Bug#1057357: qtremoteobjects-everywhere-src: FTBFS in bullseye and bookworm because of expired SSL certificates, will also FTBFS in trixie/sid eventually

2023-12-04 Thread Dmitry Shachnev
Hi Santiago!

On Sun, Dec 03, 2023 at 11:23:07PM +0100, Santiago Vila wrote:
> [...]
>
> I'm attaching two patches to fix this.
>
> The first one modifies the script 
> tests/auto/external_IODevice/cert/generate.sh
> so that certificates expire in ten years.
>
> The second patch is merely the result of running the script.

Generally, we try to avoid including patches which have not been applied
upstream. And upstream has solved this problem by simply regenerating the
patches with the old configuration [1].

So I have forwarded your first patch to upstream [2] to give them a chance
to review it. If it's approved/merged, I will submit your second patch to
regenerate the certificates again (I hope you don't mind).

If there is no response from upstream, I will go ahead and make uploads
with both patches in a week.

[1]: https://code.qt.io/cgit/qt/qtremoteobjects.git/commit/?id=ac3b93c886c04bc1
[2]: https://codereview.qt-project.org/c/qt/qtremoteobjects/+/522923

--
Dmitry Shachnev




Bug#1057357: qtremoteobjects-everywhere-src: FTBFS in bullseye and bookworm because of expired SSL certificates, will also FTBFS in trixie/sid eventually

2023-12-03 Thread Santiago Vila

Package: src:qtremoteobjects-everywhere-src
Version: 5.15.2-2
Severity: serious
Tags: ftbfs patch bullseye bookworm upstream

Dear maintainer:

During an archive rebuild of all packages in bookworm,
this package failed to build:

make[4]: Entering directory 
'/<>/tests/auto/external_IODevice/tst_client'
/<>/tests/auto/external_IODevice/tst_client/target_wrapper.sh  
./tst_external_IODevice
* Start testing of tst_clientSSL *
Config: Using QtTest library 5.15.8, Qt 5.15.8 (x86_64-little_endian-lp64 
shared (dynamic) release build; by GCC 12.2.0), debian 12
PASS   : tst_clientSSL::initTestCase()
FAIL!  : tst_clientSSL::testRun() 'socketClient->waitForEncrypted(-1)' returned 
FALSE. ()
   Loc: [tst_client.cpp(77)]
QWARN  : tst_clientSSL::testRun() QProcess: Destroyed while process 
("/<>/tests/auto/external_IODevice/sslTestServer/sslTestServer") 
is still running.
PASS   : tst_clientSSL::cleanupTestCase()
Totals: 2 passed, 1 failed, 0 skipped, 0 blacklisted, 267ms
* Finished testing of tst_clientSSL *
make[4]: *** [Makefile:356: check] Error 1
make[4]: Leaving directory 
'/<>/tests/auto/external_IODevice/tst_client'
make[3]: *** [Makefile:431: sub-tst_client-check_ordered] Error 2
make[3]: Leaving directory '/<>/tests/auto/external_IODevice'
make[2]: *** [Makefile:1329: sub-external_IODevice-check] Error 2
make[2]: Leaving directory '/<>/tests/auto'
dh_auto_test: error: make -j1 check -Ctests/auto LD_LIBRARY_PATH=/<>/lib 
QML2_IMPORT_PATH=/<>/test_root/usr/lib/x86_64-linux-gnu/qt5/qml returned exit 
code 2
make[1]: *** [debian/rules:31: override_dh_auto_test-arch] Error 25
make[1]: Leaving directory '/<>'
make: *** [debian/rules:11: build-arch] Error 2
dpkg-buildpackage: error: debian/rules build-arch subprocess returned exit 
status 2

You can get a full build log from reproducible builds:

https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/qtremoteobjects-everywhere-src.html

This happens because the SSL certificates in the tests have expired.
This can be checked by doing this:

cd tests/auto/external_IODevice/cert
for a in *; do openssl x509 -noout -enddate -in $a; done

The output from bookworm contains this:

notAfter=May 30 11:33:55 2023 GMT
notAfter=Jun 10 11:33:55 2023 GMT
notAfter=May 30 11:33:55 2023 GMT

and the output for bullseye (where it also fails) contains this:

notAfter=Jul  2 09:32:51 2023 GMT
notAfter=Jul  2 09:32:50 2023 GMT
notAfter=Jul  2 09:32:51 2023 GMT

I'm attaching two patches to fix this.

The first one modifies the script tests/auto/external_IODevice/cert/generate.sh
so that certificates expire in ten years.

The second patch is merely the result of running the script.

Note: The patches are relative to the version in trixie/sid,
where this problem should be fixed first.

Thanks.

commit 6699c65d1b7a891d16cab082e4e0c7d083568f34
Author: Santiago Vila 
Date:   Sun Dec 3 22:36:00 2023 +0100

generate.sh: Create SSL certificates with a more realistic expiration date.

Ten years will cover the lifetime of this release as stable, oldstable,
LTS, and some additional extra time (there is really no need for the tests
to fail just the day after LTS ends).

diff --git a/tests/auto/external_IODevice/cert/generate.sh b/tests/auto/external_IODevice/cert/generate.sh
index b79c862..2de1651 100644
--- a/tests/auto/external_IODevice/cert/generate.sh
+++ b/tests/auto/external_IODevice/cert/generate.sh
@@ -30,7 +30,7 @@
 # Generate the CA key
 openssl genrsa -out rootCA.key 2048
 # Generate the CA cert
-openssl req -x509 -key rootCA.key -out rootCA.pem -sha256 -nodes -subj "/CN=QtRO CA" -days 836
+openssl req -x509 -key rootCA.key -out rootCA.pem -sha256 -nodes -subj "/CN=QtRO CA" -days 3651
 
 # genFiles stem [extra args to signing]
 genFiles () {
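Review bot: The CA lifetime on the "openssl req -x509" line becomes 3651 days, one more than the 3650 used for the leaf certificates in genFiles, and nothing in the script says why the two numbers differ. Add a comment that rootCA.pem must not expire before the certificates it signs, or set the lifetime once in a variable and derive the CA value from it, so that a later edit to one number cannot leave the leaves outliving the CA.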
@@ -42,7 +42,7 @@ genFiles () {
 openssl req -new -key $stem.key -out $stem.csr -subj "/CN=127.0.0.1"
 # Generate and sign the certificate
 openssl x509 -req -in $stem.csr -out $stem.crt \
- -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -days 825 -sha256 "$@"
+ -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -days 3650 -sha256 "$@"
 # Delete the signing request, no longer needed
 rm $stem.csr
 }
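Review bot: "-days 3650" on the signing line still bakes a fixed expiry into the generated files, so the same test failure comes back once these certificates lapse; the commit message accepts that, but the script does not record it. Add a comment above genFiles stating that the output stops validating after that period and that generate.sh has to be re-run and the results committed before then.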
commit d9da85818f9bf50a72a371eb1453979432902065
Author: Santiago Vila 
Date:   Sun Dec 3 22:44:00 2023 +0100

Regenerate SSL certificates using the updated generate.sh script.

diff --git a/examples/remoteobjects/ssl/sslserver/cert/client.crt b/examples/remoteobjects/ssl/sslserver/cert/client.crt
index ec85263..4622c5d 100644
--- a/examples/remoteobjects/ssl/sslserver/cert/client.crt
+++ b/examples/remoteobjects/ssl/sslserver/cert/client.crt
@@ -1,17 +1,17 @@
 -BEGIN CERTIFICATE-
-MIICrTCCAZUCFHOQggvUf1o8c5i3yNyiGLNcLC4tMA0GCSqGSIb3DQEBCwUAMBIx
-EDAOBgNVBAMMB1F0Uk8gQ0EwHhcNMjMxMjAzMjAwMTQ5WhcNMjYwMzA3MjAwMTQ5
+MIICrTCCAZUCFHOQggvUf1o8c5i3yNyiGLNcLC4vMA0GCSqGSIb3DQEBCwUAMBIx
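
The expiry check from the report, turned into a check that can run before the test suite. This is an added example, not part of the original messages or of the Qt sources. The function names, the leafN.* file names and the five-year horizon are assumptions; the sample certificates are constructed on the fly with the two leaf lifetimes that appear in the patch (825 and 3650 days).

```shell
#!/bin/sh
# Added example (not from the bug report or the Qt sources).
# Flags fixture certificates that will expire within a support horizon.

# Print every X.509 certificate in DIR ($1) that expires within DAYS ($2).
expiring_certs() {
    dir=$1
    days=$2
    for f in "$dir"/*; do
        # Keys and serial files live beside the certs; skip what is not a cert.
        openssl x509 -noout -in "$f" 2>/dev/null || continue
        # -checkend N exits non-zero when notAfter is less than N seconds away.
        if ! openssl x509 -noout -checkend "$((days * 86400))" \
                -in "$f" >/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample data: two self-signed certificates for CN=127.0.0.1 with
# the old (825) and new (3650) leaf lifetimes from the patch. The leafN.*
# file names are hypothetical.
make_sample_certs() {
    dir=$1
    for days in 825 3650; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=127.0.0.1" -days "$days" \
            -keyout "$dir/leaf$days.key" -out "$dir/leaf$days.crt" 2>/dev/null
    done
}

# Demo: assume a five-year support horizon (1825 days, an assumption).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample_certs "$tmp"
echo "Expiring within 1825 days:"
expiring_certs "$tmp" 1825
```

In a package build, the same function can be pointed at tests/auto/external_IODevice/cert with the number of days the release is expected to be supported, and the build can stop if it prints anything.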