From 1e5f33d1f8d63fafcf21777afe8927153a8a3dcc Mon Sep 17 00:00:00 2001
From: Daniel Stone
Date: Mon, 15 Mar 2021 20:41:30 +0000
Subject: [PATCH] CI: Try really hard to get updated Windows TLS certs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Windows doesn't actually distribute a full TLS CA certificate store, but pulls them in over time with Windows Update. Try to prime it by manually pulling the certificates and installing them. This bumps the Windows tag to force a rebuild.
Acked-by: Michel Dänzer
Part-of:
(cherry picked from commit e6aacec9e101d6ce91513cb4cdf3361748d0f48e)
Conflicts: .gitlab-ci.yml
---
 .gitlab-ci.yml | 2 +-
 .gitlab-ci/windows/mesa_deps.ps1 | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7ec646e7514..692ef930ccb 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -445,7 +445,7 @@ armhf_test:
 .windows-docker-vs2019:
 variables:
- WINDOWS_TAG: "2021-01-29"
+ WINDOWS_TAG: "2021-03-15-tls"
 WINDOWS_IMAGE: "$CI_REGISTRY_IMAGE/windows/x64_build:${WINDOWS_TAG}-${MESA_TEMPLATES_COMMIT}"
 WINDOWS_UPSTREAM_IMAGE: "$CI_REGISTRY/$FDO_UPSTREAM_REPO/windows/x64_build:${WINDOWS_TAG}-${MESA_TEMPLATES_COMMIT}"
diff --git a/.gitlab-ci/windows/mesa_deps.ps1 b/.gitlab-ci/windows/mesa_deps.ps1
index 7bea163588f..79c9a061dea 100644
--- a/.gitlab-ci/windows/mesa_deps.ps1
+++ b/.gitlab-ci/windows/mesa_deps.ps1
@@ -1,3 +1,14 @@
+# Download new TLS certs from Windows Update
+Get-Date
+Write-Host "Updating TLS certificate store"
+$certdir = (New-Item -ItemType Directory -Name "_tlscerts")
+certutil -syncwithWU "$certdir"
+Foreach ($file in (Get-ChildItem -Path "$certdir\*" -Include "*.crt")) {
+ Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root
+}
+Remove-Item -Recurse -Path $certdir
+
+
 Get-Date
 Write-Host "Installing Chocolatey"
 Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
@@ -41,7 +52,7 @@ if (!$?) {
 # we want more secure TLS 1.2 for most things, but it breaks SourceForge
 # downloads so must be done after Chocolatey use
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13;
 Get-Date
 Write-Host "Cloning LLVM master"
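Review bot: Nothing after `certutil -syncwithWU "$certdir"` checks whether the sync succeeded, so a failed or partial download leaves the loop with few or no `.crt` files and the image is built with the stale store and no error. The script already uses an `if (!$?) {` guard elsewhere (it shows in the next hunk's header); a matching check here, such as `if ($LASTEXITCODE -ne 0) { Write-Host "Failed to sync certificates from Windows Update"; Exit 1 }`, would make that failure visible. Every `.crt` found in `_tlscerts` is then installed into `Cert:\LocalMachine\Root`, so a comment above the loop saying that trust in these files rests on what certutil fetched would help whoever audits the image later. `Import-Certificate` could also take `-ErrorAction Stop` so that a rejected file does not pass silently.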
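Review bot: The comment kept above the changed assignment still says "we want more secure TLS 1.2", while the new value allows TLS 1.3 as well; it should be updated along the lines of `# we want TLS 1.2 or newer for most things, but it breaks SourceForge`. `[Net.SecurityProtocolType]::Tls13` is only defined on newer .NET Framework releases, so it is worth confirming on the image's runtime that the expression yields the intended flags, and noting that requirement in the same comment.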