Prepare for release 0.23.0 #2426

Closed
dengert opened this issue Nov 2, 2021 · 22 comments

@dengert
Member

dengert commented Nov 2, 2021

As proposed in note from OpenSC developers, release 0.23.0 will follow a security release 0.22.1.

The intent is to add to master, current PRs and address issues long before a release is created. By adding these early they will get additional testing by developers and users. In the past we have waited until a release candidate was announced to add last minute changes.

The initial list of ToDo's include those that appear to be ready to add or need to be addressed.

Please, let me know if we missed something or if there is something which should go in before release.
@OpenSC/opensc-maintainers, @OpenSC/core, @OpenSC/maintainers,


Draft release notes (thanks Veronika!):

General improvements

PKCS#11

pkcs11-tool

sc-hsm-tool

Minidriver

NQ-Applet

ItaCNS

Belpic

Starcos

ePass2003

MyEID

GIDS

OpenPGP

nPA

@dengert dengert added this to To do in Release 0.23.0 Nov 2, 2021
@dlegaultbbry
Contributor

Hello,

Is there a timeline somewhere for this new version because the current one is broken when trying to compile against openssl 3.0.X.

For example, I'm currently blocked on this: f214e65

But I'm sure I'll stumble on other issues after that one.

@dengert
Member Author

dengert commented Apr 1, 2022

@frankmorgner @Jakuje when do you expect to have the next release? It has been almost 5 months since this issue was created.

@dengert
Member Author

dengert commented Apr 1, 2022

@dlegaultbbry Are you compiling against a specific release or from github master?

@dlegaultbbry
Contributor

@dengert I'm using 0.22 currently but was doing so with openssl 1.1.1. We're moving to 3.0 which is now an official release and LTS version, hence why I'm asking.

@Jakuje
Member

Jakuje commented Apr 1, 2022

I think we should do it before the summer so in coming months, if possible. The last release was in August (time flies) and since then we had over 400 commits in master.

In https://github.com/OpenSC/OpenSC/projects/10 there are noteworthy changes around formatting and around PIV SM, which I agree that they should go in. I added also #2473 which would be great to have, but I am not sure if I have enough expertise to decide the design is correct, but it looks reasonable.

@dengert
Member Author

dengert commented Apr 1, 2022

@Jakuje I agree it needs to be done, the sooner the better. I am not pushing for PIV SM to be in next release. I would rather have it committed after the next release. I don't like seeing big changes added just before a release. (But I am not doing the release and am happy with Frank and you doing it.)

I would like to see #2506 and #2518 in next release. And maybe #2523 but would like @metsma and @vletoux to look at it closer as it deals with how the minidriver is installed which caused the ECC code not to work on Windows.

@dlegaultbbry was specifically asking about OpenSSL 3.0 changes. I think we have most of them committed except for #2506.

@xhanulik
Contributor

xhanulik commented Jul 12, 2022

Here is a draft of release notes for the upcoming release with https://github.com/OpenSC/OpenSC/projects/10 and other changes since the last release. Feel free to fix/remove what I've missed or propose other relevant PRs.


General improvements

PKCS#11

pkcs11-tool

sc-hsm-tool

Minidriver

NQ-Applet

ItaCNS

Belpic

Starcos

ePass2003

MyEID

GIDS

OpenPGP

nPA

@dlegaultbbry
Contributor

Any eta on the release of this new version?

@Jakuje
Member

Jakuje commented Sep 24, 2022

> Any eta on the release of this new version?

I would love to get the RC out in coming weeks, rather earlier than later. I do not think there is any huge outstanding work, but just testing and possible small fixes if something will not work well.

@Jakuje
Member

Jakuje commented Oct 11, 2022

@OpenSC/maintainers Just published the rc1 release: https://github.com/OpenSC/OpenSC/releases/tag/0.23.0-rc1 and would be glad for testing.

@frankmorgner For some reason, it looks like the macos builds are not propagated to the artifacts repo and the push_artifacts step of CI is not doing anything for me so we don't have the macos binaries. I can probably pull them from the CI artifacts, but in any case, this is something we need either to update instructions or fix the pipelines ... it looks like there is missing the GH_TOKEN. Not sure if only for me or for anyone else too.

@dengert
Member Author

dengert commented Oct 12, 2022

https://github.com/OpenSC/Nightly/tree/2022-10-11_a3b5f8d0

When downloaded to Windows 11, OpenSC-0.23.0-rc1_win64.msi is only 211 KB, but previous 0.22.0 builds are more like 16,501 KB and attempt to install says: "This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows installer package".

The OpenSC-0.22.0_win64.msi is also 211 KB. But since a3b5f8d changes version numbers, OpenSC-0.22.0_win64.msi does not make any sense as the source is now 0.23.0-rc1.

Looks like a version number needs to be changed in more places. But I don't see where.

win32 versions have the same issue.

@Jakuje
Member

Jakuje commented Oct 12, 2022

@dengert oh, the 0.22.0 builds are from the CI invoked by the push, while the 0.23.0 are from the tag. I copied to https://github.com/OpenSC/OpenSC/releases/tag/0.23.0-rc1 the old ones, even though the code should be really the same. Let me fix that.

When I download the files from https://github.com/OpenSC/Nightly/archive/2022-10-11_a3b5f8d0.zip I got much larger files -- how did you download them?

@dengert
Member Author

dengert commented Oct 12, 2022

I went to https://github.com/OpenSC/Nightly/tree/2022-10-11_a3b5f8d0 at 7:10 AM (GMT-5) and downloaded: https://github.com/OpenSC/Nightly/blob/2022-10-11_a3b5f8d0/OpenSC-0.23.0-rc1_win64.msi which was 211 KB.

Now at 10:13 AM I downloaded the same file and it is 16,339 KB. I must have caught it while it was being updated?

That matches what is in the zip file, and it installs.

@frankmorgner
Member

I think the confusion about the file naming is caused by using a lightweight tag for the RC. The Release Howto explains to use git tag -a ... for the final release to avoid this problem. I think for last RCs we manually pulled the correct files from CI, because we wanted git describe to show the last official release...

@frankmorgner
Member

for macos, the installer is available for download in this job https://github.com/OpenSC/OpenSC/actions/runs/3226517878

@Jakuje
Member

Jakuje commented Oct 13, 2022

> for macos, the installer is available for download in this job https://github.com/OpenSC/OpenSC/actions/runs/3226517878

Thanks. I was not sure if it was supposed to work this way or not. Just pulled the dmg from the tarball and attached it to the release. But it is missing the -rc1 suffix so I will try the next time with the annotated tag. I probably wrongly thought that this was needed only for the final release.

@Jakuje
Member

Jakuje commented Oct 14, 2022

FYI, the wiki is now open for anyone to edit. I already filled my test results in https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing#opensc-0230 and would appreciate others to fill their results too (especially windows and mac installers, but also other cards).

@dengert
Member Author

dengert commented Oct 17, 2022

The windows install/uninstall was tested on Windows 11. Before the install, any previous OpenSC packages were uninstalled.

NIST "Beta Test Cards" (from 2010) were used to test the minidriver.

  • Card 1 is a GemAlto "PIV 1.5.5 DLv1" with RSA 2048 keys
  • Card 5 is an Oberthur ID-One PIV with EC p-256 authentication keys and EC p-384 for signature and key management keys.

Commands used to list and/or test include:

  • certutil -v -SCinfo (which appears to try and test any certificates listed in user MY store that are from smartcards)
  • certutil -store -user MY (To list all the certificates in user's MY store)
  • certutil -v -store -user MY ID (To test a specific certificate, where ID is the certificate number from previous command. Windows will request the smart card be inserted. ID can be other fields. See: certutil -store -?)
  • control panel->Internet Options->Content->Certificates->Personal (list certs in "MY")
  • mmc (as user) with the snap-in for Certificates for "My user account"
  • mmc (as admin) with the snap-in for Certificates for other stores.

The main changes to minidriver were from #2523. People provided suggested fixes, but no one reported testing the PR with other cards with ECC keys. I would hope vendors such as @CardContact would test this with their devices with EC keys.

To test with PIV cards:

  • I imported the registry entries listed at the end below.

  • I found an issue with "user-consent" when using PIV signature certificate. So added pin_cache_ignore_user_consent = true; to opensc.cnf for 64 and 32 bit. This may apply to other cards as well.

app cardmod {
	framework pkcs15 {
		# use_file_caching = public;
		pin_cache_ignore_user_consent = true;
	}
}

  • P:8364; T:1500 2022-10-15 07:55:11.867 [cardmod] No ECC key found (keyspec=3) would show up in output of certutil -v -store -user MY 0 with an all EC key card. This may be because it is looking for private keys before prompting for PIN. The test did end with "Signature test passed". Further investigation is needed.

Notes:

  • To use ECC keys, Minidriver fixes for ECC keys #2523 modified the card-piv.c to add the curveName OID to calls to _sc_card_add_ec_alg but only for PIV. This may be needed by other drivers. (No one reported any problems with other cards, but no one reported testing Minidriver fixes for ECC keys #2523 either.)
  • OpenSC registry entries for minidriver are not added automatically for PIV cards. Most (if not all) card vendors provide their own minidrivers and support "Plug-and-Play" (see: https://learn.microsoft.com/en-us/windows-hardware/drivers/smartcard/discovery-process). Thus for most cards the OpenSC minidriver is not needed. Where the OpenSC minidriver may still be needed is when users load an applet on to some token or the vendor is depending on OpenSC for the minidriver.
  • Microsoft also provides a builtin PIV minidriver which uses SELECT AID command to test if card is PIV. But as best I can tell the built in PIV support does not support ECC keys. But as noted above most (if not all) PIV card vendors provide "Plug-and-Play".
  • Windows fetched intermediate CA certificates and added them to "MY" store. In real situations these should be moved to intermediate CA store and the Trusted stores (after verifying if these are correct or not.)

Registry entries for the two types of cards. The cards used may be different in other sets of "Beta" or "Demo" cards. In my set, two were Gemalto, the rest Oberthur ID-One PIV.
Use these as examples. "OpenSC-Comment" is not used by any code, but added as a comment with my initials DEE. The name of the registry entry will show up in some popup windows to insert a specific type of card. And may be used to verify the correct card is inserted.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\NIST DEMO GemAlto 1.5.5 test cards]
"ATR"=hex:3b,7d,96,00,00,80,31,80,65,b0,83,11,17,d6,83,00,90,00
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"OpenSC-Comment"="modified to use OpenSC CSP DEE"
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="C:\\Program Files\\OpenSC Project\\OpenSC\\minidriver\\opensc-minidriver.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\SmartCards\NIST DEMO GemAlto 1.5.5 test cards]
"ATR"=hex:3b,7d,96,00,00,80,31,80,65,b0,83,11,17,d6,83,00,90,00
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"OpenSC-Comment"="modified to use OpenSC CSP DEE"
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="C:\\Program Files (x86)\\OpenSC Project\\OpenSC\\minidriver\\opensc-minidriver.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\NIST DEMO Oberthur test cards]
"ATR"=hex:3b,df,96,00,81,b1,fe,45,1f,83,80,73,cc,91,cb,f9,a0,00,00,03,08,00,00,10,00,79
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"OpenSC-Comment"="modified to use OpenSC CSP DEE"
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="C:\\Program Files\\OpenSC Project\\OpenSC\\minidriver\\opensc-minidriver.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\SmartCards\NIST DEMO Oberthur test cards]
"ATR"=hex:3b,df,96,00,81,b1,fe,45,1f,83,80,73,cc,91,cb,f9,a0,00,00,03,08,00,00,10,00,79
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"OpenSC-Comment"="modified to use OpenSC CSP DEE"
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="C:\\Program Files (x86)\\OpenSC Project\\OpenSC\\minidriver\\opensc-minidriver.dll"

pkcs11-tool -O and pkcs11-tool --test --login both work as expected.
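
Added example, not part of the comment above and not OpenSC code: Windows picks the Calais registry entry, and with it the minidriver DLL named in "80000001", whose stored ATR equals the card's ATR ANDed with ATRMask. The Python below applies that rule to a .reg fragment and also reports entries that can never match; the GemAlto entry is copied from the comment, while the two "CONSTRUCTED" entries, their DLL paths and all function names are assumptions made for illustration.

```python
import re

# First entry is copied from the comment above; the other two are constructed
# for this example (a masked entry and a deliberately unmatchable one).
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\NIST DEMO GemAlto 1.5.5 test cards]
"ATR"=hex:3b,7d,96,00,00,80,31,80,65,b0,83,11,17,d6,83,00,90,00
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"80000001"="C:\\Program Files\\OpenSC Project\\OpenSC\\minidriver\\opensc-minidriver.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\CONSTRUCTED masked entry]
"ATR"=hex:3b,df,96,00
"ATRMask"=hex:ff,ff,ff,00
"80000001"="C:\\constructed\\vendor-minidriver.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\CONSTRUCTED broken entry]
"ATR"=hex:3b,00,00,01
"ATRMask"=hex:ff,ff,ff,00
"80000001"="C:\\constructed\\other.dll"
'''

def parse_entries(text):
    """Return {card name: {"ATR": bytes, "ATRMask": bytes, "dll": str}}."""
    entries, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r'\[.*\\SmartCards\\(.+)\]', line):
            cur = entries.setdefault(m.group(1), {})
        elif cur is not None and (m := re.fullmatch(r'"(ATR|ATRMask)"=hex:([0-9a-f,]+)', line)):
            cur[m.group(1)] = bytes.fromhex(m.group(2).replace(",", ""))
        elif cur is not None and (m := re.fullmatch(r'"80000001"="(.*)"', line)):
            cur["dll"] = m.group(1).replace("\\\\", "\\")  # undo .reg escaping
    return entries

def matches(card_atr, entry):
    """Card matches iff lengths agree and (card ATR & mask) == registered ATR."""
    atr, mask = entry["ATR"], entry["ATRMask"]
    return (len(card_atr) == len(atr) == len(mask)
            and bytes(c & m for c, m in zip(card_atr, mask)) == atr)

def minidrivers_for(card_atr, entries):
    """Names and DLL paths of every entry that claims this ATR."""
    return [(n, e.get("dll")) for n, e in entries.items() if matches(card_atr, e)]

def unmatchable(entries):
    """Entries whose ATR has bits outside the mask (or bad lengths) never match."""
    return [n for n, e in entries.items() if not matches(e["ATR"], e)]
```

More than one name returned by `minidrivers_for` means overlapping entries claim the same card, which is worth reviewing because each entry can point at a different DLL.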

@Jakuje
Member

Jakuje commented Nov 9, 2022

@dengert I read that it works ok for you. Can you update the release testing wiki page on https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing#opensc-0230

I did another RC today. Anyone who would like to test or provide feedback is welcome to do so. I would like to fix remaining fuzzing issues and do the release in coming weeks (rather earlier than later).

https://github.com/OpenSC/OpenSC/releases/tag/0.23.0-rc2

@dengert
Member Author

dengert commented Nov 13, 2022

> @dengert I read that it works ok for you. Can you update the release testing wiki page on https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing#opensc-0230

Done for -.23.0-rc1.

@Jakuje
Member

Jakuje commented Nov 22, 2022

Thanks. If there will be no other feedback, testing and comments nor objections, I would like to cut off and build the final release this week.

@Jakuje Jakuje pinned this issue Nov 22, 2022
@Jakuje
Member

Jakuje commented Nov 29, 2022

The new version was released today. Thanks everyone for the contributions, testing and reporting issues!

https://github.com/OpenSC/OpenSC/releases/tag/0.23.0

@Jakuje Jakuje closed this as completed Nov 29, 2022
Release 0.23.0 automation moved this from To do to Done Nov 29, 2022
@Jakuje Jakuje unpinned this issue Nov 29, 2022