Merging so that Alex doesn't break me on the wheel like the OpenSSL 1…

….0.2u users (resolving historical discrepancies within my branch; custodial merge-commit-push)
pyca · Oct 6, 2020 · dc9cde7 · dc9cde7
2 parents 07b8132 + cd6f6b0
commit dc9cde7
Show file tree

Hide file tree

Showing 85 changed files with 1,668 additions and 566 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -18,11 +18,12 @@ jobs:
           - {VERSION: "2.7", TOXENV: "py27", EXTRA_CFLAGS: ""}
           - {VERSION: "3.5", TOXENV: "py35", EXTRA_CFLAGS: ""}
           - {VERSION: "3.8", TOXENV: "py38", EXTRA_CFLAGS: "-DUSE_OSRANDOM_RNG_FOR_TESTING"}
+          - {VERSION: "3.9.0-rc.1", TOXENV: "py39"}
     name: "Python ${{ matrix.PYTHON.VERSION }} on macOS"
     steps:
       - uses: actions/checkout@master
       - name: Setup python
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@v2
         with:
           python-version: ${{ matrix.PYTHON.VERSION }}
 
@@ -63,11 +64,12 @@ jobs:
           - {VERSION: "3.6", TOXENV: "py36", MSVC_VERSION: "2019", CL_FLAGS: ""}
           - {VERSION: "3.7", TOXENV: "py37", MSVC_VERSION: "2019", CL_FLAGS: ""}
           - {VERSION: "3.8", TOXENV: "py38", MSVC_VERSION: "2019", CL_FLAGS: "/D USE_OSRANDOM_RNG_FOR_TESTING"}
+          - {VERSION: "3.9.0-rc.1", TOXENV: "py39", MSVC_VERSION: "2019", CL_FLAGS: ""}
     name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}"
     steps:
       - uses: actions/checkout@master
       - name: Setup python
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@v2
         with:
           python-version: ${{ matrix.PYTHON.VERSION }}
           architecture: ${{ matrix.WINDOWS.ARCH }}
@@ -83,11 +85,12 @@ jobs:
       - name: Download OpenSSL
         run: |
             python .github/workflows/download_openssl.py windows openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}
-            echo "::set-env name=INCLUDE::C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/include;%INCLUDE%"
-            echo "::set-env name=LIB::C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/lib;%LIB%"
-            echo "::set-env name=CL::${{ matrix.PYTHON.CL_FLAGS }}"
+            echo "INCLUDE=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/include;$INCLUDE" >> $GITHUB_ENV
+            echo "LIB=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/lib;$LIB" >> $GITHUB_ENV
+            echo "CL=${{ matrix.PYTHON.CL_FLAGS }}" >> $GITHUB_ENV
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
       - run: git clone https://github.com/google/wycheproof
 
       - run: tox -r -- --color=yes --wycheproof-root=wycheproof

diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml
@@ -139,10 +139,11 @@ jobs:
       - name: Download OpenSSL
         run: |
             python .github/workflows/download_openssl.py windows openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}
-            echo "::set-env name=INCLUDE::C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/include;%INCLUDE%"
-            echo "::set-env name=LIB::C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/lib;%LIB%"
+            echo "INCLUDE=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/include;$INCLUDE" >> $GITHUB_ENV
+            echo "LIB=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.MSVC_VERSION }}/lib;$LIB" >> $GITHUB_ENV
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
 
       - run: python -m pip install -U pip wheel cffi six ipaddress "enum34; python_version < '3'"
       - run: pip download cryptography==${{ github.event.inputs.version }} --no-deps --no-binary cryptography && tar zxvf cryptography*.tar.gz && mkdir wheelhouse

