net48 and net6 #422
net48 and net6 #422
Conversation
| @@ -186,7 +186,7 @@ static bool HasPrivateKey(X509Certificate2 certificate2) | |||
| { | |||
| try | |||
| { | |||
| return certificate2.HasPrivateKey && certificate2.PrivateKey != null; | |||
| return certificate2.GetRSAPrivateKey() != null; | |||
There was a problem hiding this comment.
Changed due to the PrivateKey property supposedly not working in .net framework with EphemeralKeySet.
Keys loaded in this manner are almost always loaded via Windows CNG. Therefore, callers must access the private key by calling extension methods, such as cert.GetRSAPrivateKey(). The X509Certificate2.PrivateKey property does not function.
I'm assuming GetECDsaPrivateKey doesn't come into play here. There's only reference to RSA.
There was a problem hiding this comment.
Also TODO: Add a comment that this may be reverted to .PrivateKey once .NET framework is dropped entirely. Will use this change to trigger the final build before merge.
There was a problem hiding this comment.
Does this TODO need action?
There was a problem hiding this comment.
Yeah that was confusing. Looking at it again, no action needed.
| @@ -103,7 +103,7 @@ static X509Certificate2 FromBase64String(string? thumbprint, string certificateS | |||
| } | |||
| } | |||
|
|
|||
| #if NET472_OR_GREATER || NETCOREAPP || NETSTANDARD | |||
| #if NETCOREAPP || NETSTANDARD | |||
There was a problem hiding this comment.
This used to be bypassed as we were targeting net452, but breaks net48. With EphemeralKeySet the cert loses the private key once added to the key store. As per the doc
Since the keys are not persisted to disk, certificates loaded with this flag are not good candidates to add to an X509Store.
There was a problem hiding this comment.
This essentially allows us to keep the same behaviour as net452
|
Github still configured to wait for a status from the "real" tentacle project in teamcity. Thinking once the PR is ready, we update the main build first to target net48, then get a green build and merge. Here's a green build on the cloned project - https://build.octopushq.com/buildConfiguration/TeamFireAndMotion_OctopusTentacleNet48_SensibleDefaultsChainFullChain/5907122?hideProblemsFromDependencies=false&hideTestsFromDependencies=false&expandBuildChangesSection=true&expandPull+Request+Details=true |
| <PackageReference Include="FluentAssertions" Version="6.7.0" /> | ||
| <PackageReference Include="Assent" Version="1.8.2" /> | ||
| <PackageReference Include="NUnit" Version="3.13.3" /> | ||
| <PackageReference Include="NUnit3TestAdapter" Version="4.2.1" /> |
There was a problem hiding this comment.
Taking the opportunity to update some test packages. No non-test dependencies were changed.
veochen-octopus
force-pushed
the
veo/net48
branch
from
08ba578 to
5a7098f
Compare
|
What kind of customer comms are we doing? Does that need to happen before this is merged? |
@tothegills I think @octokhor is handling the comms side of things. Given the change of plan, I'll piggyback the net6 changes onto this PR as well so we end up with only 1 major/minor version bump. Moving PR back to draft for now. |
veochen-octopus
force-pushed
the
veo/net48
branch
2 times, most recently
from
2d1a73f to
1d1767c
Compare
| @@ -70,7 +70,7 @@ class InMemoryCryptoKeyNixSource : ICryptoKeyNixSource | |||
| readonly byte[] iv; | |||
| public InMemoryCryptoKeyNixSource() | |||
| { | |||
| var d = new RijndaelManaged(); | |||
| var d = Aes.Create(); | |||
There was a problem hiding this comment.
