From 6b2852ce491de2b81f76b930f7b310039f1b37b7 Mon Sep 17 00:00:00 2001 From: Siegfried Pammer Date: Thu, 2 Jul 2026 12:06:36 +0200 Subject: [PATCH] Set OpenSSL SHA1 flag in build scripts Local OpenSSL defaults can reject legacy SHA-1 signatures during dotnet operations. Set the required compatibility flag inside the repository scripts so restore, build, publish, clean, and formatting paths do not depend on each caller's shell environment. Assisted-by: OpenCode:openai/gpt-5.5:OpenCode --- BuildTools/format.ps1 | 1 + BuildTools/pre-commit | 1 + build.ps1 | 1 + clean.ps1 | 1 + publish.ps1 | 1 + publishlocaldev.ps1 | 5 ++++- restore.ps1 | 1 + updatedeps.ps1 | 1 + 8 files changed, 11 insertions(+), 1 deletion(-) diff --git a/BuildTools/format.ps1 b/BuildTools/format.ps1 index c0f6bb9d2..0a810d4d0 100644 --- a/BuildTools/format.ps1 +++ b/BuildTools/format.ps1 @@ -2,6 +2,7 @@ # Trigger the commit hook's formatter against the working tree without committing, # applying the same formatting the pre-commit hook enforces. $ErrorActionPreference = 'Stop' +$env:OPENSSL_ENABLE_SHA1_SIGNATURES = '1' Push-Location (Join-Path $PSScriptRoot '..') try { bash BuildTools/pre-commit --format diff --git a/BuildTools/pre-commit b/BuildTools/pre-commit index b9d352bf6..e72109971 100755 --- a/BuildTools/pre-commit +++ b/BuildTools/pre-commit @@ -8,6 +8,7 @@ set -eu DOTNET_FORMAT_VERSION=10.0.100-rtm.25531.102 DOTNET_FORMAT_SOURCE="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet10-transport/nuget/v3/index.json" +export OPENSSL_ENABLE_SHA1_SIGNATURES=1 # Per-OS tool cache location + binary suffix. Windows uses %LOCALAPPDATA% and a .exe # suffix; Unix-likes follow the XDG basedir spec (falling back to ~/.local/share) and diff --git a/build.ps1 b/build.ps1 index 70d865607..5c245d406 100644 --- a/build.ps1 +++ b/build.ps1 @@ -6,4 +6,5 @@ param( [string]$Configuration = 'Debug' ) $ErrorActionPreference = 'Stop' +$env:OPENSSL_ENABLE_SHA1_SIGNATURES = '1' dotnet build ILSpy.sln -c $Configuration "-p:Platform=Any CPU" @args diff --git a/clean.ps1 b/clean.ps1 index c5d750a44..160be6ec8 100644 --- a/clean.ps1 +++ b/clean.ps1 @@ -1,5 +1,6 @@ #!/usr/bin/env pwsh # Clean the Debug and Release build outputs of ILSpy.sln. $ErrorActionPreference = 'Stop' +$env:OPENSSL_ENABLE_SHA1_SIGNATURES = '1' dotnet clean ILSpy.sln -c Debug "-p:Platform=Any CPU" @args dotnet clean ILSpy.sln -c Release "-p:Platform=Any CPU" @args diff --git a/publish.ps1 b/publish.ps1 index a885ee196..a52c56c1c 100644 --- a/publish.ps1 +++ b/publish.ps1 @@ -13,6 +13,7 @@ param( [string]$Platform = 'windows' ) $ErrorActionPreference = 'Stop' +$env:OPENSSL_ENABLE_SHA1_SIGNATURES = '1' $base = "./ILSpy/bin/$Configuration/net10.0" diff --git a/publishlocaldev.ps1 b/publishlocaldev.ps1 index ce187d251..9f00d210e 100644 --- a/publishlocaldev.ps1 +++ b/publishlocaldev.ps1 @@ -1,5 +1,8 @@ # For local development of the VSIX package - build and publish (VS2022 also needs arm64) +$ErrorActionPreference = 'Stop' +$env:OPENSSL_ENABLE_SHA1_SIGNATURES = '1' + $configuration = "Debug" dotnet build ./ILSpy.sln -c $configuration @@ -12,4 +15,4 @@ dotnet publish ./ILSpy.ReadyToRun/ILSpy.ReadyToRun.csproj -c $configuration --no $output_arm64 = "./ILSpy/bin/$configuration/net10.0/win-arm64/publish/fwdependent" dotnet publish ./ILSpy/ILSpy.csproj -c $configuration --no-restore --no-self-contained -r win-arm64 -o $output_arm64 -dotnet publish ./ILSpy.ReadyToRun/ILSpy.ReadyToRun.csproj -c $configuration --no-restore --no-self-contained -r win-arm64 -o $output_arm64 \ No newline at end of file +dotnet publish ./ILSpy.ReadyToRun/ILSpy.ReadyToRun.csproj -c $configuration --no-restore --no-self-contained -r win-arm64 -o $output_arm64 diff --git a/restore.ps1 b/restore.ps1 index be32fa382..e075b914d 100644 --- a/restore.ps1 +++ b/restore.ps1 @@ -2,4 +2,5 @@ # Restore all NuGet packages for ILSpy.sln, honouring the committed packages.lock.json files. # Use updatedeps.ps1 instead when you have changed a PackageVersion and need to refresh the locks. $ErrorActionPreference = 'Stop' +$env:OPENSSL_ENABLE_SHA1_SIGNATURES = '1' dotnet restore ILSpy.sln -p:RestoreEnablePackagePruning=false @args diff --git a/updatedeps.ps1 b/updatedeps.ps1 index 9629931d2..e8e3eccd4 100644 --- a/updatedeps.ps1 +++ b/updatedeps.ps1 @@ -3,4 +3,5 @@ # Run this after changing a PackageVersion in Directory.Packages.props (or adding a package), # then commit the updated lock files. $ErrorActionPreference = 'Stop' +$env:OPENSSL_ENABLE_SHA1_SIGNATURES = '1' dotnet restore ILSpy.sln --force-evaluate -p:RestoreEnablePackagePruning=false @args