Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package aws-c-http for openSUSE:Factory checked in at 2026-01-13 21:29:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/aws-c-http (Old) and /work/SRC/openSUSE:Factory/.aws-c-http.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "aws-c-http" Tue Jan 13 21:29:05 2026 rev:23 rq:1326830 version:0.10.9 Changes: -------- --- /work/SRC/openSUSE:Factory/aws-c-http/aws-c-http.changes 2026-01-09 17:06:57.160606826 +0100 +++ /work/SRC/openSUSE:Factory/.aws-c-http.new.1928/aws-c-http.changes 2026-01-13 21:29:14.822773668 +0100 @@ -1,0 +2,7 @@ +Fri Jan 9 13:22:08 UTC 2026 - John Paul Adrian Glaubitz <[email protected]> + +- Update to 0.10.9 + * Automate the renew of the cert used in test by @TingDaoK in (#540) + * Revert "Fix CI issues" by @azkrishpy in (#542) + +------------------------------------------------------------------- Old: ---- v0.10.8.tar.gz New: ---- v0.10.9.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ aws-c-http.spec ++++++ --- /var/tmp/diff_new_pack.h4zvPt/_old 2026-01-13 21:29:15.566804369 +0100 +++ /var/tmp/diff_new_pack.h4zvPt/_new 2026-01-13 21:29:15.570804534 +0100 @@ -20,7 +20,7 @@ %define library_version 1.0.0 %define library_soversion 1_0_0 Name: aws-c-http -Version: 0.10.8 +Version: 0.10.9 Release: 0 Summary: C99 implementation of the HTTP/1.1 and HTTP/2 specifications License: Apache-2.0 ++++++ v0.10.8.tar.gz -> v0.10.9.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-http-0.10.8/.github/workflows/cert-renewal.yml new/aws-c-http-0.10.9/.github/workflows/cert-renewal.yml --- old/aws-c-http-0.10.8/.github/workflows/cert-renewal.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/aws-c-http-0.10.9/.github/workflows/cert-renewal.yml 2026-01-07 00:27:34.000000000 +0100 @@ -0,0 +1,145 @@ +name: Certificate Renewal + +on: + schedule: + # Run on the 1st of every month at 00:00 UTC + # GitHub Actions doesn't support "every 800 days" directly, + # so we check monthly if renewal is needed + - cron: '0 0 1 * *' + workflow_dispatch: # Allow manual triggering + +permissions: + contents: write + pull-requests: write + +jobs: + check-and-renew-certificates: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Check certificate expiration + id: check-cert + run: | + # Get the expiration date of the current certificate + CERT_FILE="tests/resources/unittests.crt" + + if [ ! -f "$CERT_FILE" ]; then + echo "Certificate file not found!" + echo "needs_renewal=true" >> $GITHUB_OUTPUT + exit 0 + fi + + # Get certificate expiration date in seconds since epoch + EXPIRY_DATE=$(openssl x509 -enddate -noout -in "$CERT_FILE" | cut -d= -f2) + EXPIRY_EPOCH=$(date -d "$EXPIRY_DATE" +%s 2>/dev/null || date -j -f "%b %d %H:%M:%S %Y %Z" "$EXPIRY_DATE" +%s) + + # Get current date in seconds since epoch + CURRENT_EPOCH=$(date +%s) + + # Calculate days until expiration + DAYS_UNTIL_EXPIRY=$(( ($EXPIRY_EPOCH - $CURRENT_EPOCH) / 86400 )) + + echo "Certificate expires in $DAYS_UNTIL_EXPIRY days" + + # Renew if less than 30 days until expiration + # This gives us buffer time before the 825-day Apple limit + if [ $DAYS_UNTIL_EXPIRY -lt 30 ]; then + echo "Certificate needs renewal (less than 30 days until expiration)" + echo "needs_renewal=true" >> $GITHUB_OUTPUT + else + echo "Certificate is still valid" + echo "needs_renewal=false" >> $GITHUB_OUTPUT + fi + + - name: Install OpenSSL + if: steps.check-cert.outputs.needs_renewal == 'true' + run: | + sudo apt-get update + sudo apt-get install -y openssl + + - name: Regenerate certificates + if: steps.check-cert.outputs.needs_renewal == 'true' + working-directory: tests/resources + run: | + # Regenerate the certificate (824 days to stay under Apple's 825-day limit) + openssl req -x509 -new -key unittests.key -config unittests.conf -out unittests.crt -days 824 + + # Regenerate the PKCS#12 bundle with macOS-compatible encryption + # Using SHA1 and 3DES instead of modern algorithms that macOS Security Framework doesn't support + openssl pkcs12 -export -out unittests.p12 -inkey unittests.key -in unittests.crt -password pass:1234 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 + + # Verify the new certificate + echo "New certificate details:" + openssl x509 -in unittests.crt -noout -dates -subject + + - name: Check for changes + if: steps.check-cert.outputs.needs_renewal == 'true' + id: check-changes + run: | + if git diff --quiet tests/resources/unittests.crt tests/resources/unittests.p12; then + echo "No changes detected" + echo "has_changes=false" >> $GITHUB_OUTPUT + else + echo "Changes detected" + echo "has_changes=true" >> $GITHUB_OUTPUT + fi + + - name: Create Pull Request + if: steps.check-cert.outputs.needs_renewal == 'true' && steps.check-changes.outputs.has_changes == 'true' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + # Configure git + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + + # Create branch + BRANCH_NAME="cert-renewal-${{ github.run_number }}" + git checkout -b "$BRANCH_NAME" + + # Stage and commit changes + git add tests/resources/unittests.crt tests/resources/unittests.p12 + git commit -m "chore: renew test certificates for 824 days + + Automatically regenerated test certificates to comply with Apple's + 825-day certificate lifetime requirement. + + Generated using: + - openssl req -x509 -new -key unittests.key -config unittests.conf -out unittests.crt -days 824 + - openssl pkcs12 -export -out unittests.p12 -inkey unittests.key -in unittests.crt -password pass:1234 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 + + 🤖 Assisted by GenAI" + + # Push branch + git push origin "$BRANCH_NAME" + + # Create pull request using GitHub CLI + gh pr create \ + --title "chore: renew test certificates" \ + --body "## Certificate Renewal + + This PR automatically renews the test certificates in \`tests/resources/\`. + + ### Changes + - Updated \`tests/resources/unittests.crt\` (renewed for 824 days) + - Updated \`tests/resources/unittests.p12\` (PKCS#12 bundle) + + ### Background + Apple requires that certificate lifetimes be 825 days or less. These certificates are used in unit tests that create TLS connections between localhost server and client. + + ### Verification + The certificates were regenerated using the commands documented in \`tests/resources/unittests.readme\`: + \`\`\`bash + openssl req -x509 -new -key unittests.key -config unittests.conf -out unittests.crt -days 824 + openssl pkcs12 -export -out unittests.p12 -inkey unittests.key -in unittests.crt -password pass:1234 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 + \`\`\` + + ### Testing + Please verify that the unit tests pass with the new certificates before merging. + + --- + 🤖 This PR was automatically generated by the certificate renewal workflow." \ + --base main \ + --head "$BRANCH_NAME" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-http-0.10.8/.github/workflows/ci.yml new/aws-c-http-0.10.9/.github/workflows/ci.yml --- old/aws-c-http-0.10.8/.github/workflows/ci.yml 2025-12-22 23:34:40.000000000 +0100 +++ new/aws-c-http-0.10.9/.github/workflows/ci.yml 2026-01-07 00:27:34.000000000 +0100 @@ -206,6 +206,8 @@ runs-on: macos-14 strategy: fail-fast: false + matrix: + eventloop: ["kqueue", "dispatch_queue"] steps: - uses: aws-actions/configure-aws-credentials@v4 with: @@ -248,6 +250,8 @@ runs-on: macos-14 strategy: fail-fast: false + matrix: + eventloop: ["kqueue", "dispatch_queue"] steps: - uses: aws-actions/configure-aws-credentials@v4 with: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-http-0.10.8/tests/resources/README new/aws-c-http-0.10.9/tests/resources/README --- old/aws-c-http-0.10.8/tests/resources/README 1970-01-01 01:00:00.000000000 +0100 +++ new/aws-c-http-0.10.9/tests/resources/README 2026-01-07 00:27:34.000000000 +0100 @@ -0,0 +1,23 @@ +# README FOR unittests.