From ce5688c5f6810392ac3223829eb7365f5a7404d8 Mon Sep 17 00:00:00 2001 From: Albin Kerouanton Date: Fri, 27 Oct 2023 13:20:39 +0200 Subject: [PATCH 1/6] ci: Update Go matrix Signed-off-by: Albin Kerouanton --- .github/workflows/test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 53308dc7..e13be28b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -13,7 +13,7 @@ jobs: timeout-minutes: 10 strategy: matrix: - go: ["1.13.x", "1.15.x", "1.16.x"] + go: ["1.13.x", "1.20.x", "1.21.x"] platform: [ubuntu-20.04] runs-on: ${{ matrix.platform }} steps: @@ -35,7 +35,7 @@ jobs: timeout-minutes: 10 strategy: matrix: - go: ["1.13.x", "1.15.x", "1.16.x"] + go: ["1.13.x", "1.20.x", "1.21.x"] platform: [windows-latest, macos-latest] runs-on: ${{ matrix.platform }} steps: From 8c00429b656823b99a06b882a0d15afcafdd4441 Mon Sep 17 00:00:00 2001 From: Albin Kerouanton Date: Fri, 27 Oct 2023 15:51:55 +0200 Subject: [PATCH 2/6] tests: Replace embedded Let's Encrypt cert with Amazon Root CA 1 The embedded Let's Encrypt cert expired on Sep 29 19:21:40 2021 GMT. The Amazon Root CA 1 expires on Jan 17 00:00:00 2038 GMT. Signed-off-by: Albin Kerouanton --- tlsconfig/config_test.go | 50 ++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 28 deletions(-) diff --git a/tlsconfig/config_test.go b/tlsconfig/config_test.go index eaf6a10e..f7c42351 100644 --- a/tlsconfig/config_test.go +++ b/tlsconfig/config_test.go @@ -12,37 +12,31 @@ import ( "testing" ) -// This is the currently active Let’s Encrypt R3 (RSA 2048, O = Let's Encrypt, CN = R3) -// cross-signed CA Intermediate cert, downloaded from: https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem -// It expires Sep 29 19:21:40 2021 GMT -// download updated versions from https://letsencrypt.org/certificates/ +// This is the currently active Amazon Root CA 1 (CN=Amazon Root CA 1,O=Amazon,C=US), +// downloaded from: https://www.amazontrust.com/repository/AmazonRootCA1.pem +// It's valid since May 26 00:00:00 2015 GMT and expires on Jan 17 00:00:00 2038 GMT. +// Download updated versions from https://www.amazontrust.com/repository/ const ( systemRootTrustedCert = ` -----BEGIN CERTIFICATE----- -MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/ -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow -MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT -AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs -jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp -Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB -U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7 -gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel -/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R -oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E -BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p -ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE -p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE -AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu -Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0 -LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf -r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B -AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH -ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8 -S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL -qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p -O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw -UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg== +MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF +ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 +b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL +MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv +b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj +ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM +9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw +IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6 +VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L +93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm +jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA +A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI +U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs +N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv +o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU +5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy +rqXRfboQnoZsG4q5WTP468SQvvG5 -----END CERTIFICATE----- ` rsaPrivateKeyFile = "fixtures/key.pem" From d5807de501e8618bbfeacec1c7a5955df229c0f7 Mon Sep 17 00:00:00 2001 From: Albin Kerouanton