RijndaelManaged obsolete. All references changed to Aes.Create
| @@ -97,7 +97,7 @@ X509Certificate2 Generate(string fullName, bool exportable) | |||
| using (var ms = new MemoryStream()) | |||
| { | |||
| store.Save(ms, exportpw.ToCharArray(), random); | |||
| var platformSpecificX509KeyStorageFlags = PlatformDetection.IsRunningOnMac ? X509KeyStorageFlags.DefaultKeySet : X509KeyStorageFlags.EphemeralKeySet; | |||
| var platformSpecificX509KeyStorageFlags = PlatformDetection.IsRunningOnNix ? X509KeyStorageFlags.EphemeralKeySet : X509KeyStorageFlags.DefaultKeySet; | |||
There was a problem hiding this comment.
Don't think EphemeralKeySet works with Windows at all. See other change.
| BlockSize = 128, | ||
| Key = key | ||
| }; | ||
| var provider = Aes.Create(); |
There was a problem hiding this comment.
Another obsolete. Updated to current standard.
|
|
||
| static bool HasFlagEphemeralKeySet(X509KeyStorageFlags flags) | ||
| { | ||
| return flags.HasFlag(X509KeyStorageFlags.EphemeralKeySet); | ||
| return !PlatformDetection.IsRunningOnWindows && flags.HasFlag(X509KeyStorageFlags.EphemeralKeySet); |
There was a problem hiding this comment.
This is based on the assumption that EphemeralKeySet doesn't work with Windows. See the issue mentioned in the comment - dotnet/runtime#23749. Halibut uses SslStream which in the current version of Windows is not compatible with EphemeralKeySet causing authentication to fail, on Windows tentacles only. All signs are suggesting this only works with Linux.
|
Not sure about the best way to update the teamcity build. There are quite a few changes to be made and it's hard to keep track of them. Thinking probably the easiest is to replace the old tentacle project with the new one and make sure everything has the correct names and ids, get a green build and merge. |
|
|
||
| WORKDIR /tmp | ||
| RUN msiexec /i Octopus.Tentacle.%BUILD_NUMBER%-x64.msi /qn /l*v Tentacle-Installation.log | ||
| COPY _artifacts/tentacle "${INSTALLATION_FOLDER}" |
There was a problem hiding this comment.
This is the only way I've found that works with COPY and Windows paths that contain spaces, i.e. with an ARG. Open to suggestions.
|
It'd be worth creating an Octopus Server branch, updating the Tentacle version and running the Octopus Server test suite. |
|
|
||
| <PropertyRef Id="NETFRAMEWORK45" /> | ||
| <PropertyRef Id="NETFRAMEWORK40FULLINSTALLROOTDIR" /> | ||
| <Condition Message="This application requires Microsoft .NET Framework 4.5 Runtime in order to run. Please install the .NET Framework and then run this installer again."><![CDATA[Installed OR NETFRAMEWORK45]]></Condition> |
There was a problem hiding this comment.
I don't think this message about .NET framework 4.5 is still true
There was a problem hiding this comment.
🤔 I think this was auto generated. Let me see where it got this information from.
There was a problem hiding this comment.
Can I please get some help on this? Don't want to dump too much time into learning Wix (can do that later). But from what I can see from the manual, there's no good replacement for NETFRAMEWORK45 for net48. This is wix v3. Not sure about v4.
Also found a snippet in their source code that has both similar and very different settings. A little confused...
| @@ -91,8 +91,9 @@ public void ComplexTypeGetsHandledCorrectly() | |||
| var store = new InMemoryKeyValueStore(mapper); | |||
|
|
|||
| var settings = store.TryGet<TestConfig[]>("Test"); | |||
| settings.value.Single().SettingA.Should().Be("some value", "strings should get parsed"); | |||
| settings.value.Single().SomethingElse.Should().Be(12, "ints should get parsed"); | |||
| settings.value.Should().NotBeNull(); | |||
There was a problem hiding this comment.
The null check is an important assertion
| @@ -38,34 +38,40 @@ public string CheckServerCommunicationsIsOpen(Uri serverAddress, IWebProxy? prox | |||
|
|
|||
| Retry("Checking that server communications are open", () => | |||
| { | |||
| #pragma warning disable DE0003 | |||
| // TODO see if can deal with SYSLIB0014 | |||
There was a problem hiding this comment.
