TT#155450 github/coverity: provide workaround for incomplete SSL chain

The recent SSL certificate change on https://scan.coverity.com/ causes
an incomplete SSL chain setup, as the "Entrust Certification Authority -
L1K" certificate isn't included:

| % curl --verbose https://scan.coverity.com/download/cxx/linux64
| *   Trying 45.60.34.99:443...
| * Connected to scan.coverity.com (45.60.34.99) port 443 (#0)
| [...]
| * TLSv1.3 (OUT), TLS alert, unknown CA (560):
| * SSL certificate problem: unable to get local issuer certificate
| * Closing connection 0
| curl: (60) SSL certificate problem: unable to get local issuer certificate
| More details here: https://curl.se/docs/sslcerts.html
|
| % echo | openssl s_client -connect scan.coverity.com:443 2>/dev/null
| CONNECTED(00000003)
| ---
| Certificate chain
|  0 s:C = US, ST = California, L = Mountain View, O = "Synopsys, Inc.", CN = scan.coverity.com
|    i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
| ---
| Server certificate
| [...]
| subject=C = US, ST = California, L = Mountain View, O = "Synopsys, Inc.", CN = scan.coverity.com
|
| issuer=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
|
| ---
| No client certificate CA names sent
| Peer signing digest: SHA256
| Peer signature type: RSA-PSS
| Server Temp Key: X25519, 253 bits
| ---
| SSL handshake has read 2301 bytes and written 373 bytes
| Verification error: unable to verify the first certificate
| ---
| New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
| Server public key is 2048 bit
| Secure Renegotiation IS NOT supported
| Compression: NONE
| Expansion: NONE
| No ALPN negotiated
| Early data was not sent
| Verify return code: 21 (unable to verify the first certificate)
| ---

We informed Coverity about it, but unless this gets fixed we
need a workaround for this, otherwise we have failing GitHub
actions due to failing downloads of
https://scan.coverity.com/download/cxx/linux64.

Change-Id: I53ccac2745bfc80d229598f669312aa5722ed50b
mika/coverity
Michael Prokop 4 years ago
parent 11549cc3a2
commit 6ccb8fd789

@ -29,7 +29,11 @@ jobs:
- name: Get coverity scan
run: |
curl -o cov-analysis.tgz \
# scan.coverity.com uses an incomplete certificate chain, so provide intermediate cert
curl -o entrust_l1k.cer https://web.entrust.com/root-certificates/entrust_l1k.cer
curl \
--cacert ./entrust_l1k.cer \
-o cov-analysis.tgz \
$COVERITY_SCAN_PROG_URL \
--form project=$COVERITY_SCAN_PROJECT_NAME \
--form token=$COVERITY_SCAN_TOKEN
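Review bot: the `curl -o entrust_l1k.cer https://web.entrust.com/root-certificates/entrust_l1k.cer` line fetches the certificate at run time with no integrity check, and the following `--cacert ./entrust_l1k.cer` then makes that file the CA store for the request that sends `$COVERITY_SCAN_TOKEN`. Consider committing the certificate to the repository, or comparing its SHA-256 fingerprint against a pinned value before it is used. Adding `--fail` to the fetch would also stop an HTTP error page from being saved as `entrust_l1k.cer`, which would otherwise show up as a confusing CA error in the next command. It is worth confirming the downloaded `.cer` is PEM-encoded, since `--cacert` expects PEM.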
@ -45,8 +49,11 @@ jobs:
- name: Submit result
run: |
# scan.coverity.com uses an incomplete certificate chain, so provide intermediate cert
curl -o entrust_l1k.cer https://web.entrust.com/root-certificates/entrust_l1k.cer
tar cfz cov-int.tar.gz cov-int
curl \
--cacert ./entrust_l1k.cer \
https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME \
--form token=$COVERITY_SCAN_TOKEN \
--form email=$COVERITY_SCAN_NOTIFICATION_EMAIL \
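Review bot: the comment and the `curl -o entrust_l1k.cer ...` fetch at the top of "Submit result" duplicate the lines already added to "Get coverity scan". If both steps run in the same job and workspace, the file from the earlier step is still on disk, so fetching it once in a dedicated step removes a second network dependency and leaves only one place to edit. Since the commit message describes this as a workaround pending a fix on the server side, the comment could also carry the ticket reference (TT#155450) so the `--cacert` lines are easy to find and remove once the chain is complete again.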
