rnpgp · ni4 · May 3, 2024 · May 2, 2023 · May 3, 2023 · May 3, 2023
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -23,17 +23,17 @@
 # POSSIBILITY OF SUCH DAMAGE.
 
 freebsd_instance:
-  image: freebsd-12-3-release-amd64
+  image: freebsd-13-2-release-amd64
 
 task:
   name: build
   only_if: $CIRRUS_BRANCH == 'main' || $CIRRUS_BRANCH =~ 'release/.*' || $CIRRUS_PR != ''
   skip: "!changesInclude('.cirrus.yml') && changesIncludeOnly('/*.sh', '/.*', '/_*', 'Brewfile', 'docs/**', '**.adoc', '**.md', '**.nix', 'flake.lock', '.github/**') || $CIRRUS_CHANGE_MESSAGE =~ '.*skip ci.*'"
   env:
     matrix:
-      - { CIRRUS_CLONE_SUBMODULES: true, CRYPTO_BACKEND: openssl, CRYPTO_LIB_INSTALL: openssl, SHARED_LIBS: on   }
-      - { CIRRUS_CLONE_SUBMODULES: true, CRYPTO_BACKEND: botan,   CRYPTO_LIB_INSTALL: botan2,  SHARED_LIBS: on   }
-      - { CIRRUS_CLONE_SUBMODULES: true, CRYPTO_BACKEND: botan,   CRYPTO_LIB_INSTALL: botan2,  SHARED_LIBS: off  }
+      - { CIRRUS_CLONE_SUBMODULES: true, CRYPTO_BACKEND: openssl, CRYPTO_LIB_INSTALL: openssl, SHARED_LIBS: on,  RNP_LOG_CONSOLE: 1 }
+      - { CIRRUS_CLONE_SUBMODULES: true, CRYPTO_BACKEND: botan,   CRYPTO_LIB_INSTALL: botan2,  SHARED_LIBS: on,  RNP_LOG_CONSOLE: 1 }
+      - { CIRRUS_CLONE_SUBMODULES: true, CRYPTO_BACKEND: botan,   CRYPTO_LIB_INSTALL: botan2,  SHARED_LIBS: off, RNP_LOG_CONSOLE: 1 }
 
   dependencies_script: |
     pkg install -y gcc cmake pkgconf googletest gnupg $CRYPTO_LIB_INSTALL json-c rubygem-asciidoctor

diff --git a/.github/workflows/centos-and-fedora.yml b/.github/workflows/centos-and-fedora.yml
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
@@ -5,13 +5,6 @@ on:
     # every day at 9:00 UTC
     - cron: '0 9 * * *'
 
