On Thu, Jun 23, 2022 at 5:27 PM Martin Jansa <martin.ja...@gmail.com> wrote:

> On Tue, Jun 21, 2022 at 10:16 PM Alexander Kanavin <alex.kana...@gmail.com>
> wrote:
>
>> Signed-off-by: Alexander Kanavin <a...@linutronix.de>
>> ---
>>  ...wkmsDRI2Extension-instead-of-driDRI2.patch | 113 ++++++++++++++++++
>>  .../{mesa-gl_22.0.3.bb => mesa-gl_22.1.2.bb}  |   0
>>  meta/recipes-graphics/mesa/mesa.inc           |   3 +-
>>  .../mesa/{mesa_22.0.3.bb => mesa_22.1.2.bb}   |   0
>>  4 files changed, 115 insertions(+), 1 deletion(-)
>>  create mode 100644
>> meta/recipes-graphics/mesa/files/0001-swrast_kms-use-swkmsDRI2Extension-instead-of-driDRI2.patch
>>  rename meta/recipes-graphics/mesa/{mesa-gl_22.0.3.bb =>
>> mesa-gl_22.1.2.bb} (100%)
>>  rename meta/recipes-graphics/mesa/{mesa_22.0.3.bb => mesa_22.1.2.bb}
>> (100%)
>>
>
> FYI: in case more host systems are affected
>
> While building this, I've noticed
> WARNING: Failed to fetch URL
> https://mesa.freedesktop.org/archive/mesa-22.1.2.tar.xz, attempting
> MIRRORS if available
>
> log.do_fetch shows why:
>
> Resolving mesa.freedesktop.org... 147.75.198.156
> Connecting to mesa.freedesktop.org|147.75.198.156|:443... connected.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location: https://archive.mesa3d.org//mesa-22.1.2.tar.xz [following]
> --2022-06-23 12:29:58--  https://archive.mesa3d.org//mesa-22.1.2.tar.xz
> Resolving archive.mesa3d.org... 131.252.210.176,
> 2610:10:20:722:a800:ff:feda:470f
> Connecting to archive.mesa3d.org|131.252.210.176|:443... connected.
> ERROR: The certificate of ‘archive.mesa3d.org’ is not trusted.
> ERROR: The certificate of ‘archive.mesa3d.org’ doesn't have a known
> issuer.
>
> In a browser it's considered a valid certificate with issuer:
> Common Name (CN) R3
> Organization (O) Let's Encrypt
> Organizational Unit (OU) <Not Part Of Certificate>
>
> Do we need a ca-certificates update? But I guess it's a host issue (this was
> on gentoo with ca-certificates 20211016.3.79), on ubuntu 22.10 and debian
> 11.3 it works fine:
>
> Initiating SSL handshake.
> Handshake successful; connected socket 4 to SSL handle 0x000056094b80f8c0
> certificate:
>   subject: CN=archive.mesa3d.org
>   issuer:  CN=R3,O=Let's Encrypt,C=US
> X509 certificate successfully verified and matches host archive.mesa3d.org
>
> and in OE built image with:
> meta/recipes-support/ca-certificates/ca-certificates_20211016.bb
> I didn't get that far yet :)
>
> root@qemux86-64:~# wget
> https://mesa.freedesktop.org/archive/mesa-22.1.2.tar.xz
> Connecting to mesa.freedesktop.org (147.75.198.156:443)
> wget: note: TLS certificate validation not implemented
> Connecting to archive.mesa3d.org (131.252.210.176:443)
> wget: TLS error from peer (alert code 80): 80
> wget: error getting response: Connection reset by peer
>
> The --debug in gentoo wasn't showing the details about the certificate, just:
> Resolving archive.mesa3d.org... 131.252.210.176,
> 2610:10:20:722:a800:ff:feda:470f
> Caching archive.mesa3d.org => 131.252.210.176
> 2610:10:20:722:a800:ff:feda:470f
> Connecting to archive.mesa3d.org|131.252.210.176|:443... connected.
> Created socket 4.
> Releasing 0x000055e5d4567460 (new refcount 1).
> ERROR: The certificate of ‘archive.mesa3d.org’ is not trusted.
> ERROR: The certificate of ‘archive.mesa3d.org’ doesn't have a known
> issuer.
>
> Then I've disabled gnutls support in wget and now net-misc/wget-1.21.3-r1
> works fine again (like in ubuntu/debian):
>
> Resolving archive.mesa3d.org... 131.252.210.176,
> 2610:10:20:722:a800:ff:feda:470f
> Caching archive.mesa3d.org => 131.252.210.176
> 2610:10:20:722:a800:ff:feda:470f
> Connecting to archive.mesa3d.org|131.252.210.176|:443... connected.
> Created socket 4.
> Releasing 0x000055903f10ebd0 (new refcount 1).
> Initiating SSL handshake.
> Handshake successful; connected socket 4 to SSL handle 0x000055903f0f4e50
> certificate:
>   subject: CN=archive.mesa3d.org
>   issuer:  CN=R3,O=Let's Encrypt,C=US
> X509 certificate successfully verified and matches host archive.mesa3d.org
>
> I'll check how gnutls USE flag affects this, just in case someone is
> seeing a lot of downloads from mirror, check your wget.
>

Looks like it's caused by https://gitlab.com/gnutls/gnutls/-/issues/1131
and https://gitlab.com/gnutls/gnutls/-/issues/1335

mesa.freedesktop.org works but archive.mesa3d.org doesn't; gnutls-cli
shows why more clearly:

$ gnutls-cli mesa.freedesktop.org
Processed 136 CA certificate(s).
Resolving 'mesa.freedesktop.org:443'...
Connecting to '147.75.198.156:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=pages.freedesktop.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x03a7a60e015c33d4ea520f1703fe373b4df3, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-06-05 04:00:39 UTC', expires `2022-09-03 04:00:38 UTC', pin-sha256="NjMC418mQlGvPW2NxT5dwc97mvcIpiITkEN2o0bzAsc="
        Public Key ID:
                sha1:2cec883f93f73aba2709295790ca783cdf8de008
                sha256:363302e35f264251af3d6d8dc53e5dc1cf7b9af708a62213904376a346f302c7
        Public Key PIN:
                pin-sha256:NjMC418mQlGvPW2NxT5dwc97mvcIpiITkEN2o0bzAsc=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is trusted.
- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Session ID: 2D:A2:CA:0F:A3:0F:F3:D3:BE:B8:79:10:53:28:A0:78:C3:F8:C6:C8:5A:A8:13:00:DF:E2:85:AF:61:26:49:36
- Options:
- Handshake was completed


$ gnutls-cli archive.mesa3d.org
Processed 136 CA certificate(s).
Resolving 'archive.mesa3d.org:443'...
Connecting to '131.252.210.176:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=archive.mesa3d.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x034b691f41ef93f5d205f6678f5e065a9975, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-05-05 00:25:27 UTC', expires `2022-08-03 00:25:26 UTC', pin-sha256="qg5rLg63UE4MvpjUZp40sqzqc4YJH3Fc3yv9EKQKkD0="
        Public Key ID:
                sha1:8bbb9c1cef01c1ec2ae8c50bb720045e7a9427a2
                sha256:aa0e6b2e0eb7504e0cbe98d4669e34b2acea7386091f715cdf2bfd10a40a903d
        Public Key PIN:
                pin-sha256:qg5rLg63UE4MvpjUZp40sqzqc4YJH3Fc3yv9EKQKkD0=

- Certificate[1] info:
 - subject `CN=archive.mesa3d.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x034b691f41ef93f5d205f6678f5e065a9975, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-05-05 00:25:27 UTC', expires `2022-08-03 00:25:26 UTC', pin-sha256="qg5rLg63UE4MvpjUZp40sqzqc4YJH3Fc3yv9EKQKkD0="
- Certificate[2] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
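
In the second gnutls-cli output above, Certificate[0] and Certificate[1] show the same subject, serial and pin, so the server presents its leaf certificate twice. The following is an added example, not part of the original message: it parses gnutls-cli output and flags repeated chain entries and adjacent entries that do not link issuer to subject. The sample text (host name, serials, pins) is constructed, and `parse_chain` and `audit_chain` are hypothetical helper names.

```python
import re

# Constructed sample modelled on the gnutls-cli output in the message above;
# the host name, serials and pins are made up for illustration.
SAMPLE = """\
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=files.example.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x01aa, RSA key 2048 bits, pin-sha256="AAAA="
- Certificate[1] info:
 - subject `CN=files.example.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x01aa, RSA key 2048 bits, pin-sha256="AAAA="
- Certificate[2] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet
Security Research Group,C=US', serial 0x02bb, RSA key 2048 bits, pin-sha256="BBBB="
- Certificate[3] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US',
issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial
0x03cc, RSA key 4096 bits, pin-sha256="CCCC="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
"""

# The DN delimiters are matched as "', issuer `" and "', serial " because the
# names themselves may contain an apostrophe (O=Let's Encrypt).
CERT = re.compile(r"- Certificate\[(\d+)\] info: - subject `(.*?)', issuer `(.*?)', "
                  r"serial (0x[0-9a-f]+),.*?pin-sha256=\"([^\"]+)\"")

def parse_chain(text):
    """Return [(index, subject, issuer, serial, pin)] from gnutls-cli output."""
    flat = " ".join(text.split())  # undo terminal or e-mail line wrapping
    return [(int(i), s, iss, ser, pin) for i, s, iss, ser, pin in CERT.findall(flat)]

def audit_chain(text):
    """Flag repeated certificates and adjacent entries that do not link."""
    chain, seen, findings = parse_chain(text), {}, []
    for idx, _subject, issuer, serial, pin in chain:
        key = (issuer, serial, pin)
        if key in seen:
            findings.append(("duplicate", idx, seen[key]))
        seen.setdefault(key, idx)
    for a, b in zip(chain, chain[1:]):
        if a[2] != b[1]:  # issuer of entry a must be the subject of entry b
            findings.append(("unlinked", a[0], b[0]))
    return findings

if __name__ == "__main__":
    for finding in audit_chain(SAMPLE):
        print(finding)
```

To check a live server, pass the captured output of `gnutls-cli <host>` to `audit_chain` in place of `SAMPLE`.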