azurelinux icon indicating copy to clipboard operation
azurelinux copied to clipboard
verified publisher icon microsoft

add SymCrypt and SymCrypt-OpenSSL to images with openssl

Open tobiasb-ms opened this issue 1 year ago • 0 comments

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • [x] The toolchain has been rebuilt successfully (or no changes were made to it)
  • [x] The toolchain/worker package manifests are up-to-date
  • [x] Any updated packages successfully build (or no packages were changed)
  • [x] Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • [x] Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • [x] All package sources are available
  • [x] cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • [x] LICENSE-MAP files are up-to-date (./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
  • [x] All source files have up-to-date hashes in the *.signatures.json files
  • [ ] sudo make go-tidy-all and sudo make go-test-coverage pass
  • [x] Documentation has been updated to match any changes to the build system
  • [x] Ready to merge
Summary

Add SymCrypt and SymCrypt-OpenSSL as Recommends packages for openssl and add them to images with openssl.

Note that an initial version of this commit with incorrect capitalization on SymCrypt-OpenSSL was merged in #7977 and then reverted in #8001.

In AZL 3 openssl relies on SymCrypt for FIPS mode. As such, we want SymCrypt and the related SymCrypt-OpenSSL packages installed where openssl is installed. To accomplish this, we do two things:

  1. Add these packages as Recommends in the openssl spec. This means that if the package manager can find these packages, it will install them when openssl is installed, but it won't refuse to install openssl if it can't find them.
  2. Add these packages to any image that has openssl.

One may wonder why we didn't simply add these packages as Requires to openssl. The issue here is that SymCrypt has a BuildRequires on python, which in turn requires openssl, so there's a circular dependency.

Change Log
  • Add SymCrypt and SymCrypt-OpenSSL as Recommends in the openssl spec file.
  • Add SymCrypt and SymCrypt-OpenSSL to any image that already has openssl
Does this affect the toolchain?

YES

Test Methodology
  • Tested locally to make sure the relevant Recommends and Requires gets into the built rpms.
  • Build: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=510542&view=results

tobiasb-ms avatar Feb 21 '24 22:02 tobiasb-ms