-env:
-  CORES: 2
-  BUILD_MODE: normal
-  GPG_VERSION: stable
-  RNP_TESTS: ''
-  USE_STATIC_DEPENDENCIES: yes
-
 jobs:
   scan:
     runs-on: ubuntu-latest
@@ -21,43 +14,23 @@ jobs:
         with:
           fetch-depth: 1
           submodules: true
-      - name: Setup environment
-        run: |
-          . ci/gha/setup-env.inc.sh
-          ci/install_noncacheable_dependencies.sh
-      - name: Cache
-        id: cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ env.CACHE_DIR }}
-          key: ${{ github.workflow }}-${{ runner.os }}-${{ env.BUILD_MODE }}-gpg-${{ env.GPG_VERSION }}-${{ hashFiles('ci/**') }}-${{ hashFiles('.github/workflows/**') }}
-      - name: Build cache
-        if: steps.cache.outputs.cache-hit != 'true'
-        run: |
-          set -x
-          ci/install_cacheable_dependencies.sh botan jsonc
-      - name: Download Coverity
-        env:
-          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
-        run: |
-          wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=$GITHUB_REPOSITORY" -O cov-analysis-linux64.tar.gz
-          mkdir cov-analysis-linux64
-          tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
-      - name: Build
+
+      - name: Install dependencies
         run: |
-          set -x
-          export PATH="$PWD/cov-analysis-linux64/bin:$PATH"
-          cov-build --dir cov-int ci/main.sh
-      - name: Submit
-        env:
-          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+          sudo apt-get -y update
+          sudo apt-get -y install cmake libjson-c-dev libbotan-2-dev asciidoctor
+
+      - name: Configure
         run: |
-          tar czvf results.tgz cov-int
-          curl \
-            --form project=$GITHUB_REPOSITORY \
-            --form token=$TOKEN \
-            --form [email protected] \
-            --form [email protected] \
-            --form version=$GITHUB_REF \
-            --form description=$GITHUB_SHA \
-            https://scan.coverity.com/builds?project=$GITHUB_REPOSITORY
+          echo CORES="$(nproc --all)" >> $GITHUB_ENV
+          cmake -B build   -DBUILD_SHARED_LIBS=ON      \
+                           -DCRYPTO_BACKEND=botan      \
+                           -DDOWNLOAD_GTEST=ON         \
+                           -DCMAKE_BUILD_TYPE=Release  .
+
+      - name: Coverity Scan
+        uses: vapier/coverity-scan-action@v1
+        with:
+          email: [email protected]
+          token: ${{ secrets.COVERITY_SCAN_TOKEN }}
+          command: cmake --build build --parallel $CORES
diff --git a/.github/workflows/debian.yml b/.github/workflows/debian.yml
@@ -38,101 +38,71 @@ env:
   LANG: C.UTF-8
   LC_ALL: C.UTF-8
   LC_LANG: C.UTF-8
-  CMAKE_VER: '3.20.6-2'
-  BUILD_MODE: normal
-  GPG_VERSION: stable
-  SUDO: ""
-  USE_STATIC_DEPENDENCIES: yes
   RNP_LOG_CONSOLE: 1
 
 jobs:
   tests:
-    name: ${{ matrix.image.container }} [CC ${{ matrix.env.CC }}; backend ${{ matrix.image.backend }}; GnuPG stable]
+    name: ${{ matrix.image.container }} [CC ${{ matrix.env.CC }}; backend ${{ matrix.image.backend }}; GnuPG system-shipped]
     runs-on: ubuntu-latest
     if: "!contains(github.event.head_commit.message, 'skip ci')"
     timeout-minutes: 120
     strategy:
       fail-fast: false
       matrix:
         image:
-          - { container: 'i386/debian:11',  cpu: 'i386',   arch: 'ia32',   backend: 'botan'   }
-          - { container: 'i386/debian:11',  cpu: 'i386',   arch: 'ia32',   backend: 'openssl' }
-          - { container: 'amd64/debian:11', cpu: 'x86_64', arch: 'x64',    backend: 'botan'   }
-          - { container: 'amd64/debian:11', cpu: 'x86_64', arch: 'x64',    backend: 'openssl' }
-          - { container: 'i386/debian:10',  cpu: 'i386',   arch: 'ia32',   backend: 'botan'   }
+          - { container: 'debian-11-i386',  cpu: 'i386',   backend: 'botan'   }
+          - { container: 'debian-11-i386',  cpu: 'i386',   backend: 'openssl' }
+          - { container: 'debian-11-amd64', cpu: 'x86_64', backend: 'botan'   }
+          - { container: 'debian-11-amd64', cpu: 'x86_64', backend: 'openssl' }
+          - { container: 'debian-12-amd64', cpu: 'x86_64', backend: 'botan'   }
+          - { container: 'debian-12-amd64', cpu: 'x86_64', backend: 'openssl' }
+          - { container: 'debian-10-i386',  cpu: 'i386',   backend: 'botan'   }
         env:
           - { CC: 'gcc',   CXX: 'g++'     }
           - { CC: 'clang', CXX: 'clang++' }
 