diff --git a/.travis.yml b/.travis.yml
@@ -23,6 +23,8 @@ matrix:
         # Setting 'python' is just to make travis's UI a bit prettier
         - python: 3.6
           env: TOXENV=py36
+        - python: 3.9-dev
+          env: TOXENV=py39
           # Travis lists available Pythons (including PyPy) by arch and distro here:
           # https://docs.travis-ci.com/user/languages/python/#python-versions
         - python: pypy2.7-7.3.1
@@ -38,21 +40,21 @@ matrix:
         - python: 3.8
           env: TOXENV=py38 OPENSSL=1.1.0l
         - python: 2.7
-          env: TOXENV=py27 OPENSSL=1.1.1g
+          env: TOXENV=py27 OPENSSL=1.1.1h
         - python: 3.8
-          env: TOXENV=py38 OPENSSL=1.1.1g
+          env: TOXENV=py38 OPENSSL=1.1.1h
         - python: 3.8
-          env: TOXENV=py38 OPENSSL=1.1.1g OPENSSL_CONFIG_FLAGS="no-engine no-rc2 no-srtp no-ct"
+          env: TOXENV=py38 OPENSSL=1.1.1h OPENSSL_CONFIG_FLAGS="no-engine no-rc2 no-srtp no-ct"
         - python: 3.8
-          env: TOXENV=py38-ssh OPENSSL=1.1.1g
+          env: TOXENV=py38-ssh OPENSSL=1.1.1h
         - python: 3.8
           env: TOXENV=py38 LIBRESSL=2.9.2
         - python: 3.8
           env: TOXENV=py38 LIBRESSL=3.0.2
         - python: 3.8
-          env: TOXENV=py38 LIBRESSL=3.1.3
+          env: TOXENV=py38 LIBRESSL=3.1.4
         - python: 3.8
-          env: TOXENV=py38 LIBRESSL=3.2.0
+          env: TOXENV=py38 LIBRESSL=3.2.1
 
         - python: 2.7
           services: docker
@@ -104,7 +106,7 @@ matrix:
           env: TOXENV=py38 DOCKER=pyca/cryptography-runner-alpine:latest
 
         - python: 3.8
-          env: TOXENV=docs OPENSSL=1.1.1g
+          env: TOXENV=docs OPENSSL=1.1.1h
           addons:
               apt:
                   packages:
@@ -117,11 +119,9 @@ matrix:
         - python: 3.8
           env: DOWNSTREAM=pyopenssl
         - python: 3.7
-          env: DOWNSTREAM=twisted OPENSSL=1.1.1g
-        # Temporary disabled until
-        # https://github.com/paramiko/paramiko/pull/1723 is merged
-        # - python: 2.7
-        #   env: DOWNSTREAM=paramiko
+          env: DOWNSTREAM=twisted OPENSSL=1.1.1h
+        - python: 3.7
+          env: DOWNSTREAM=paramiko
         - python: 3.7
           env: DOWNSTREAM=aws-encryption-sdk
         - python: 3.7
@@ -132,10 +132,6 @@ matrix:
           env: DOWNSTREAM=certbot
         - python: 3.8
           env: DOWNSTREAM=certbot-josepy
-        - python: 3.8
-          env: DOWNSTREAM=urllib3
-          # Tests hang when run under bionic/focal
-          dist: xenial
 
 install:
     - ./.travis/install.sh

diff --git a/.travis/downstream.d/urllib3.sh b/.travis/downstream.d/urllib3.sh
diff --git a/.zuul.d/jobs.yaml b/.zuul.d/jobs.yaml
@@ -2,7 +2,7 @@
     name: pyca-cryptography-base
     abstract: true
     description: Run pyca/cryptography unit testing
-    run: .zuul.playbooks/playbooks/main.yaml
+    run: .zuul.playbooks/playbooks/tox/main.yaml
 
