From e1dacbcea8f9619dcca3bf723fa740051b8a3e82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gon=C3=A7alo=20Garcia?= Date: Thu, 9 Oct 2025 13:18:29 +0000 Subject: [PATCH 1/4] chore: Force usage of go-boring 1.24 * chore: Force usage of go-boring 1.24 --- .ci/linux.gitlab-ci.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.ci/linux.gitlab-ci.yml b/.ci/linux.gitlab-ci.yml index e1104145..d2b3e01b 100644 --- a/.ci/linux.gitlab-ci.yml +++ b/.ci/linux.gitlab-ci.yml @@ -16,6 +16,7 @@ include: <<: *golang_inputs jobPrefix: linux-build GOLANG_MAKE_TARGET: ci-build + imageVersion: "3308-283bdf9@sha256:fcd83570c91565a72eab132c38e0f589a481e2f3d4f3779f9f9a93eb555fee4a" ######################## ### Linux FIPS Build ### @@ -25,6 +26,8 @@ include: <<: *golang_inputs jobPrefix: linux-fips-build GOLANG_MAKE_TARGET: ci-fips-build + imageVersion: "3308-283bdf9@sha256:fcd83570c91565a72eab132c38e0f589a481e2f3d4f3779f9f9a93eb555fee4a" + ################# ### Unit Tests ## @@ -35,6 +38,8 @@ include: stage: test jobPrefix: test GOLANG_MAKE_TARGET: ci-test + imageVersion: "3308-283bdf9@sha256:fcd83570c91565a72eab132c38e0f589a481e2f3d4f3779f9f9a93eb555fee4a" + ###################### ### Unit Tests FIPS ## @@ -45,6 +50,8 @@ include: stage: test jobPrefix: test-fips GOLANG_MAKE_TARGET: ci-fips-test + imageVersion: "3308-283bdf9@sha256:fcd83570c91565a72eab132c38e0f589a481e2f3d4f3779f9f9a93eb555fee4a" + ################# ### Vuln Check ## @@ -56,6 +63,8 @@ include: stage: validate jobPrefix: vulncheck GOLANG_MAKE_TARGET: vulncheck + imageVersion: "3308-283bdf9@sha256:fcd83570c91565a72eab132c38e0f589a481e2f3d4f3779f9f9a93eb555fee4a" + ################################# ### Run Linux Component Tests ### From 7987d01a6ee1b51c50ceb92a1679c536d79af7a4 Mon Sep 17 00:00:00 2001 
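Review bot: The same `imageVersion` tag-and-digest string is pasted into five job inputs (linux-build, linux-fips-build, test, test-fips and vulncheck), so a later bump that misses one of them would leave, for example, the FIPS build and the FIPS tests on different toolchains without any error. Pinning by `sha256` digest is good for reproducibility. If every job that merges `*golang_inputs` should share the pin, define it once in that anchor (its definition is outside these hunks) or in another shared anchor. None of the five lines says what the tag contains or when the pin can be lifted; a comment such as `# pinned to the go-boring 1.24 image; remove once <condition>` next to the shared value would keep the reason with it.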
From: =?UTF-8?q?Gon=C3=A7alo=20Garcia?= Date: Fri, 10 Oct 2025 07:58:55 +0000 Subject: [PATCH 2/4] chore: Fix import of GPG keys when two keys are provided * chore: Fix import of GPG keys when two keys are provided We were only retrieving the first output of gpg.list keys because previously we were only running import_gpg_keys once. Now that we run it twice we need to ensure that the key we select from the list matches the one we've imported. --- release_pkgs.py | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/release_pkgs.py b/release_pkgs.py index 0045eb57..075a826a 100644 --- a/release_pkgs.py +++ b/release_pkgs.py @@ -189,11 +189,22 @@ class PkgCreator: def import_gpg_keys(self, private_key, public_key): gpg = gnupg.GPG() private_key = base64.b64decode(private_key) - gpg.import_keys(private_key) + import_result = gpg.import_keys(private_key) + if not import_result.fingerprints: + raise Exception("Failed to import private key") + public_key = base64.b64decode(public_key) gpg.import_keys(public_key) + + imported_fingerprint = import_result.fingerprints[0] data = gpg.list_keys(secret=True) - return (data[0]["fingerprint"], data[0]["uids"][0]) + + # Find the specific key we just imported by comparing fingerprints + for key in data: + if key["fingerprint"] == imported_fingerprint: + return (key["fingerprint"], key["uids"][0]) + + raise Exception(f"Could not find imported key with fingerprint {imported_fingerprint}") def import_multiple_gpg_keys(self, primary_private_key, primary_public_key, secondary_private_key=None, secondary_public_key=None): """ From d78e64c8cc2ab6337b5f3ed6181363de62342141 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gon=C3=A7alo=20Garcia?= Date: Fri, 10 Oct 2025 15:44:28 +0000 Subject: [PATCH 3/4] chore: Fix parameter order when uploading RPM .repo file to R2 * chore: Fix parameter order when uploading RPM .repo file to R2 --- release_pkgs.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
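Review bot: The result of the second `gpg.import_keys(public_key)` call in `import_gpg_keys` is still discarded, so a corrupt or mismatched public key passes silently even though the private import is now checked. Because the function returns the private key's fingerprint for later use, it seems worth keeping that result as `public_result = gpg.import_keys(public_key)` and, once `imported_fingerprint` is set, failing with `if imported_fingerprint not in public_result.fingerprints: raise Exception("Public key does not match imported private key")`. `import_result.fingerprints[0]` also assumes the decoded blob holds exactly one private key; a one-line comment stating that assumption would help the next reader.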
diff --git a/release_pkgs.py b/release_pkgs.py index 075a826a..56acf699 100644 --- a/release_pkgs.py +++ b/release_pkgs.py @@ -322,7 +322,7 @@ def create_rpm_packaging( repo_file = pkg_creator.create_repo_file(artifacts_path, binary_name, base_url, gpg_key_url) print("Uploading repo file") - pkg_uploader.upload_pkg_to_r2(repo_file, binary_name + "repo") + pkg_uploader.upload_pkg_to_r2(binary_name + "repo", repo_file) print("uploading latest to r2...") upload_from_directories(pkg_uploader, "rpm", None, binary_name) From 1ac6c45dad4e338bd948d8b87f325c2ca2940e13 Mon Sep 17 00:00:00 2001 From: Devin Carr Date: Fri, 10 Oct 2025 13:55:31 -0700 Subject: [PATCH 4/4] TUN-9883: Add new datagram v3 feature flag After the previous rollout was reverted, the original `support_datagram_v3_1` is deprecated and replaced with `support_datagram_v3_2`. Closes TUN-9883 --- client/config_test.go | 2 +- features/features.go | 8 +++++--- features/selector.go | 5 +++-- features/selector_test.go | 20 +++++++++++++------- 4 files changed, 22 insertions(+), 13 deletions(-) diff --git a/client/config_test.go b/client/config_test.go index 5fe4e7c1..77923fb3 100644 --- a/client/config_test.go +++ b/client/config_test.go @@ -45,6 +45,6 @@ func (m *mockFeatureSelector) Snapshot() features.FeatureSnapshot { return features.FeatureSnapshot{ PostQuantum: features.PostQuantumPrefer, DatagramVersion: features.DatagramV3, - FeaturesList: []string{features.FeaturePostQuantum, features.FeatureDatagramV3_1}, + FeaturesList: []string{features.FeaturePostQuantum, features.FeatureDatagramV3_2}, } } diff --git a/features/features.go b/features/features.go index 2c7e6850..83a34a7f 100644 --- a/features/features.go +++ b/features/features.go 
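Review bot: The argument swap fixed in `create_rpm_packaging` was possible because both values are passed to `upload_pkg_to_r2` positionally; calling it with keyword arguments (using the parameter names from its definition, which is outside this hunk) would make a reversed order visible at the call site. The object name is also built as `binary_name + "repo"` with no separator. That may be intended, but given the commit title it looks like it could be meant as `binary_name + ".repo"`; worth confirming against the URL that clients fetch. The enclosing function starts and ends outside the hunk.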
@@ -10,9 +10,10 @@ const ( FeaturePostQuantum = "postquantum" FeatureQUICSupportEOF = "support_quic_eof" FeatureManagementLogs = "management_logs" - FeatureDatagramV3_1 = "support_datagram_v3_1" + FeatureDatagramV3_2 = "support_datagram_v3_2" - DeprecatedFeatureDatagramV3 = "support_datagram_v3" // Deprecated: TUN-9291 + DeprecatedFeatureDatagramV3 = "support_datagram_v3" // Deprecated: TUN-9291 + DeprecatedFeatureDatagramV3_1 = "support_datagram_v3_1" // Deprecated: TUN-9883 ) var defaultFeatures = []string{ @@ -26,6 +27,7 @@ var defaultFeatures = []string{ // List of features that are no longer in-use. var deprecatedFeatures = []string{ DeprecatedFeatureDatagramV3, + DeprecatedFeatureDatagramV3_1, } // Features set by user provided flags @@ -58,7 +60,7 @@ const ( // DatagramV2 is the currently supported datagram protocol for UDP and ICMP packets DatagramV2 DatagramVersion = FeatureDatagramV2 // DatagramV3 is a new datagram protocol for UDP and ICMP packets. It is not backwards compatible with datagram v2. - DatagramV3 DatagramVersion = FeatureDatagramV3_1 + DatagramV3 DatagramVersion = FeatureDatagramV3_2 ) // Remove any duplicate features from the list and remove deprecated features diff --git a/features/selector.go b/features/selector.go index 38cc43b4..d76276e8 100644 --- a/features/selector.go +++ b/features/selector.go @@ -23,9 +23,10 @@ const ( // If the TXT record is missing a key, the field will unmarshal to the default Go value type featuresRecord struct { - DatagramV3Percentage uint32 `json:"dv3_1"` + DatagramV3Percentage uint32 `json:"dv3_2"` // DatagramV3Percentage int32 `json:"dv3"` // Removed in TUN-9291 + // DatagramV3Percentage uint32 `json:"dv3_1"` // Removed in TUN-9883 // PostQuantumPercentage int32 `json:"pq"` // Removed in TUN-7970 } 
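Review bot: `FeatureDatagramV3_2` is added to the const block in features.go without a comment, and nothing there says that the `_2` suffix names a rollout generation of the same datagram v3 protocol rather than a protocol revision, which is what the commit message implies. A doc comment such as `// FeatureDatagramV3_2 is the feature string for datagram v3; it replaces support_datagram_v3_1 after that rollout was reverted (TUN-9883).` would save the next reader from inferring it. The `// Deprecated:` markers on the two deprecated constants are trailing comments; Go tooling generally looks for a `Deprecated:` paragraph in the doc comment above the identifier, so moving them there may be worthwhile. The const block starts outside the hunk.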
@@ -105,7 +106,7 @@ func (fs *featureSelector) postQuantumMode() PostQuantumMode { func (fs *featureSelector) datagramVersion() DatagramVersion { // If user provides the feature via the cli, we take it as priority over remote feature evaluation - if slices.Contains(fs.cliFeatures, FeatureDatagramV3_1) { + if slices.Contains(fs.cliFeatures, FeatureDatagramV3_2) { return DatagramV3 } // If the user specifies DatagramV2, we also take that over remote diff --git a/features/selector_test.go b/features/selector_test.go index 511aebe6..d68e6ec9 100644 --- a/features/selector_test.go +++ b/features/selector_test.go @@ -22,15 +22,15 @@ func TestUnmarshalFeaturesRecord(t *testing.T) { expectedPercentage uint32 }{ { - record: []byte(`{"dv3_1":0}`), + record: []byte(`{"dv3_2":0}`), expectedPercentage: 0, }, { - record: []byte(`{"dv3_1":39}`), + record: []byte(`{"dv3_2":39}`), expectedPercentage: 39, }, { - record: []byte(`{"dv3_1":100}`), + record: []byte(`{"dv3_2":100}`), expectedPercentage: 100, }, { @@ -40,7 +40,7 @@ func TestUnmarshalFeaturesRecord(t *testing.T) { record: []byte(`{"kyber":768}`), // Unmarshal to default struct if key is not present }, { - record: []byte(`{"pq": 101,"dv3":100}`), // Expired keys don't unmarshal to anything + record: []byte(`{"pq": 101,"dv3":100,"dv3_1":100}`), // Expired keys don't unmarshal to anything }, } @@ -111,10 +111,10 @@ func TestFeaturePrecedenceEvaluationDatagramVersion(t *testing.T) { }, { name: "user_specified_v3", - cli: []string{FeatureDatagramV3_1}, + cli: []string{FeatureDatagramV3_2}, remote: featuresRecord{}, - expectedFeatures: dedupAndRemoveFeatures(append(defaultFeatures, FeatureDatagramV3_1)), - expectedVersion: FeatureDatagramV3_1, + expectedFeatures: dedupAndRemoveFeatures(append(defaultFeatures, FeatureDatagramV3_2)), + expectedVersion: FeatureDatagramV3_2, }, } 
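Review bot: A user who still passes `support_datagram_v3_1` on the command line no longer matches the `slices.Contains(fs.cliFeatures, FeatureDatagramV3_2)` check in `datagramVersion` and falls through to the remaining branches with no indication that the opt-in was ignored. Since that string is now in `deprecatedFeatures`, a one-time warning where the CLI feature list is filtered would tell operators why their tunnel is not using datagram v3; that code is outside these hunks, so such a warning may already exist. At minimum a comment above the check could read `// support_datagram_v3_1 is deprecated (TUN-9883) and intentionally not honoured here.` The body of `datagramVersion` continues past the end of the hunk.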
@@ -150,6 +150,12 @@ func TestDeprecatedFeaturesRemoved(t *testing.T) { remote: featuresRecord{}, expectedFeatures: defaultFeatures, }, + { + name: "support_datagram_v3_1", + cli: []string{DeprecatedFeatureDatagramV3_1}, + remote: featuresRecord{}, + expectedFeatures: defaultFeatures, + }, } for _, test := range tests {
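Review bot: The new `support_datagram_v3_1` case in `TestDeprecatedFeaturesRemoved` checks only `expectedFeatures`, as far as the visible table fields show, so it does not pin which datagram version is selected when the deprecated flag is the only CLI input. A matching case in `TestFeaturePrecedenceEvaluationDatagramVersion` with `cli: []string{DeprecatedFeatureDatagramV3_1}` and `expectedVersion: FeatureDatagramV2` (assuming an empty remote record selects v2) would guard against the old opt-in being honoured again by accident. The loop that runs the table begins on the last line of this hunk, and its assertions are not visible.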