Date: Sat, 28 Oct 2023 13:06:01 +0200 Subject: [PATCH 3/6] tests: Skip tests failing on darwin TestConfigServerExclusiveRootPools and TestConfigClientExclusiveRootPools are failing on darwin with the same error message as on Windows: > Unable to verify certificate 1: x509: certificate signed by unknown authority The `(*Certificate).Verify()` method from `crypto/x509` special-case windows, darwin and ios GOOS to use a OS-specific verification process. This process seems to consider root CAs as invalid for some unknown reasons. This should be further investigated. Signed-off-by: Albin Kerouanton --- tlsconfig/config_test.go | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/tlsconfig/config_test.go b/tlsconfig/config_test.go index f7c42351..63dbacc5 100644 --- a/tlsconfig/config_test.go +++ b/tlsconfig/config_test.go @@ -199,10 +199,9 @@ func TestConfigServerTLSClientCASet(t *testing.T) { // Exclusive root pools determines whether the CA pool will be a union of the system // certificate pool and custom certs, or an exclusive or of the custom certs and system pool func TestConfigServerExclusiveRootPools(t *testing.T) { - if runtime.GOOS == "windows" { - // FIXME TestConfigServerExclusiveRootPools is failing on windows: - // config_test.go:244: Unable to verify certificate 1: x509: certificate signed by unknown authority - t.Skip("FIXME: failing on Windows") + if runtime.GOOS == "windows" || runtime.GOOS == "darwin" { + // FIXME: see https://github.com/docker/go-connections/issues/105. + t.Skip("FIXME: failing on Windows and darwin") } key, cert := getCertAndKey() ca := getMultiCert() @@ -564,10 +563,9 @@ func TestConfigClientTLSNotSetWithInvalidPassphrase(t *testing.T) { // Exclusive root pools determines whether the CA pool will be a union of the system // certificate pool and custom certs, or an exclusive or of the custom certs and system pool func TestConfigClientExclusiveRootPools(t *testing.T) { - if runtime.GOOS == "windows" { - // FIXME TestConfigClientExclusiveRootPools is failing on windows: - // config_test.go:597: Unable to verify certificate 1: x509: certificate signed by unknown authority - t.Skip("FIXME: failing on Windows") + if runtime.GOOS == "windows" || runtime.GOOS == "darwin" { + // FIXME: see https://github.com/docker/go-connections/issues/105. + t.Skip("FIXME: failing on Windows and darwin") } ca := getMultiCert() From d50e6dd4e46b8154b4f32ccaa8fe2c2d1faa35a8 Mon Sep 17 00:00:00 2001 From: Albin Kerouanton Date: Sat, 28 Oct 2023 13:18:33 +0200 Subject: [PATCH 4/6] ci: Disable fail-fast strategy Signed-off-by: Albin Kerouanton --- .github/workflows/test.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e13be28b..658a3ea3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -12,6 +12,7 @@ jobs: name: Test ${{ matrix.platform }} (${{ matrix.go }}) timeout-minutes: 10 strategy: + fail-fast: false matrix: go: ["1.13.x", "1.20.x", "1.21.x"] platform: [ubuntu-20.04] @@ -34,6 +35,7 @@ jobs: name: Test ${{ matrix.platform }} (${{ matrix.go }}) timeout-minutes: 10 strategy: + fail-fast: false matrix: go: ["1.13.x", "1.20.x", "1.21.x"] platform: [windows-latest, macos-latest] @@ -54,6 +56,7 @@ jobs: name: Lint ${{ matrix.platform }} timeout-minutes: 10 strategy: + fail-fast: false matrix: platform: [ubuntu-20.04, windows-latest, macos-latest] runs-on: ${{ matrix.platform }} From a85ee0f7c5887635addec2829b3b47486a6c043c Mon Sep 17 00:00:00 2001 From: Albin Kerouanton Date: Sat, 28 Oct 2023 13:23:29 +0200 Subject: [PATCH 5/6] ci: Bump golangci-lint version Signed-off-by: Albin Kerouanton --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 658a3ea3..e752b5c1 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -65,4 +65,4 @@ jobs: - uses: golangci/golangci-lint-action@v2 with: # must be specified without patch version - version: v1.41 + version: v1.55 From fdf5cfb111f74e0247a0c87cc9ea1537e881a8ff Mon Sep 17 00:00:00 2001 From: Albin Kerouanton Date: Sat, 28 Oct 2023 13:43:35 +0200 Subject: [PATCH 6/6] ci: Increase golangci-lint timeout Windows lint job fails with the following error messages: > level=error msg="Running error: context loading failed: failed to load packages: timed out to load packages: context deadline exceeded" > level=error msg="Timeout exceeded: try increasing it by passing --timeout option" Signed-off-by: Albin Kerouanton --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e752b5c1..ea87c0d0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -66,3 +66,4 @@ jobs: with: # must be specified without patch version version: v1.55 + args: --timeout=5m