Update .github/workflows/test.yml #784
Conversation
This include the following changes: - Use Bundler cache provided by ruby/actions. "bundle install" is no longer necessary. Rake must be invoked through "bundle exec". - Use OpenSSL source from GitHub openssl/openssl tags. - Cache compiled OpenSSL/LibreSSL when possible. - Change no-legacy tests to use OpenSSL 3.3 to allow caching. - Add timeout for "rake test_fips". - Misc formatting cleanup.
|
Thanks for the PR! Let me review this PR later. |
There was a problem hiding this comment.
I reviewed!
1. 9bcc9f4 Update .github/workflows/test.yml
I commented some things. I verified how to download the OpenSSL source from GitHub tag by my forked repository disabling the cache. I like the improvement downloading the OpenSSL source from the GitHub tag.
https://github.com/junaruga/ruby-openssl/actions/runs/10245021759/job/28339172006
2. 3982fe7 .github/workflows/test.yml: reenable truffleruby tests
It looks good to me.
3. f8a98e3 test/openssl/test_pkey_dsa.rb: skip all tests in FIPS mode
For the commit message, "It appears that the next version of OpenSSL running in the FIPS mode will not support DSA key generation and signature generation.", can you write the specific OpenSSL version instead of the "next version" with the reference document link? It's useful to see the commit message in the future.
OpenSSL running in the FIPS mode will stop supporting DSA key generation and signature generation due to a FIPS 140-3 requirement. Although it appears that FIPS 186-5 still allows signature verification in some cases, there would be little point in writing such a specific test case. DSA will still be tested if OpenSSL is not running in the FIPS mode. test_generate_on_non_fips is merged to test_generate again.
rhenium
force-pushed
the
ky/github-actions-cleanup
branch
from
f8a98e3
to
3651884
Compare
I avoided mentioning a version number because it seemed like to be a FIPS 140 requirement that will soon (or has already?) come into effect, so every OpenSSL downstream that intends to get its own certification will have to backport the change. This is the commit in master that disables DSA signing: openssl/openssl@85caa41 https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-ig-announcements mentions the transition from FIPS 186-4 to FIPS 186-5 which bans DSA signing. (Another reason is that I'm unsure about OpenSSL's release cycle - I think it will likely be 3.4, but OpenSSL 3.1 was forked from 3.0 branch instead of master, to everyone's surprise :P) Anyway, I reworded the commit message to emphasize it's due to FIPS 140-3 requirement than a feature in OpenSSL. |
Thanks for sharing the reference document. I can see the "C.K Transition from FIPS 186-4 to FIPS 186-5 and SP 800-186" 3 times on the above page. The FIPS 186-5 and SP 800-186 document mentions The Digital Signature Algorithm (DSA), which was specified in prior versions of FIPS 186, is retained only for the purposes of verifying existing signatures.. |
This include the following changes:
And:
This reverts the following commits:
2023-02-16)
The logs are expired and I was unable to see what exactly was failing,
but these combinations seem to work as expected now.