@@ -568,7 +568,40 @@ jobs:
568568 # break in DEP_META['liboqs'] would silently land.
569569
570570 - name : Install liboqs (provides liboqs.pc for --with-liboqs)
571- run : sudo apt-get update && sudo apt-get install -y liboqs-dev
571+ # Ubuntu noble (24.04) does not ship liboqs-dev in its archive
572+ # (Debian sid has 0.7.x; Ubuntu only has unsupported PPAs). Build
573+ # from a pinned upstream tag so this job stays deterministic across
574+ # runs - any future liboqs API/ABI break shows up here, not in
575+ # production builds. Pinning matters: SBOM correctness assertions
576+ # below check purl shape, and an unpinned 'main' would silently
577+ # change what pkg-config reports as the version string.
578+ run : |
579+ sudo apt-get update
580+ sudo apt-get install -y --no-install-recommends \
581+ cmake ninja-build libssl-dev
582+ git clone --depth=1 --branch 0.12.0 \
583+ https://github.com/open-quantum-safe/liboqs /tmp/liboqs
584+ cmake -S /tmp/liboqs -B /tmp/liboqs/build -GNinja \
585+ -DCMAKE_BUILD_TYPE=Release \
586+ -DCMAKE_INSTALL_PREFIX=/usr/local \
587+ -DBUILD_SHARED_LIBS=ON \
588+ -DOQS_BUILD_ONLY_LIB=ON \
589+ -DOQS_DIST_BUILD=OFF
590+ cmake --build /tmp/liboqs/build --parallel "$(nproc)"
591+ sudo cmake --install /tmp/liboqs/build
592+ sudo ldconfig
593+ # /usr/local/lib/pkgconfig is on pkg-config's compiled-in path
594+ # on Ubuntu, but export via $GITHUB_ENV so a future image change
595+ # cannot silently break --with-liboqs autodetection. ${VAR:+:$VAR}
596+ # avoids a trailing colon when PKG_CONFIG_PATH is unset.
597+ echo "PKG_CONFIG_PATH=/usr/local/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}" \
598+ >> "$GITHUB_ENV"
599+
600+ - name : Verify liboqs.pc visible to pkg-config
601+ # Separate step so the $GITHUB_ENV write above has taken effect
602+ # for this shell; an in-step call would only be exercising the
603+ # compiled-in default path, not the export.
604+ run : pkg-config --modversion liboqs
572605
573606 - name : Configure with --with-liboqs --enable-falcon
574607 run : |
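Review bot: The determinism claim in the comment at 573-577 rests on `--branch 0.12.0` at 582, but a git tag is a mutable ref, so the clone can later resolve to different content without any change to this file; the job should record the commit the tag is expected to point at and fail if it does not match. A two-line check after the clone does it: `[ "$(git -C /tmp/liboqs rev-parse HEAD)" = "$LIBOQS_EXPECTED_SHA" ] || { echo "liboqs 0.12.0 tag moved" >&2; exit 1; }`, with `LIBOQS_EXPECTED_SHA` set under the step's `env:` to the placeholder `<commit SHA that 0.12.0 pointed at when pinned>`. The same applies to `STRACE_TAG: v6.7` in the second hunk (bomsh there is correctly pinned by `BOMSH_SHA`, so only strace needs the check). The `Configure with --with-liboqs --enable-falcon` step that starts at 606 continues past the end of this hunk.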
@@ -734,33 +767,67 @@ jobs:
734767 - name : Install build deps + SBOM validators
735768 run : |
736769 sudo apt-get update
770+ # bison + autotools-dev are required by strace's ./bootstrap.
771+ # gcc-multilib + g++-multilib give strace's --enable-mpers=check
772+ # the 32-bit/x32 compilers it needs - without them mpers is
773+ # silently downgraded and bomtrace3 traces only native-arch
774+ # syscalls, diverging from what bomsh's devcontainer produces.
775+ # The rest mirror bomsh's .devcontainer/Dockerfile bomtrace3
776+ # stage.
737777 sudo apt-get install -y build-essential autoconf automake libtool \
778+ bison autotools-dev gcc-multilib g++-multilib \
738779 python3 python3-pip git
739780 python3 -m pip install --user --upgrade pip
740781 python3 -m pip install --user 'spdx-tools==0.8.*'
741782 echo "$HOME/.local/bin" >> "$GITHUB_PATH"
742783
743784 - name : Install bomsh toolchain (bomtrace3 + helper scripts)
744- # Bomsh is not packaged; build bomtrace3 (patched strace) from
745- # source and install the python helpers system-wide so configure's
746- # AC_PATH_PROG can find them.
785+ # Bomsh is not packaged. Reproduce its `.devcontainer/Dockerfile`
786+ # bomtrace3 stage: clone strace, apply bomtrace3.patch, drop in
787+ # the bomsh source overlay, then bootstrap+configure+make. Both
788+ # bomsh and strace are pinned (env: below) so a strace `master`
789+ # commit that touches the lines bomtrace3.patch rewrites cannot
790+ # break this CI for reasons unrelated to wolfSSL. Bump them
791+ # together by re-validating `patch -p1` against the new SHAs.
792+ env :
793+ # bomsh has no releases; pin to last commit on main as of
794+ # 2024-10-31. The patch itself last changed 2024-02-06.
795+ BOMSH_SHA : 5823f7db7e5bd958e4ff868ae6ea79a7d871bb07
796+ # v6.7 (2024-01-29) is the strace release current when the
797+ # patch was last touched; later releases tend to drift from
798+ # the patch's context lines in src/strace.c.
799+ STRACE_TAG : v6.7
747800 run : |
748- git clone --depth=1 https://github.com/omnibor/bomsh /tmp/bomsh
749- # bomtrace3 build: docker/devcontainer-only Makefile in upstream;
750- # use the embedded build script if present, else fall back to
751- # the strace patch path.
752- cd /tmp/bomsh
753- if [ -d .devcontainer/bomtrace3 ]; then
754- make -C .devcontainer/bomtrace3
755- sudo install -m 755 .devcontainer/bomtrace3/bomtrace3 \
756- /usr/local/bin/
757- else
758- echo "bomsh repo layout changed; please update CI"
801+ git clone https://github.com/omnibor/bomsh /tmp/bomsh
802+ git -C /tmp/bomsh checkout "$BOMSH_SHA"
803+ # Even with a pinned SHA, keep the layout-drift guard so the
804+ # next maintainer who bumps BOMSH_SHA gets a clear error if
805+ # upstream restructured rather than a confusing patch failure.
806+ if [ ! -f /tmp/bomsh/.devcontainer/patches/bomtrace3.patch ] \
807+ || [ ! -d /tmp/bomsh/.devcontainer/src ]; then
808+ echo "bomsh repo layout changed; please update CI" >&2
809+ ls -la /tmp/bomsh/.devcontainer/ >&2 || true
759810 exit 1
760811 fi
761- sudo install -m 755 scripts/bomsh_create_bom.py /usr/local/bin/
762- sudo install -m 755 scripts/bomsh_sbom.py /usr/local/bin/
763- bomtrace3 --version || true
812+ git clone --depth=1 --branch "$STRACE_TAG" \
813+ https://github.com/strace/strace.git /tmp/strace
814+ cp /tmp/bomsh/.devcontainer/patches/bomtrace3.patch /tmp/strace/
815+ cp /tmp/bomsh/.devcontainer/src/*.[ch] /tmp/strace/src/
816+ (
817+ cd /tmp/strace
818+ patch -p1 < bomtrace3.patch
819+ ./bootstrap
820+ ./configure --enable-mpers=check
821+ make -j"$(nproc)"
822+ )
823+ sudo install -m 755 /tmp/strace/src/strace /usr/local/bin/bomtrace3
824+ sudo install -m 755 /tmp/bomsh/scripts/bomsh_create_bom.py \
825+ /usr/local/bin/
826+ sudo install -m 755 /tmp/bomsh/scripts/bomsh_sbom.py \
827+ /usr/local/bin/
828+ # bomtrace3 is patched strace; a `--version` invocation under
829+ # ptrace requires no target so it must succeed cleanly.
830+ bomtrace3 --version
764831 which bomsh_create_bom.py bomsh_sbom.py
765832
766833 - name : Configure wolfSSL
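Review bot: The comment at 770-774 motivates the multilib packages precisely because `--enable-mpers=check` at 820 downgrades silently, yet nothing after the build asserts that mpers was actually enabled, so the very failure mode described would still go unnoticed and bomtrace3 would trace only native-arch syscalls. A post-build check in the subshell after `make -j"$(nproc)"`, e.g. inspecting the generated config.h for the mpers defines and exiting non-zero if they are absent, would turn the silent downgrade into a CI failure; the exact macro names should be taken from the strace tree at `STRACE_TAG`. As a wording point, the comment at 791 says "re-validating `patch -p1` against the new SHAs" while `STRACE_TAG` is a tag name, so "new pins" would be more accurate. The `Configure wolfSSL` step at 833 continues past the end of this hunk.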