Conversation

@vcsjones
Member

Backport of #121450 to release/10.0

cc @bartonjs

Customer Impact

These are test only changes. These changes react to more environments in CI rejecting certificate chains that use an RSA+SHA-1 root certificate.

  • Customer reported
  • Found internally

Regression

  • Yes
  • No

Testing

Tests that were failing are now passing in CI.

Risk

None, test only changes.

@vcsjones vcsjones added this to the 10.0.x milestone Nov 15, 2025
@vcsjones vcsjones requested a review from bartonjs November 15, 2025 17:58
@vcsjones vcsjones self-assigned this Nov 15, 2025
Copilot AI review requested due to automatic review settings November 15, 2025 17:58
@dotnet-policy-service
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Copilot finished reviewing on behalf of vcsjones November 15, 2025 18:00
@vcsjones
Member Author

For what it’s worth, this backported cleanly, but the backport command could not backport from a fork because my fork had some refs that were not available in the runtime repository. The patch applied just fine when both remotes were in the index.

Contributor

Copilot AI left a comment

Pull Request Overview

This PR backports certificate test data updates from the main branch to release/10.0, replacing an RSA+SHA-1 certificate chain (Baltimore CyberTrust Root) with an RSA+SHA-256 certificate chain (DigiCert Global Root G2) to address CI test failures due to increasing SHA-1 rejection in test environments.

  • Updates test certificate chain from Baltimore CyberTrust Root to DigiCert Global Root G2
  • Adjusts test data including hostnames, verification times, and expected cryptographic values
  • Removes platform-specific workarounds no longer needed with the new certificate

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| MatchesHostnameTests.cs | Updates test hostnames to match SANs in new certificate (e.g., www.microsoft.com.au, copilot.ai, yarp.dot.net) |
| AuthorityKeyIdentifierTests.cs | Updates expected authority key identifier hex values to match new certificate chain |
| CollectionTests.cs | Updates verification times from 2021-02-26 to 2025-12-25 to fall within new certificate validity period |
| ChainTests.cs | Updates verification times throughout tests, removes SHA-1 signature support checks, simplifies platform detection logic |
| TestData.cs | Replaces MicrosoftDotComSslCertBytes, MicrosoftDotComIssuerBytes, and MicrosoftDotComRootBytes with new certificate chain data |

@bartonjs bartonjs added the Servicing-consider Issue for next servicing release review label Nov 15, 2025
@bartonjs
Member

@artl93 Test-only change

@jeffhandley
Member

/ba-g Unrelated failures with "This is a helix work item crash with status: DeadLetter"

@rbhanda rbhanda added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Nov 18, 2025
@rbhanda rbhanda modified the milestones: 10.0.x, 10.0.2 Nov 18, 2025
@rbhanda rbhanda added the NO-MERGE The PR is not ready for merge yet (see discussion for detailed reasons) label Nov 18, 2025
@ViktorHofer ViktorHofer removed the NO-MERGE The PR is not ready for merge yet (see discussion for detailed reasons) label Nov 18, 2025
@ViktorHofer
Member

This is tell-mode only. Merge at any time.

@ViktorHofer ViktorHofer modified the milestones: 10.0.2, 10.0.x Nov 18, 2025
@vcsjones
Member Author

> Merge at any time.

I don't know who has permission to do this, but it's not me.

@ViktorHofer ViktorHofer merged commit b9d8d8f into release/10.0 Nov 19, 2025
99 of 107 checks passed
@ViktorHofer ViktorHofer deleted the backport-121450 branch November 19, 2025 21:12
@ViktorHofer ViktorHofer modified the milestones: 10.0.x, 10.0.2 Nov 21, 2025
Labels

area-System.Security Servicing-approved Approved for servicing release