 - job:
     name: pyca-cryptography-ubuntu-focal-py38-arm64
@@ -31,3 +31,38 @@
     nodeset: centos-8-arm64
     vars:
       tox_envlist: py27
+
+- job:
+    name: pyca-cryptography-build-wheel
+    abstract: true
+    run: .zuul.playbooks/playbooks/wheel/main.yaml
+
+- job:
+    name: pyca-cryptography-build-wheel-arm64
+    parent: pyca-cryptography-build-wheel
+    nodeset: ubuntu-bionic-arm64
+    vars:
+      wheel_builds:
+        - platform: manylinux2014_aarch64
+          image: pyca/cryptography-manylinux2014_aarch64
+          pythons:
+            - cp35-cp35m
+
+- job:
+    name: pyca-cryptography-build-wheel-x86_64
+    parent: pyca-cryptography-build-wheel
+    nodeset: ubuntu-bionic
+    vars:
+      wheel_builds:
+        - platform: manylinux1_x86_64
+          image: pyca/cryptography-manylinux1:x86_64
+          pythons:
+            - cp27-cp27m
+            - cp27-cp27mu
+            - cp35-cp35m
+        - platform: manylinux2010_x86_64
+          image: pyca/cryptography-manylinux2010:x86_64
+          pythons:
+            - cp27-cp27m
+            - cp27-cp27mu
+            - cp35-cp35m
diff --git a/.zuul.d/project.yaml b/.zuul.d/project.yaml
@@ -1,7 +1,13 @@
 - project:
     check:
       jobs:
+        - pyca-cryptography-build-wheel-arm64
+        - pyca-cryptography-build-wheel-x86_64
         - pyca-cryptography-ubuntu-focal-py38-arm64
         - pyca-cryptography-ubuntu-bionic-py36-arm64
         - pyca-cryptography-centos-8-py36-arm64
         - pyca-cryptography-centos-8-py27-arm64
+    release:
+      jobs:
+        - pyca-cryptography-build-wheel-arm64
+        - pyca-cryptography-build-wheel-x86_64
diff --git a/.zuul.playbooks/playbooks/main.yaml → .zuul.playbooks/playbooks/tox/main.yaml b/.zuul.playbooks/playbooks/main.yaml → .zuul.playbooks/playbooks/tox/main.yaml
diff --git a/.zuul.playbooks/playbooks/wheel/main.yaml b/.zuul.playbooks/playbooks/wheel/main.yaml
@@ -0,0 +1,6 @@
+- hosts: all
+  tasks:
+
+    - name: Build wheel
+      include_role:
+        name: build-wheel-manylinux
diff --git a/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/README.rst b/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/README.rst
@@ -0,0 +1 @@
+Build manylinux wheels for cryptography
diff --git a/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/files/build-wheels.sh b/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/files/build-wheels.sh
@@ -0,0 +1,51 @@
+#!/bin/bash -ex
+
+# Compile wheels
+cd /io
+
+mkdir -p wheelhouse.final
+
+for P in ${PYTHONS}; do
+
+    PYBIN=/opt/python/${P}/bin
+
+    "${PYBIN}"/python -m virtualenv .venv
+
+    .venv/bin/pip install cffi six ipaddress "enum34; python_version < '3'"
+
+    REGEX="cp3([0-9])*"
+    if [[ "${PYBIN}" =~ $REGEX ]]; then
+        PY_LIMITED_API="--py-limited-api=cp3${BASH_REMATCH[1]}"
+    fi
+
+    LDFLAGS="-L/opt/pyca/cryptography/openssl/lib" \
+           CFLAGS="-I/opt/pyca/cryptography/openssl/include -Wl,--exclude-libs,ALL" \
+           .venv/bin/python setup.py bdist_wheel $PY_LIMITED_API
+
+    auditwheel repair --plat ${PLAT} -w wheelhouse/ dist/cryptography*.whl
+
+    # Sanity checks
+    # NOTE(ianw) : no execstack on aarch64, comes from
+    # prelink, which was never supported.  CentOS 8 does
+    # have it separate, skip for now.
+    if [[ "${PLAT}" != "manylinux2014_aarch64" ]]; then
+        for f in wheelhouse/*.whl; do
+            unzip $f -d execstack.check
+
+            results=$(execstack execstack.check/cryptography/hazmat/bindings/*.so)
+            count=$(echo "$results" | grep -c '^X' || true)
+            if [ "$count" -ne 0 ]; then
+                exit 1
+            fi
+            rm -rf execstack.check
+        done
+    fi
+
+    .venv/bin/pip install cryptography --no-index -f wheelhouse/
+    .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
+
+    # Cleanup
+    mv wheelhouse/* wheelhouse.final
+    rm -rf .venv dist wheelhouse
+
+done