Is this TODO still to do? What are the plans for doing it?
There was a problem hiding this comment.
Removing this TODO. Fix would be to properly inject an HttpClient (or the factory) and go async from there. Treating it as out of scope for now, as it might not be a local change. But important to address later on. Ideally make tentacle more async overall.
| @@ -186,7 +186,7 @@ static bool HasPrivateKey(X509Certificate2 certificate2) | |||
| { | |||
| try | |||
| { | |||
| return certificate2.HasPrivateKey && certificate2.PrivateKey != null; | |||
| return certificate2.GetRSAPrivateKey() != null; | |||
There was a problem hiding this comment.
Does this TODO need action?
| @@ -9,13 +9,13 @@ public static class AssemblyExtensions | |||
| public static string GetFileVersion(this Assembly assembly) | |||
| { | |||
| var fileVersionInfo = FileVersionInfo.GetVersionInfo(assembly.FullLocalPath()); | |||
| return fileVersionInfo.FileVersion; | |||
| return fileVersionInfo.FileVersion ?? ""; | |||
There was a problem hiding this comment.
Is "" a good backup value?
There was a problem hiding this comment.
Good question. We could return "0.0.0". It would be more friendly to the semantic version parser. But it would also hide the fact that there is no version. Thinking about the responsibility of this method, should it know what a good default is? Maybe we should simply return a string? and let the consumer decide what they want to use as the default. For example
// SemanticVersionInfo.cs
SemanticVersion = SemanticVersion.Parse(assembly.GetInformationalVersion() ?? "0.0.0");
// OctopusTentacle.cs
public static readonly string InformationalVersion = AssemblyExtensions.GetInformationalVersion(Assembly) ?? "Unknown";
|
Main changes
Green build on the server referencing this tentacle build Remaining discussion points
Future work
|
| @@ -85,8 +85,7 @@ void RunLinuxPackageTestsFor(TestConfigurationOnLinuxDistribution testConfigurat | |||
| new TestConfigurationOnLinuxDistribution(NetCore, "linux-x64", "debian:oldstable-slim", "deb"), | |||
| new TestConfigurationOnLinuxDistribution(NetCore, "linux-x64", "debian:stable-slim", "deb"), | |||
| new TestConfigurationOnLinuxDistribution(NetCore, "linux-x64", "linuxmintd/mint19.3-amd64", "deb"), | |||
| // new TestConfigurationOnLinuxDistribution(NetCore, "linux-x64", "ubuntu:latest", "deb"), // 22.04 doesn't support netcore, https://github.com/dotnet/core/issues/7038 | |||
| // new TestConfigurationOnLinuxDistribution(NetCore, "linux-x64", "ubuntu:rolling", "deb"), // 22.04 doesn't support netcore, https://github.com/dotnet/core/issues/7038 | |||
| new TestConfigurationOnLinuxDistribution(NetCore, "linux-x64", "ubuntu:jammy", "deb"), // 22.04 | |||
There was a problem hiding this comment.
It's helpful to test against latest and rolling because they alert us to problems that are not caught by testing the explicit versions.
There was a problem hiding this comment.
I've added these back and turned them on. I assume when this starts to fail, we'll disable them again until we're ready for the next upgrade?
This reverts commit 7219917.
veochen-octopus
force-pushed
the
veo/net48
branch
from
9ded67d to
533e51e
Compare
|
This pull request has been linked to Shortcut Story #27468: Target .NET Core 6 in Tentacle. |
|
This pull request has been linked to Shortcut Story #12030: Target .NET framework 4.8 in Tentacle. |
This reverts commit cd4af33.
Background
net452is end of support and is preventing us from getting security patches both in the framework itself and 3rd party libraries.net6is also required.Results
Fixes [sc-12030]
Fixes [sc-27468]
Fixes #424
Before
After
How to review this PR
Quality ✔️
Pre-requisites