Commit 5e488cb4f1 for openssl.org
commit 5e488cb4f158a40a7efe9401ab0ffa652b7dbac1
Author: Dmitry Misharov <dmitry@openssl.org>
Date: Wed Jun 3 13:12:36 2026 +0200
ci: Verify jom/NASM downloads and fall back to upstream on forks
Move the OpenSSL-hosted jom and NASM downloads under the /ci-deps/
path and verify them against SHA256 sums recorded in
.github/ci-deps.json before installing. Forks, which can't reach the
mirror reliably, download from the upstream Qt and NASM locations
instead.
Affected workflows: windows.yml, windows_comp.yml, os-zoo.yml
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
MergeDate: Thu Jun 11 16:17:03 2026
(Merged from https://github.com/openssl/openssl/pull/30957)
diff --git a/.github/ci-deps.json b/.github/ci-deps.json
new file mode 100644
index 0000000000..f075460ff0
--- /dev/null
+++ b/.github/ci-deps.json
@@ -0,0 +1,5 @@
+{
+ "jom-1.1.7.exe": "8435dbf96eb9ee65395d46d04dc3af2ff6b2618aefbc7964eeede9be669e8bd6",
+ "nasm-3.01-installer-x64.exe": "7881e9febc8b6558581041019b7890f109bef0694d93ed82c9589794c7b5a600",
+ "nasm-3.01-installer-x86.exe": "2e3041dd2abe36cb7e9938057c3cf090dd2eac42d3280957359f87c4d83b9ed0"
+}
diff --git a/.github/workflows/os-zoo.yml b/.github/workflows/os-zoo.yml
index 806d5568a5..eff3bff58f 100644
--- a/.github/workflows/os-zoo.yml
+++ b/.github/workflows/os-zoo.yml
@@ -151,13 +151,20 @@ jobs:
run: git submodule update --init --depth 1 fuzz/corpora
- name: install nasm
run: |
- Invoke-WebRequest -Uri "https://openssl-library.org/nasm-3.01-installer-x64.exe" -OutFile nasm-installer.exe
- Start-Process -FilePath .\nasm-installer.exe -ArgumentList '/S' -Wait
+ $installer = "nasm-3.01-installer-x64.exe"
+ Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/$installer" -OutFile $installer
+ $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).$installer
+ $actual = (Get-FileHash $installer -Algorithm SHA256).Hash
+ if ($actual -ne $expected) { throw "SHA256 mismatch for $installer (expected $expected, got $actual)" }
+ Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait
"C:\Program Files\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
- name: install jom
run: |
mkdir C:\jom
- Invoke-WebRequest -Uri "https://openssl-library.org/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+ Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+ $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).'jom-1.1.7.exe'
+ $actual = (Get-FileHash C:\jom\jom.exe -Algorithm SHA256).Hash
+ if ($actual -ne $expected) { throw "SHA256 mismatch for jom.exe (expected $expected, got $actual)" }
"C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
- name: prepare the build directory
run: mkdir _build
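Review bot: The `install nasm` and `install jom` steps in this hunk get no `if: github.repository == 'openssl/openssl'` guard and no `(forks)` counterpart, although the commit message lists os-zoo.yml among the workflows where forks fall back to upstream. Unless the enclosing job is already restricted to the main repository outside this hunk, a fork run will still fetch from `https://openssl-library.org/ci-deps/`, which the message describes as unreliable for forks. Either add the same guard and fork steps as in windows.yml, or add a comment on the job saying it only runs upstream. The job definition starts outside the hunk, so this needs checking against the full file.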
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 68f9bfdd6b..22222e609a 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -38,14 +38,37 @@ jobs:
- name: checkout fuzz/corpora submodule
run: git submodule update --init --depth 1 fuzz/corpora
- name: install nasm
+ if: github.repository == 'openssl/openssl'
run: |
- Invoke-WebRequest -Uri "https://openssl-library.org/nasm-3.01-installer-${{ matrix.platform.arch == 'x86' && 'x86' || 'x64' }}.exe" -OutFile nasm-installer.exe
- Start-Process -FilePath .\nasm-installer.exe -ArgumentList '/S' -Wait
+ $installer = "nasm-3.01-installer-${{ matrix.platform.arch == 'x86' && 'x86' || 'x64' }}.exe"
+ Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/$installer" -OutFile $installer
+ $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).$installer
+ $actual = (Get-FileHash $installer -Algorithm SHA256).Hash
+ if ($actual -ne $expected) { throw "SHA256 mismatch for $installer (expected $expected, got $actual)" }
+ Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait
+ "C:\Program Files${{ matrix.platform.arch == 'x86' && ' (x86)' || '' }}\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+ - name: install nasm (forks)
+ if: github.repository != 'openssl/openssl'
+ run: |
+ $installer = "nasm-3.01-installer-${{ matrix.platform.arch == 'x86' && 'x86' || 'x64' }}.exe"
+ Invoke-WebRequest -Uri "https://www.nasm.us/pub/nasm/releasebuilds/3.01/win${{ matrix.platform.arch == 'x86' && '32' || '64' }}/$installer" -OutFile $installer
+ Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait
"C:\Program Files${{ matrix.platform.arch == 'x86' && ' (x86)' || '' }}\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
- name: install jom
+ if: github.repository == 'openssl/openssl'
+ run: |
+ mkdir C:\jom
+ Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+ $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).'jom-1.1.7.exe'
+ $actual = (Get-FileHash C:\jom\jom.exe -Algorithm SHA256).Hash
+ if ($actual -ne $expected) { throw "SHA256 mismatch for jom.exe (expected $expected, got $actual)" }
+ "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+ - name: install jom (forks)
+ if: github.repository != 'openssl/openssl'
run: |
mkdir C:\jom
- Invoke-WebRequest -Uri "https://openssl-library.org/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+ Invoke-WebRequest -Uri "https://download.qt.io/official_releases/jom/jom_1_1_7.zip" -OutFile C:\jom\jom.zip
+ Expand-Archive -Path C:\jom\jom.zip -DestinationPath C:\jom
"C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
- name: prepare the build directory
run: mkdir _build
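Review bot: The `install nasm (forks)` and `install jom (forks)` steps run what they download with no digest check, so on forks the NASM installer and the jom archive are trusted on TLS alone while the main repository verifies SHA256. The NASM fork step uses the same file name as the key in `.github/ci-deps.json`, so the `$expected` / `$actual` / `if ($actual -ne $expected) { throw ... }` lines from the non-fork step could be placed before `Start-Process`, assuming the mirrored installer is byte-identical to the upstream one. For jom, either record the SHA256 of `jom_1_1_7.zip` in ci-deps.json, or hash `C:\jom\jom.exe` after `Expand-Archive` against the existing `jom-1.1.7.exe` entry if that entry was taken from the same archive. The same applies to the fork steps in the later windows.yml hunks and in both windows_comp.yml hunks.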
@@ -121,9 +144,20 @@ jobs:
- name: prepare the build directory
run: mkdir _build
- name: install jom
+ if: github.repository == 'openssl/openssl'
run: |
mkdir C:\jom
- Invoke-WebRequest -Uri "https://openssl-library.org/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+ Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+ $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).'jom-1.1.7.exe'
+ $actual = (Get-FileHash C:\jom\jom.exe -Algorithm SHA256).Hash
+ if ($actual -ne $expected) { throw "SHA256 mismatch for jom.exe (expected $expected, got $actual)" }
+ "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+ - name: install jom (forks)
+ if: github.repository != 'openssl/openssl'
+ run: |
+ mkdir C:\jom
+ Invoke-WebRequest -Uri "https://download.qt.io/official_releases/jom/jom_1_1_7.zip" -OutFile C:\jom\jom.zip
+ Expand-Archive -Path C:\jom\jom.zip -DestinationPath C:\jom
"C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
- name: config
working-directory: _build
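Review bot: The jom step spells the file name twice, once in the download URL and once as the JSON key `.'jom-1.1.7.exe'`, whereas the NASM steps keep it in `$installer`. The check fails closed if the two drift apart on a version bump, but the "SHA256 mismatch" message would then point away from the real cause. Holding the name in one variable, e.g. `$file = 'jom-1.1.7.exe'` used as `.../ci-deps/$file` and `(... | ConvertFrom-Json).$file`, keeps URL and key in step. The block is also repeated verbatim in the other jom steps of this file, os-zoo.yml and windows_comp.yml, so a shared script or local composite action would leave one copy to maintain.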
@@ -167,9 +201,20 @@ jobs:
- name: prepare the build directory
run: mkdir _build
- name: install jom
+ if: github.repository == 'openssl/openssl'
+ run: |
+ mkdir C:\jom
+ Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+ $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).'jom-1.1.7.exe'
+ $actual = (Get-FileHash C:\jom\jom.exe -Algorithm SHA256).Hash
+ if ($actual -ne $expected) { throw "SHA256 mismatch for jom.exe (expected $expected, got $actual)" }
+ "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+ - name: install jom (forks)
+ if: github.repository != 'openssl/openssl'
run: |
mkdir C:\jom
- Invoke-WebRequest -Uri "https://openssl-library.org/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+ Invoke-WebRequest -Uri "https://download.qt.io/official_releases/jom/jom_1_1_7.zip" -OutFile C:\jom\jom.zip
+ Expand-Archive -Path C:\jom\jom.zip -DestinationPath C:\jom
"C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
- name: config
working-directory: _build
diff --git a/.github/workflows/windows_comp.yml b/.github/workflows/windows_comp.yml
index df852b30e5..f89324e4b1 100644
--- a/.github/workflows/windows_comp.yml
+++ b/.github/workflows/windows_comp.yml
@@ -29,14 +29,37 @@ jobs:
- name: checkout fuzz/corpora submodule
run: git submodule update --init --depth 1 fuzz/corpora
- name: install nasm
+ if: github.repository == 'openssl/openssl'
+ run: |
+ $installer = "nasm-3.01-installer-x64.exe"
+ Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/$installer" -OutFile $installer
+ $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).$installer
+ $actual = (Get-FileHash $installer -Algorithm SHA256).Hash
+ if ($actual -ne $expected) { throw "SHA256 mismatch for $installer (expected $expected, got $actual)" }
+ Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait
+ "C:\Program Files\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+ - name: install nasm (forks)
+ if: github.repository != 'openssl/openssl'
run: |
- Invoke-WebRequest -Uri "https://openssl-library.org/nasm-3.01-installer-x64.exe" -OutFile nasm-installer.exe
- Start-Process -FilePath .\nasm-installer.exe -ArgumentList '/S' -Wait
+ $installer = "nasm-3.01-installer-x64.exe"
+ Invoke-WebRequest -Uri "https://www.nasm.us/pub/nasm/releasebuilds/3.01/win64/$installer" -OutFile $installer
+ Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait
"C:\Program Files\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
- name: install jom
+ if: github.repository == 'openssl/openssl'
+ run: |
+ mkdir C:\jom
+ Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+ $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).'jom-1.1.7.exe'
+ $actual = (Get-FileHash C:\jom\jom.exe -Algorithm SHA256).Hash
+ if ($actual -ne $expected) { throw "SHA256 mismatch for jom.exe (expected $expected, got $actual)" }
+ "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+ - name: install jom (forks)
+ if: github.repository != 'openssl/openssl'
run: |
mkdir C:\jom
- Invoke-WebRequest -Uri "https://openssl-library.org/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+ Invoke-WebRequest -Uri "https://download.qt.io/official_releases/jom/jom_1_1_7.zip" -OutFile C:\jom\jom.zip
+ Expand-Archive -Path C:\jom\jom.zip -DestinationPath C:\jom
"C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
- name: prepare the build directory
run: mkdir _build
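Review bot: `Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait` discards the installer's exit code, so a silent install that fails still passes this step and the problem only surfaces later when `nasm` is missing from PATH. Capturing the process and checking it makes the failure visible where it happens: `$p = Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait -PassThru` followed by `if ($p.ExitCode -ne 0) { throw "NASM installer exited with code $($p.ExitCode)" }`. This applies to both the verified and the fork NASM steps here, and to the NASM steps in the second hunk of this file, in windows.yml and in os-zoo.yml.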
@@ -98,14 +121,37 @@ jobs:
- name: checkout fuzz/corpora submodule
run: git submodule update --init --depth 1 fuzz/corpora
- name: install nasm
+ if: github.repository == 'openssl/openssl'
+ run: |
+ $installer = "nasm-3.01-installer-x64.exe"
+ Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/$installer" -OutFile $installer
+ $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).$installer
+ $actual = (Get-FileHash $installer -Algorithm SHA256).Hash
+ if ($actual -ne $expected) { throw "SHA256 mismatch for $installer (expected $expected, got $actual)" }
+ Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait
+ "C:\Program Files\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+ - name: install nasm (forks)
+ if: github.repository != 'openssl/openssl'
run: |
- Invoke-WebRequest -Uri "https://openssl-library.org/nasm-3.01-installer-x64.exe" -OutFile nasm-installer.exe
- Start-Process -FilePath .\nasm-installer.exe -ArgumentList '/S' -Wait
+ $installer = "nasm-3.01-installer-x64.exe"
+ Invoke-WebRequest -Uri "https://www.nasm.us/pub/nasm/releasebuilds/3.01/win64/$installer" -OutFile $installer
+ Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait
"C:\Program Files\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
- name: install jom
+ if: github.repository == 'openssl/openssl'
+ run: |
+ mkdir C:\jom
+ Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+ $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).'jom-1.1.7.exe'
+ $actual = (Get-FileHash C:\jom\jom.exe -Algorithm SHA256).Hash
+ if ($actual -ne $expected) { throw "SHA256 mismatch for jom.exe (expected $expected, got $actual)" }
+ "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+ - name: install jom (forks)
+ if: github.repository != 'openssl/openssl'
run: |
mkdir C:\jom
- Invoke-WebRequest -Uri "https://openssl-library.org/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+ Invoke-WebRequest -Uri "https://download.qt.io/official_releases/jom/jom_1_1_7.zip" -OutFile C:\jom\jom.zip
+ Expand-Archive -Path C:\jom\jom.zip -DestinationPath C:\jom
"C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
- name: prepare the build directory
run: mkdir _build