-    container: ${{ matrix.image.container }}
+    container: ghcr.io/rnpgp/ci-rnp-${{ matrix.image.container }}
 
     env: ${{ matrix.env }}
     steps:
-      - name: Install prerequisites
-        run: |
-          apt update
-          apt -y install git sudo wget
-
-      - name: Setup environment
-        shell: bash
-        # rnpuser is only needed for rnpkeys_generatekey_verifykeyHomeDirNoPermission test
-        run: |
-          set -x
-          echo IMAGE=${{ matrix.image.container }} >> $GITHUB_ENV
-          echo CPU=${{ matrix.image.cpu }} >> $GITHUB_ENV
-          echo CRYPTO_BACKEND=${{ matrix.image.backend }} >> $GITHUB_ENV
-          echo "SUDO=sudo" >> $GITHUB_ENV
-          useradd rnpuser
-          printf "\nrnpuser\tALL=(ALL)\tNOPASSWD:\tALL" > /etc/sudoers.d/rnpuser
-          printf "\nrnpuser\tsoft\tnproc\tunlimited\n" > /etc/security/limits.d/30-rnpuser.conf
-
       - name: Checkout on x86_x64
-        if: env.CPU == 'x86_64'
+        if: matrix.image.cpu == 'x86_64'
         uses: actions/checkout@v3
         with:
           submodules: true
 
       - name: Checkout on i386
-        if: env.CPU == 'i386'
+        if: matrix.image.cpu == 'i386'
         uses: actions/checkout@v1
         with:
           submodules: true
 
-      - name: Install cmake
-        run: |
-          wget -nv https://github.com/xpack-dev-tools/cmake-xpack/releases/download/v${{ env.CMAKE_VER }}/xpack-cmake-${{ env.CMAKE_VER }}-linux-${{ matrix.image.arch }}.tar.gz
-          tar -zxf xpack-cmake-${{ env.CMAKE_VER }}-linux-${{ matrix.image.arch }}.tar.gz --directory /usr/local --strip-components=1 --skip-old-files
-
-      - name: Setup noncacheable dependencies
+      - name: Setup environment
         shell: bash
+        # rnpuser is only needed for rnpkeys_generatekey_verifykeyHomeDirNoPermission test
         run: |
-          . ci/gha/setup-env.inc.sh
-          ci/install_noncacheable_dependencies.sh
-
-      - name: Cache
-        id: cache
-        uses: actions/cache@v3
-        if: env.CPU == 'x86_64'
-        with:
-          path: ${{github.workspace}}/${{ env.CACHE_DIR }}
-          key: ${{ matrix.image.container }}-${{ matrix.env.CC }}-${{ matrix.image.backend }}-${{ hashFiles('ci/**') }}-${{ hashFiles('.github/workflows/debian.yml') }}
+          useradd rnpuser
+          printf "\nrnpuser\tALL=(ALL)\tNOPASSWD:\tALL" > /etc/sudoers.d/rnpuser
+          printf "\nrnpuser\tsoft\tnproc\tunlimited\n" > /etc/security/limits.d/30-rnpuser.conf
 
-      - name: Setup cacheable dependencies
-        if: steps.cache.outputs.cache-hit != 'true'
-        shell: bash
+      - name: Configure
         run: |
-          set -euxo pipefail
-          ci/install_cacheable_dependencies.sh
+          cmake -B build                                           \
+                -DBUILD_SHARED_LIBS=ON                             \
+                -DCRYPTO_BACKEND=${{ matrix.image.backend }}       \
+                -DDOWNLOAD_GTEST=ON                                \
+                -DCMAKE_BUILD_TYPE=Release                         .
 
