Mesa (staging/21.0): CI: Try really hard to get updated Windows TLS certs

[GitLab Mirror]

Module: Mesa
Branch: staging/21.0
Commit: 377739771eeb54fdeb1a0f4904a982c0ae608fd2
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=377739771eeb54fdeb1a0f4904a982c0ae608fd2

Author: Daniel Stone <daniels at collabora.com>
Date:   Mon Mar 15 20:41:30 2021 +0000

CI: Try really hard to get updated Windows TLS certs

Windows doesn't actually distribute a full TLS CA certificate store, but
pulls them in over time with Windows Update. Try to prime it by manually
pulling the certificates and installing them.

This bumps the Windows tag to force a rebuild.

Acked-by: Michel Dänzer <mdaenzer at redhat.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/9618>
(cherry picked from commit e6aacec9e101d6ce91513cb4cdf3361748d0f48e)

---

 .gitlab-ci.yml                   |  2 +-
 .gitlab-ci/windows/mesa_deps.ps1 | 13 ++++++++++++-
 .pick_status.json                |  4 ++--
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a1b5b124b6d..0702b5599c1 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -445,7 +445,7 @@ armhf_test:
 
 .windows-docker-vs2019:
   variables:
-    WINDOWS_TAG: "2020-12-02"
+    WINDOWS_TAG: "2021-03-15-tls"
     WINDOWS_IMAGE: "$CI_REGISTRY_IMAGE/windows/x64_build:${WINDOWS_TAG}-${MESA_TEMPLATES_COMMIT}"
     WINDOWS_UPSTREAM_IMAGE: "$CI_REGISTRY/$FDO_UPSTREAM_REPO/windows/x64_build:${WINDOWS_TAG}-${MESA_TEMPLATES_COMMIT}"
 
diff --git a/.gitlab-ci/windows/mesa_deps.ps1 b/.gitlab-ci/windows/mesa_deps.ps1
index 549cc91b573..464643bf864 100644
--- a/.gitlab-ci/windows/mesa_deps.ps1
+++ b/.gitlab-ci/windows/mesa_deps.ps1
@@ -1,3 +1,14 @@
+# Download new TLS certs from Windows Update
+Get-Date
+Write-Host "Updating TLS certificate store"
+$certdir = (New-Item -ItemType Directory -Name "_tlscerts")
+certutil -syncwithWU "$certdir"
+Foreach ($file in (Get-ChildItem -Path "$certdir\*" -Include "*.crt")) {
+  Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root
+}
+Remove-Item -Recurse -Path $certdir
+
+
 Get-Date
 Write-Host "Installing Chocolatey"
 Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
@@ -41,7 +52,7 @@ if (!$?) {
 
 # we want more secure TLS 1.2 for most things, but it breaks SourceForge
 # downloads so must be done after Chocolatey use
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13;
 
 # VS16.x is 2019
 $msvc_2019_url = 'https://aka.ms/vs/16/release/vs_buildtools.exe'
diff --git a/.pick_status.json b/.pick_status.json
index 995c24d254d..28dccd20957 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -2119,7 +2119,7 @@
         "description": "CI: Try really hard to get updated Windows TLS certs",
         "nominated": false,
         "nomination_type": null,
-        "resolution": 4,
+        "resolution": 1,
         "master_sha": null,
         "because_sha": null
     },
@@ -29951,4 +29951,4 @@
         "master_sha": null,
         "because_sha": null
     }
-]
\ No newline at end of file
+]