From 6ccb8fd7891945d69499758ed80a30ebe15df77d Mon Sep 17 00:00:00 2001 
From: Michael Prokop
Date: Wed, 15 Dec 2021 08:09:17 +0100
Subject: [PATCH] TT#155450 github/coverity: provide workaround for incomplete SSL chain

The recent SSL certificate change on https://scan.coverity.com/ causes an
incomplete SSL chain setup, as the "Entrust Certification Authority - L1K"
certificate isn't included:

| % curl --verbose https://scan.coverity.com/download/cxx/linux64
| * Trying 45.60.34.99:443...
| * Connected to scan.coverity.com (45.60.34.99) port 443 (#0)
| [...]
| * TLSv1.3 (OUT), TLS alert, unknown CA (560):
| * SSL certificate problem: unable to get local issuer certificate
| * Closing connection 0
| curl: (60) SSL certificate problem: unable to get local issuer certificate
| More details here: https://curl.se/docs/sslcerts.html
|
| % echo | openssl s_client -connect scan.coverity.com:443 2>/dev/null
| CONNECTED(00000003)
| ---
| Certificate chain
| 0 s:C = US, ST = California, L = Mountain View, O = "Synopsys, Inc.", CN = scan.coverity.com
| i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
| ---
| Server certificate
| [...]
| subject=C = US, ST = California, L = Mountain View, O = "Synopsys, Inc.", CN = scan.coverity.com
|
| issuer=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
|
| ---
| No client certificate CA names sent
| Peer signing digest: SHA256
| Peer signature type: RSA-PSS
| Server Temp Key: X25519, 253 bits
| ---
| SSL handshake has read 2301 bytes and written 373 bytes
| Verification error: unable to verify the first certificate
| ---
| New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
| Server public key is 2048 bit
| Secure Renegotiation IS NOT supported
| Compression: NONE
| Expansion: NONE
| No ALPN negotiated
| Early data was not sent
| Verify return code: 21 (unable to verify the first certificate)
| ---

We informed coverity about it, but unless this gets fixed we need a
workaround for this, otherwise we have failing GitHub actions due to
failing downloads of https://scan.coverity.com/download/cxx/linux64.

Change-Id: I53ccac2745bfc80d229598f669312aa5722ed50b
---
 .github/workflows/coverity.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 353efc422..79f749b0f 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -29,7 +29,11 @@ jobs: - name: Get coverity scan run: | - curl -o cov-analysis.tgz \ + # scan.coverity.com uses an incomplete certificate chain, so provide intermediate cert + curl -o entrust_l1k.cer https://web.entrust.com/root-certificates/entrust_l1k.cer + curl \ + --cacert ./entrust_l1k.cer \ + -o cov-analysis.tgz \ $COVERITY_SCAN_PROG_URL \ --form project=$COVERITY_SCAN_PROJECT_NAME \ --form token=$COVERITY_SCAN_TOKEN
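Review bot: `--cacert ./entrust_l1k.cer` in the "Get coverity scan" step replaces curl's default CA bundle instead of extending it, so this download now trusts exactly one certificate, the L1K intermediate, and that intermediate is itself fetched from web.entrust.com on every run with no `--fail` and no integrity check. Two concrete consequences: if the Entrust fetch returns an error page, curl still writes it to entrust_l1k.cer and the real download then fails with a misleading certificate error; and once Coverity repairs its chain or moves to a different issuer, a bundle holding only this one certificate rejects the server and the workaround becomes the outage. It also relies on curl treating a non-root certificate in the CA file as a trust anchor (partial-chain verification, which curl enables on the OpenSSL backend in recent releases), since the L1K's own issuer is not in the file. Suggest `curl --fail --silent --show-error -o entrust_l1k.cer https://web.entrust.com/root-certificates/entrust_l1k.cer`, checking the result against a known value (`openssl x509 -in entrust_l1k.cer -noout -fingerprint -sha256`) or simply committing the PEM to the repository, and then appending it to the runner's default bundle (on an Ubuntu runner, `cat /etc/ssl/certs/ca-certificates.crt entrust_l1k.cer > ca-bundle.pem` and `--cacert ca-bundle.pem`) so the usual roots keep working. Worth confirming the file Entrust serves is PEM, since `--cacert` expects PEM; a DER download needs `openssl x509 -inform DER -in entrust_l1k.cer -out entrust_l1k.pem` first.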
@@ -45,8 +49,11 @@ jobs: - name: Submit result run: | + # scan.coverity.com uses an incomplete certificate chain, so provide intermediate cert + curl -o entrust_l1k.cer https://web.entrust.com/root-certificates/entrust_l1k.cer tar cfz cov-int.tar.gz cov-int curl \ + --cacert ./entrust_l1k.cer \ https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME \ --form token=$COVERITY_SCAN_TOKEN \ --form email=$COVERITY_SCAN_NOTIFICATION_EMAIL \
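Review bot: the "Submit result" step repeats the unchecked `curl -o entrust_l1k.cer https://web.entrust.com/root-certificates/entrust_l1k.cer` download; if both steps run in the same job the file from "Get coverity scan" is already in the workspace, so this is a second network dependency and a second place to edit when the workaround is removed, and if they are separate jobs the fetch still needs `--fail` and a fingerprint check like the first one. Suggest fetching and verifying the intermediate once in a dedicated earlier step and reusing it here. The `--cacert` concern from the first hunk applies with more weight on this request, because it carries `--form token=$COVERITY_SCAN_TOKEN`: trusting only the downloaded intermediate means a bad or stale entrust_l1k.cer turns every submission into a hard failure, whereas a bundle of the default roots plus the intermediate keeps verifying both now and after Coverity fixes its chain.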