GHA/macos: enable HTTPS tests with stunnel

- Install stunnel.

- Regenerate certificates (as SecureTransport requires a validity period
  less than 398 days).

- Restart server if it is unresponsive.

- Do not hardcode the SHA-256 base64 public pinned key.

- Ignore test 313 as SecureTransport does not support crl file.

- Ignore tests 1631 and 1632 as SecureTransport is not yet able to shut
  down FTP over HTTPS gracefully.

- Add a CMake target for generating certificates.

Closes #14486
Aki 2024-08-07 22:57:43 +08:00 committed by Viktor Szakats
parent 7c0b6eb3bd
commit fa461b4eff
No known key found for this signature in database
GPG key ID: B5ABD165E2AEF201
13 changed files with 262 additions and 133 deletions


@ -152,7 +152,7 @@ jobs:
# while running the tests, for example
# https://github.com/curl/curl/runs/4095721123?check_suite_focus=true
run: |
echo libtool autoconf automake pkg-config libpsl libssh2 nghttp2 openssl ${{ matrix.install }} | xargs -Ix -n1 echo brew '"x"' > /tmp/Brewfile
echo libtool autoconf automake pkg-config libpsl libssh2 nghttp2 openssl stunnel ${{ matrix.install }} | xargs -Ix -n1 echo brew '"x"' > /tmp/Brewfile
while [[ $? == 0 ]]; do for i in 1 2 3; do brew update && brew bundle install --no-lock --file /tmp/Brewfile && break 2 || { echo Error: wait to try again; sleep 10; } done; false Too many retries; done
- name: 'brew unlink openssl'
@ -234,6 +234,12 @@ jobs:
echo '::group::raw'; cat bld/lib/curl_config.h || true; echo '::endgroup::'
cat bld/lib/curl_config.h | grep -F '#define' | sort || true
- name: 'build-cert'
if: contains(matrix.configure, '--with-secure-transport')
run: |
make -C bld/tests/certs clean-certs
make -C bld/tests/certs build-certs -j1
- name: 'make'
run: make -C bld V=1
@ -259,6 +265,10 @@ jobs:
TFLAGS+=' ~2402 ~2404' # non-SecureTransport + nghttp2
fi
fi
if [[ '${{ matrix.configure }}' = *'--with-secure-transport'* ]]; then
TFLAGS+=' ~313' # SecureTransport does not support crl file
TFLAGS+=' ~1631 ~1632' # SecureTransport is not able to shutdown ftp over https gracefully yet
fi
rm -f $HOME/.curlrc
make -C bld V=1 test-ci
@ -303,7 +313,7 @@ jobs:
steps:
- name: 'brew install'
run: |
echo libtool autoconf automake pkg-config libpsl libssh2 nghttp2 openssl ${{ matrix.build.install }} | xargs -Ix -n1 echo brew '"x"' > /tmp/Brewfile
echo libtool autoconf automake pkg-config libpsl libssh2 nghttp2 openssl stunnel ${{ matrix.build.install }} | xargs -Ix -n1 echo brew '"x"' > /tmp/Brewfile
while [[ $? == 0 ]]; do for i in 1 2 3; do brew update && brew bundle install --no-lock --file /tmp/Brewfile && break 2 || { echo Error: wait to try again; sleep 10; } done; false Too many retries; done
- name: 'brew unlink openssl'
@ -358,6 +368,12 @@ jobs:
echo '::group::raw'; cat bld/lib/curl_config.h || true; echo '::endgroup::'
cat bld/lib/curl_config.h | grep -F '#define' | sort || true
- name: 'build-cert'
if: contains(matrix.build.generate, '-DCURL_USE_SECTRANSP=ON')
run: |
make -C bld/tests/certs clean-certs
make -C bld/tests/certs build-certs -j1
- name: 'cmake build'
run: make -C bld VERBOSE=1
@ -380,6 +396,10 @@ jobs:
TFLAGS+=' ~2402 ~2404' # non-SecureTransport + nghttp2
fi
fi
if [[ '${{ matrix.build.generate }}' = *'-DCURL_USE_SECTRANSP=ON'* ]]; then
TFLAGS+=' ~313' # SecureTransport does not support crl file
TFLAGS+=' ~1631 ~1632' # SecureTransport is not able to shutdown ftp over https gracefully yet
fi
rm -f $HOME/.curlrc
make -C bld test-ci
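Review bot: The new `if [[ '${{ matrix.configure }}' = *'--with-secure-transport'* ]]; then` test, and its twin on `matrix.build.generate` in the CMake job, paste the expression into the script text before bash parses it, so a value containing a single quote would alter the script instead of being compared. The matrix values appear to be defined in this workflow, so this is hardening and not an input problem today. Passing the value through the step environment keeps it as data: `env: MATRIX_CONFIGURE: '${{ matrix.configure }}'` with `if [[ "${MATRIX_CONFIGURE}" = *'--with-secure-transport'* ]]; then`. The enclosing step's `run:` and any `env:` header start outside these hunks, so check the existing layout before applying. It would also help to put the tracking issue next to the `~313` and `~1631 ~1632` comments, so that these ignored TLS results get revisited once the backend behaviour changes.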