 0) {
+- oscap_seterr(OSCAP_EFAMILY_XML, "Crypto initialization failed.");
+- return(-1);
+- }
+-
+- /* Init xmlsec-crypto library */
+- if (xmlSecCryptoInit() < 0) {
+- oscap_seterr(OSCAP_EFAMILY_XML, "Xmlsec-crypto initialization failed.");
+- return(-1);
++ /* Initialize xmlsec and crypto libraries once per process.
++ *
++ * xmlSecCryptoAppShutdown() calls OPENSSL_cleanup() which is
++ * irreversible and destroys all process-global OpenSSL state
++ * including threading locks. Other libraries in the same process
++ * (e.g. librpm) continue to use OpenSSL after signature validation
++ * completes. Calling OPENSSL_cleanup() while they are active causes
++ * a segfault in CRYPTO_THREAD_write_lock.
++ *
++ * The xmlsec/OpenSSL libraries are designed to be initialized once
++ * and remain active for the process lifetime. Treat them as such.
++ */
++ if (_xmlsec_ensure_init() < 0) {
++ goto cleanup;
+ }
+
+ /* find Signature node */
+@@ -261,22 +297,18 @@ static int _oscap_signature_validate_doc(xmlDocPtr doc, oscap_document_type_t sc
+ }
+
+ cleanup:
+- /* cleanup */
++ /* cleanup per-validation resources only */
+ if (dsigCtx != NULL)
+ xmlSecDSigCtxDestroy(dsigCtx);
+
+- /* destroy keys manager */
+ if (mngr != NULL)
+ xmlSecKeysMngrDestroy(mngr);
+
+- /* Shutdown xmlsec-crypto library */
+- xmlSecCryptoShutdown();
+-
+- /* Shutdown crypto library */
+- xmlSecCryptoAppShutdown();
+-
+- /* Shutdown xmlsec library */
+- xmlSecShutdown();
++ /* Do NOT call xmlSecCryptoShutdown(), xmlSecCryptoAppShutdown(),
++ * or xmlSecShutdown() here. These destroy process-global state
++ * (including OPENSSL_cleanup()) that other libraries rely on.
++ * The resources are cleaned up at process exit.
++ */
+
+ /* Shutdown libxslt/libxml */
+ xsltFreeSecurityPrefs(xsltSecPrefs);
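Review bot: In the inner patch to src/source/signature.c, `_xmlsec_init` calls `oscap_seterr` only during the one run that `pthread_once` (or the `xmlsec_init_done` flag) allows, so after a failed initialisation every later call to `_xmlsec_ensure_init` returns -1 without recording an error for that caller. A failed init is now permanent for the process, which deserves a comment on `xmlsec_init_result`, and `_xmlsec_ensure_init` could report the cached failure each time with something like `if (xmlsec_init_result < 0) oscap_seterr(OSCAP_EFAMILY_XML, "Xmlsec initialization failed.");` before its return. The new `goto cleanup` replaces `return(-1)`, and the value returned after `cleanup:` is set outside the visible hunks, so it is worth confirming that it is still a failure code at that point and that `dsigCtx` and `mngr` are NULL-initialised before the jump; otherwise an initialisation failure could be reported as a valid signature. `_oscap_signature_validate_doc` begins and ends outside the hunks shown.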
diff --git a/openscap.spec b/openscap.spec
index 33656a3..35061ec 100644
--- a/openscap.spec
+++ b/openscap.spec
@@ -1,12 +1,14 @@
Name: openscap
Version: 1.4.4
-Release: 3%{?dist}
+Release: 4%{?dist}
Epoch: 1
Summary: Set of open source libraries enabling integration of the SCAP line of standards
License: LGPL-2.1-or-later
URL: http://www.open-scap.org/
VCS: git:https://github.com/OpenSCAP/openscap
Source0: https://github.com/OpenSCAP/openscap/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch0: 2343.patch
+Patch1: 2360.patch
%global common_description %{expand:
OpenSCAP is a set of open source libraries providing an easier path
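Review bot: `Patch1: 2360.patch` changes shipped library code in src/source/signature.c (xmlsec/OpenSSL initialisation and shutdown around signature validation), but the commit title and the `%changelog` entry in the next hunk describe the update only as test fixes. The changelog is what downstream reviewers read to decide whether a rebuild touches runtime behaviour, so it should name the change, for example `- Do not shut down xmlsec/OpenSSL after signature validation (2360.patch)` alongside `- Skip RPM signature verification for dummy test packages (2343.patch)`. A short comment above each `PatchN:` line pointing at its upstream origin would also help the audit trail.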
@@ -320,6 +322,9 @@ pathfix.py -i %{__python3} -p -n %{buildroot}%{_bindir}/scap-as-rpm
%{_mandir}/man8/oscap-podman.8*
%changelog
+* Wed Jun 24 2026 Matthew Burket <mburket@redhat.com> - 1:1.4.4-4
+- Update tests
+
* Thu Jun 11 2026 Yaakov Selkowitz <yselkowi@redhat.com> - 1:1.4.4-3
- Use NSS for crypto