* files + +These files are used in unit tests that create TLS connections between a +localhost server and client. We use a single self-signed certificate which +serves as both the server's certificate and the client's root CA. + +* unittests.key: private key +* unittests.crt: self-signed certificate +* unittests.conf: configuration for generating unittests.crt +* unittests.p12: pkcs#12 file bundling the certificate and private key. Password is "1234" + +Apple won't trust any certificate whose lifetime is over 825 days. +Once it expires unit tests will start failing and it will need to be updated like so: + +```sh +$ openssl req -x509 -new -key unittests.key -config unittests.conf -out unittests.crt -days 824 +$ openssl pkcs12 -export -out unittests.p12 -inkey unittests.key -in unittests.crt -password pass:1234 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 +``` + +Note: +1. The PKCS#12 command uses SHA1 and 3DES encryption for macOS compatibility. Modern OpenSSL 3.x defaults to algorithms that macOS Security Framework cannot import. Thus, force it fallback to use the algo that the current macOS Security Framework supports. +2. .github/workflows/cert-renewal.yml serves to automatically renew the certifications and runs every month to check if the cert is closer to expire. +If new cert added/changed/removed, the automation scripts also need to be updated accordingly. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-http-0.10.8/tests/resources/unittests.readme new/aws-c-http-0.10.9/tests/resources/unittests.readme --- old/aws-c-http-0.10.8/tests/resources/unittests.readme 2025-12-22 23:34:40.000000000 +0100 +++ new/aws-c-http-0.10.9/tests/resources/unittests.readme 1970-01-01 01:00:00.000000000 +0100 @@ -1,19 +0,0 @@ ---- README FOR unittests.* files --- - -These files are used in unit tests that create TLS connections between a -localhost server and client. We use a single self-signed certificate which -serves as both the server's certificate and the client's root CA. - -unittests.key: private key -unittests.crt: self-signed certificate -unittests.conf: configuration for generating unittests.crt -unittests.p12: pkcs#12 file bundling the certificate and private key. Password is "1234" - -Apple won't trust any certificate whose lifetime is over 825 days. -Once it expires unit tests will start failing and it will need to be updated like so: - -$ openssl req -x509 -new -key unittests.key -config unittests.conf -out unittests.crt -days 824 -$ openssl pkcs12 -export -out unittests.p12 -inkey unittests.key -in unittests.crt -password pass:1234 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 - -Note: The PKCS#12 command uses SHA1 and 3DES encryption for macOS compatibility. -Modern OpenSSL 3.x defaults to algorithms that macOS Security Framework cannot import. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-http-0.10.8/tests/test_connection.c new/aws-c-http-0.10.9/tests/test_connection.c --- old/aws-c-http-0.10.8/tests/test_connection.c 2025-12-22 23:34:40.000000000 +0100 +++ new/aws-c-http-0.10.9/tests/test_connection.c 2026-01-07 00:27:34.000000000 +0100 @@ -735,11 +735,14 @@ tester.wait_client_connection_num = 1; tester.wait_server_connection_num = 1; +#ifndef __APPLE__ /* Server side ALPN doesn't work for MacOS */ ASSERT_FAILS(s_tester_wait(&tester, s_tester_connection_setup_pred)); /* Assert that we have the negotiated protocol and error returned from callback */ ASSERT_TRUE(aws_byte_buf_eq_c_str(&tester.negotiated_protocol, customized_alpn_string)); ASSERT_INT_EQUALS(aws_last_error(), AWS_ERROR_HTTP_UNSUPPORTED_PROTOCOL); - +#else + ASSERT_SUCCESS(s_tester_wait(&tester, s_tester_connection_setup_pred)); +#endif /* clean up */ release_all_client_connections(&tester); release_all_server_connections(&tester); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-http-0.10.8/tests/test_proxy.c new/aws-c-http-0.10.9/tests/test_proxy.c --- old/aws-c-http-0.10.8/tests/test_proxy.c 2025-12-22 23:34:40.000000000 +0100 +++ new/aws-c-http-0.10.9/tests/test_proxy.c 2026-01-07 00:27:34.000000000 +0100 @@ -344,15 +344,8 @@ /* * For tls-enabled tunneling proxy connections: * Test the happy path by verifying CONNECT request, tls upgrade attempt - * TODO: This test is temporarily disabled on Apple platforms following a breaking change - * due to migration to the new Apple Network Framework. Investigations underway for rethinking - * proxy implementation on Apple platforms. Test should be re-enabled post-fix. */ static int s_test_https_tunnel_proxy_connection_success(struct aws_allocator *allocator, void *ctx) { -#if defined(AWS_OS_APPLE) - (void)allocator; - return AWS_OP_SKIP; -#endif (void)ctx; struct mocked_proxy_test_options options = {