-      - name: Build and Test
-        shell: bash
+      - name: Build
+        run: cmake --build build --parallel ${{ env.CORES }}
+
+      - name: Test
         run: |
-          set -x
+          mkdir -p "build/Testing/Temporary"
+          cp "cmake/CTestCostData.txt" "build/Testing/Temporary"
+          export PATH="$PWD/build/src/lib:$PATH"
           chown -R rnpuser:rnpuser $PWD
-          exec su rnpuser -c ci/run.sh
+          exec su rnpuser -c "ctest --parallel ${{ env.CORES }} --test-dir build --output-on-failure"
 
       - name: Package
-        run: |
-          set -x
-          cd ${LOCAL_BUILDS}/rnp-build
-          cpack -G DEB -D CPACK_DEBIAN_PACKAGE_SHLIBDEPS_PRIVATE_DIRS="${BOTAN_INSTALL}/lib;${JSONC_INSTALL}/lib;${GPG_INSTALL}/lib"
+        run: cpack -G DEB -B debian --config build/CPackConfig.cmake
diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml
@@ -31,7 +31,7 @@ jobs:
       uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
       with:
         oss-fuzz-project-name: 'rnp'
-        fuzz-seconds: 1800
+        fuzz-seconds: 300
         dry-run: false
     - name: Upload Crash
       uses: actions/upload-artifact@v2

diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 [Ribose Inc](https://www.ribose.com).
+# Copyright (c) 2023-2024 [Ribose Inc](https://www.ribose.com).
 # All rights reserved.
 # This file is a part of rnp
 #
@@ -57,7 +57,8 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  BOTAN_VERSION: 2.19.3
+  BOTAN_VERSION: 2.19.4
+  CORES: 3
 
 jobs:
   tests:
@@ -67,13 +68,14 @@ jobs:
       fail-fast: false
       matrix:
 # On MacOS gcc is alias of clang these days
-        os: [ macos-11, macos-12 ]
+        os: [ macos-12, macos-13, macos-14 ]
         backend: [ 'botan' ]
         shared_libs: [ 'on' ]
         include:
           - { os: 'macos-11', backend: '[email protected]', shared_libs: 'on' }
-          - { os: 'macos-12', backend: 'openssl@3', shared_libs: 'on' }
-          - { os: 'macos-12', backend: 'botan', shared_libs: 'off' }
+          - { os: 'macos-14', backend: 'openssl@3', shared_libs: 'on' }
+          - { os: 'macos-14', backend: 'botan', shared_libs: 'off' }
+          - { os: 'macos-14', backend: 'botan3', shared_libs: 'on' }
 
     if: "!contains(github.event.head_commit.message, 'skip ci')"
     timeout-minutes: 250
@@ -98,14 +100,6 @@ jobs:
           echo "OPENSSL_ROOT_DIR=$(brew --prefix openssl@3)" >> $GITHUB_ENV
           echo "CRYPTO_BACKEND=openssl" >> $GITHUB_ENV
 
-#      Brew installs Botan3 now and it is not supported yet
-#
-#      - name: Configure botan backend
-#        if: ${{ matrix.backend == 'botan' }}
-#        run: |
-#          echo "brew \"botan\"" >> Brewfile
-#          echo "CRYPTO_BACKEND=botan" >> $GITHUB_ENV
-
       - name: Install dependencies
         run: brew bundle
 
@@ -133,6 +127,11 @@ jobs:
           sudo make install
           cd ..
 
+      - name: Install Botan3
+        if:  matrix.backend == 'botan3'
+        run: |
+          brew install botan
+
       - name: Configure
         run: |
           echo "CORES=$(sysctl -n hw.ncpu)" >> $GITHUB_ENV
@@ -141,6 +140,7 @@ jobs:
                          -DCMAKE_BUILD_TYPE=Release                      \
                          -DCMAKE_INSTALL_PREFIX="$PWD/rnp-install"       \
                          -DDOWNLOAD_GTEST=OFF                            \
+                         -DCMAKE_CXX_FLAGS="-DS2K_MINIMUM_TUNING_RATIO=4"\
                          -DCRYPTO_BACKEND=${{ env.CRYPTO_BACKEND }}      .
 
       - name: Build

diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
@@ -39,7 +39,7 @@ jobs:
         with:
           fetch-depth: 1
           submodules: true
-      - uses: cachix/install-nix-action@v15
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - run: nix build .?submodules=1