fix(nbd): regenerate TLS test certificates at build time#17142
Open
WithEnoughCoffee wants to merge 1 commit into
Conversation
The nbd 3.25 test suite ships pre-built TLS certificates that were generated on 2016-04-19 with a 10-year expiration (expiration_days=3650), meaning they expired on 2026-04-17. This causes the tls and tlshuge tests to fail with 'Error in the certificate' from GnuTLS.

Rather than marking the tests as expected failures (the previous workaround) or backporting static certs from nbd 3.27.0 (which will expire again in 2033), regenerate all test certificates fresh at build time using certtool and the .info template files already present in the source tree. This ensures the certs are always valid regardless of when the package is built.

Changes:
- Add BuildRequires: gnutls-utils (provides certtool)
- Regenerate CA, server, client, and selfsigned certs in %check
- Remove XFAIL_TESTS="tls tlshuge" workaround
- Remove spec-search-replace overlay from nbd.comp.toml

Ref: tests/run/certs/README.md (upstream cert generation procedure)
Ref: upstream fix in nbd 3.27.0 (commit 58b356b)
Precedent: rubygem-excon, libserf (Fedora specs that regenerate test certs)
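As an added example (not part of this PR and not code from the nbd project): a stdlib-only Python pre-flight check that reads the Validity field out of a PEM certificate and reports whether it is expired, which is the condition behind the 'Error in the certificate' failure described above. Run over `tests/run/certs/*.pem` before `make check`, a check like this turns the generic GnuTLS error into an explicit "expired on 2026-04-17". All function names (`pem_to_der`, `validity`, `check_cert`, `sample_pem`) are this example's own. The certificate it parses is a constructed, unsigned DER skeleton built inline so the script runs offline; its Validity applies certtool's `expiration_days = 3650` to the 2016-04-19 generation date from the description, which is how the notAfter date lands on 2026-04-17 (two leap days fall inside the window).

```python
# Added example: pre-flight expiry check for PEM test certificates (stdlib only).
# Walks the DER structure of an X.509 certificate only as far as the Validity
# SEQUENCE, so a build can say "expired on <date>" instead of failing later in
# GnuTLS with a generic certificate error.
import base64
import re
from datetime import datetime, timedelta, timezone

SAMPLE_GENERATED = datetime(2016, 4, 19, tzinfo=timezone.utc)  # generation date from the PR text
SAMPLE_EXPIRATION_DAYS = 3650                                   # expiration_days in the .info templates


def pem_to_der(pem: str) -> bytes:
    """Base64-decode the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(constructed: bytes):
    """Yield (tag, value) for each element inside a SEQUENCE or explicit tag."""
    pos = 0
    while pos < len(constructed):
        tag, val, pos = _tlv(constructed, pos)
        yield tag, val


def _parse_time(tag: int, val: bytes) -> datetime:
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}.get(tag)
    if fmt is None:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    # strptime's %y maps 00-68 to 20xx, which covers RFC 5280's 00-49 rule for certs made after 2000
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def validity(der: bytes):
    """Return (notBefore, notAfter): Certificate > tbsCertificate > validity."""
    _, cert, _ = _tlv(der, 0)              # outer Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:               # optional explicit [0] version comes first; skip it
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    tag, val = fields[3]
    if tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    (t1, nb), (t2, na) = _children(val)
    return _parse_time(t1, nb), _parse_time(t2, na)


def check_cert(pem: str, now: datetime, warn_days: int = 30) -> str:
    """Classify a PEM certificate relative to now: ok | expiring | expired | not-yet-valid."""
    not_before, not_after = validity(pem_to_der(pem))
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if not_after - now < timedelta(days=warn_days):
        return "expiring"
    return "ok"


def _der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def sample_pem(generated: datetime = SAMPLE_GENERATED,
               expiration_days: int = SAMPLE_EXPIRATION_DAYS) -> str:
    """Constructed sample: an unsigned certificate skeleton, NOT a real nbd test cert.
    Issuer, subject, SPKI and signature are empty placeholders; only the field layout
    matters. Validity runs generated .. generated + expiration_days, as certtool does."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    empty = _der(0x30, b"")
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                    # [0] version v3
               + _der(0x02, b"\x01")                                # serialNumber
               + empty + empty                                      # signature alg, issuer
               + _der(0x30, utc(generated) + utc(generated + timedelta(days=expiration_days)))
               + empty + empty)                                     # subject, SPKI
    return der_to_pem(_der(0x30, tbs + empty + _der(0x03, b"\x00")))   # + sigAlg, signature


if __name__ == "__main__":
    pem = sample_pem()
    nb, na = validity(pem_to_der(pem))
    print(f"notBefore={nb:%Y-%m-%d} notAfter={na:%Y-%m-%d} "
          f"status today={check_cert(pem, datetime.now(timezone.utc))}")
```

To check the shipped files instead of the constructed sample, call `check_cert(open(path).read(), datetime.now(timezone.utc))` for each PEM under `tests/run/certs`; `warn_days` also flags certificates that are about to expire, so a maintainer sees the cliff before the test suite falls off it.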
Contributor
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Regenerates nbd’s TLS test certificates during %check to avoid failures caused by expired prebuilt certs, and removes the previous XFAIL workaround/overlay.
Changes:
- Add `BuildRequires: gnutls-utils` to ensure `certtool` is available during builds.
- Regenerate CA/server/client/self-signed test certs in `%check` and run `make check` without `XFAIL_TESTS`.
- Remove the `spec-search-replace` overlay that injected the XFAIL behavior.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| specs/n/nbd/nbd.spec | Adds cert regeneration in %check, removes XFAILs, and adds gnutls-utils build requirement. |
| base/comps/nbd/nbd.comp.toml | Removes overlay that previously marked TLS tests as expected failures. |
Comment on lines +65 to +80

```sh
pushd tests/run/certs
certtool --generate-privkey --outfile ca-key.pem 2>/dev/null
certtool --generate-self-signed --load-privkey ca-key.pem \
  --template ca.info --outfile ca-cert.pem 2>/dev/null
certtool --generate-privkey --outfile server-key.pem 2>/dev/null
certtool --generate-certificate --load-ca-certificate ca-cert.pem \
  --load-ca-privkey ca-key.pem --load-privkey server-key.pem \
  --template server.info --outfile server-cert.pem 2>/dev/null
certtool --generate-privkey --outfile client-key.pem 2>/dev/null
certtool --generate-certificate --load-ca-certificate ca-cert.pem \
  --load-ca-privkey ca-key.pem --load-privkey client-key.pem \
  --template client.info --outfile client-cert.pem 2>/dev/null
certtool --generate-privkey --outfile selfsigned-key.pem 2>/dev/null
certtool --generate-self-signed --load-privkey selfsigned-key.pem \
  --template ca.info --outfile selfsigned-cert.pem 2>/dev/null
popd
```
Comment on lines +66 to +79

```sh
certtool --generate-privkey --outfile ca-key.pem 2>/dev/null
certtool --generate-self-signed --load-privkey ca-key.pem \
  --template ca.info --outfile ca-cert.pem 2>/dev/null
certtool --generate-privkey --outfile server-key.pem 2>/dev/null
certtool --generate-certificate --load-ca-certificate ca-cert.pem \
  --load-ca-privkey ca-key.pem --load-privkey server-key.pem \
  --template server.info --outfile server-cert.pem 2>/dev/null
certtool --generate-privkey --outfile client-key.pem 2>/dev/null
certtool --generate-certificate --load-ca-certificate ca-cert.pem \
  --load-ca-privkey ca-key.pem --load-privkey client-key.pem \
  --template client.info --outfile client-cert.pem 2>/dev/null
certtool --generate-privkey --outfile selfsigned-key.pem 2>/dev/null
certtool --generate-self-signed --load-privkey selfsigned-key.pem \
  --template ca.info --outfile selfsigned-cert.pem 2>/dev/null
```
🔒❌ Lock files are out of date
FIX: run this and commit the result: `azldev component update -p nbd`
Or download the fix patch and apply it:
gh run download 25700009731 -R microsoft/azurelinux -n locks-patch
git apply locks.patch
Changed components (1)

📄❌ Rendered specs are out of date
FIX: run this and commit the result: `azldev component render nbd`
Or download the fix patch and apply it:
gh run download 25700009731 -R microsoft/azurelinux -n rendered-specs-patch
git apply rendered-specs.patch

Content diffs: `specs/n/nbd/nbd.spec`
--- committed/specs/n/nbd/nbd.spec
+++ rendered/specs/n/nbd/nbd.spec
@@ -2,7 +2,7 @@
## (rpmautospec version 0.8.3)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
- release_number = 8;
+ release_number = 9;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
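Review bot: the rendered spec carries `release_number = 9` while the committed spec still says `8`, so the committed `nbd.spec` has not had its Release incremented for this change. Take the number from the re-rendered output (`azldev component render nbd`, as the bot message above says) rather than editing it by hand, so the committed and rendered files agree.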
@@ -26,7 +26,6 @@
BuildRequires: gcc
BuildRequires: glib2-devel >= 2.26
BuildRequires: gnutls-devel
-BuildRequires: gnutls-utils
BuildRequires: zlib-devel
BuildRequires: libnl3-devel
BuildRequires: bison
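Review bot: the render removes `BuildRequires: gnutls-utils`, which means the committed spec contains a line that `azldev component render nbd` does not reproduce. A hand edit to the rendered `specs/n/nbd/nbd.spec` is overwritten on the next render, so the gnutls-utils build requirement has to be expressed where the render picks it up, i.e. in the component definition (`base/comps/nbd/nbd.comp.toml`, the same file whose `spec-search-replace` overlay this PR deletes), not only in the rendered file.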
@@ -59,25 +58,6 @@
install -pDm644 %{S:2} %{buildroot}%{_sysconfdir}/sysconfig/nbd-server
%check
-# Regenerate TLS test certificates at build time so they are always valid.
-# The shipped certs (generated 2016) expired on 2026-04-17.
-# See tests/run/certs/README.md for the upstream procedure.
-pushd tests/run/certs
-certtool --generate-privkey --outfile ca-key.pem 2>/dev/null
-certtool --generate-self-signed --load-privkey ca-key.pem \
- --template ca.info --outfile ca-cert.pem 2>/dev/null
-certtool --generate-privkey --outfile server-key.pem 2>/dev/null
-certtool --generate-certificate --load-ca-certificate ca-cert.pem \
- --load-ca-privkey ca-key.pem --load-privkey server-key.pem \
- --template server.info --outfile server-cert.pem 2>/dev/null
-certtool --generate-privkey --outfile client-key.pem 2>/dev/null
-certtool --generate-certificate --load-ca-certificate ca-cert.pem \
- --load-ca-privkey ca-key.pem --load-privkey client-key.pem \
- --template client.info --outfile client-cert.pem 2>/dev/null
-certtool --generate-privkey --outfile selfsigned-key.pem 2>/dev/null
-certtool --generate-self-signed --load-privkey selfsigned-key.pem \
- --template ca.info --outfile selfsigned-cert.pem 2>/dev/null
-popd
# wait longer for nbd-server to fully start,
# one second may not be enough on Fedora building infra
DELAY=10 make check
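Review bot: every `certtool` call in the `%check` block sends stderr to `/dev/null`, so if a template fails to parse or a key file cannot be written the build log keeps no diagnostic and the failure only surfaces later as the same opaque `tls`/`tlshuge` error this PR is trying to remove. Drop the `2>/dev/null` (or confine it to the `--generate-privkey` calls if the progress output is the concern) and make sure a non-zero `certtool` exit aborts `%check` before `DELAY=10 make check` runs. The same render problem as the BuildRequires hunk applies here too: the whole block from `# Regenerate TLS test certificates` to `popd` exists only in the committed spec and disappears when the spec is re-rendered, so it needs to be carried by the component definition as well.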
@@ -107,6 +87,9 @@
%changelog
## START: Generated by rpmautospec
+* Mon May 11 2026 azldev <azldev@local> - 3.25-9
+- Local changes (uncommitted)
+
* Thu Apr 30 2026 Daniel McIlvaney <[email protected]> - 3.25-8
- feat: introduce deterministic commit resolution via Azure Linux lock file
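Review bot: the rendered changelog gains a placeholder entry `* Mon May 11 2026 azldev <azldev@local> - 3.25-9` / `- Local changes (uncommitted)`; the entry itself says the render ran over uncommitted local changes. That text must not reach the committed spec, so re-render after the change is committed with a message rpmautospec can turn into the real 3.25-9 changelog line (the `## RPMAUTOSPEC: autorelease, autochangelog` header above shows the changelog is generated from git, not hand-written).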
Testing:
PASS: tls
PASS: tlswrongcert
PASS: tlshuge
All 19 tests passed — including tls, tlswrongcert, and tlshuge.
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR):
- Packages (`*-static` subpackages, etc.) have had their `Release` tag incremented.
- cgmanifest files (`./cgmanifest.json`, `./toolkit/scripts/toolchain/cgmanifest.json`, `.github/workflows/cgmanifest.json`)
- License files (`./LICENSES-AND-NOTICES/SPECS/data/licenses.json`, `./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md`, `./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON`)
- `*.signatures.json` files
- `sudo make go-tidy-all` and `sudo make go-test-coverage` pass