From 35898ad24d83317135d7fdad601dc17375ac373e Mon Sep 17 00:00:00 2001 From: Ævar Arnfjörð Bjarmason Date: Thu, 15 Dec 2022 09:43:05 +0100 Subject: Makefile: use sha1collisiondetection by default on OSX and Darwin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When the sha1collisiondetection library was added and made the default in [1] the interaction with APPLE_COMMON_CRYPTO added in [2] and [3] seems to have been missed. On modern OSX and Darwin we are able to use Apple's CommonCrypto both for SHA-1, and as a generic (but partial) OpenSSL replacement. This left OSX and Darwin without protection against the SHAttered attack when building Git in its default configuration. Let's also use sha1collisiondetection on OSX, to do so we'll need to split up the "APPLE_COMMON_CRYPTO" flag into that flag and a new "APPLE_COMMON_CRYPTO_SHA1". Because of this we can stop conflating whether we want to use Apple's CommonCrypto at all, and whether we want to use it for SHA-1. This makes the CI recipe added in [4] simpler. 1. e6b07da2780 (Makefile: make DC_SHA1 the default, 2017-03-17) 2. 4dcd7732db0 (Makefile: add support for Apple CommonCrypto facility, 2013-05-19) 3. 61067954ce1 (cache.h: eliminate SHA-1 deprecation warnings on Mac OS X, 2013-05-19) 4. 1ad5c3df35a (ci: use DC_SHA1=YesPlease on osx-clang job for CI, 2022-10-20) Signed-off-by: Ævar Arnfjörð Bjarmason Signed-off-by: Junio C Hamano --- ci/lib.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'ci/lib.sh') diff --git a/ci/lib.sh b/ci/lib.sh index 706e3ba7e9..db7105e8a8 100755 --- a/ci/lib.sh +++ b/ci/lib.sh @@ -258,8 +258,7 @@ macos-*) MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=$(which python3)" else MAKEFLAGS="$MAKEFLAGS PYTHON_PATH=$(which python2)" - MAKEFLAGS="$MAKEFLAGS NO_APPLE_COMMON_CRYPTO=NoThanks" - MAKEFLAGS="$MAKEFLAGS NO_OPENSSL=NoThanks" + MAKEFLAGS="$MAKEFLAGS APPLE_COMMON_CRYPTO_SHA1=Yes" fi ;; esac -- cgit v1.3
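Review bot: the added `MAKEFLAGS="$MAKEFLAGS APPLE_COMMON_CRYPTO_SHA1=Yes"` line in the `else` branch of the `macos-*)` case carries no comment saying that it opts this job out of the collision-detecting SHA-1 default the commit message introduces. Going by the message, reference [4] set this recipe up to build with DC_SHA1, and the two removed lines (`NO_APPLE_COMMON_CRYPTO=NoThanks`, `NO_OPENSSL=NoThanks`) appear to have been how it got there. The branch therefore flips from covering the sha1collisiondetection backend to covering Apple's CommonCrypto SHA-1, and a reader could take the new flag for a hardening setting. I would add a one-line comment above it stating that this job deliberately builds the non-default CommonCrypto SHA-1 backend, and that the `if` branch, which sets no SHA-1 flag in the visible lines, is the one that picks up the new default. Since this view is limited to `ci/lib.sh`, it is also worth confirming against the Makefile part of the commit that leaving `APPLE_COMMON_CRYPTO_SHA1` unset really selects sha1collisiondetection on macOS, because that is now the only thing keeping a CI job on the protected backend.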