CI: Try really hard to get updated Windows TLS certs
author Daniel Stone <daniels@collabora.com>
Mon, 15 Mar 2021 20:41:30 +0000 (20:41 +0000)
committer Daniel Stone <daniels@collabora.com>
Tue, 16 Mar 2021 11:07:02 +0000 (11:07 +0000)
Windows doesn't actually distribute a full TLS CA certificate store, but
pulls them in over time with Windows Update. Try to prime it by manually
pulling the certificates and installing them.

This bumps the Windows tag to force a rebuild.

Acked-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/9618>

.gitlab-ci.yml
.gitlab-ci/windows/mesa_deps.ps1

index f7e9099..674f701 100644 (file)
@@ -505,7 +505,7 @@ armhf_test:
     - .set-image
   variables:
     MESA_IMAGE_PATH: "windows/x64_build"
-    MESA_IMAGE_TAG: "2021-03-01"
+    MESA_IMAGE_TAG: "2021-03-15-tls"
     MESA_UPSTREAM_IMAGE: "$CI_REGISTRY/$FDO_UPSTREAM_REPO/$MESA_IMAGE_PATH:${MESA_IMAGE_TAG}--${MESA_TEMPLATES_COMMIT}"
 
 windows_build_vs2019:
index 13da8c7..0e2bc60 100644 (file)
@@ -1,3 +1,14 @@
+# Download new TLS certs from Windows Update
+Get-Date
+Write-Host "Updating TLS certificate store"
+$certdir = (New-Item -ItemType Directory -Name "_tlscerts")
+certutil -syncwithWU "$certdir"
+Foreach ($file in (Get-ChildItem -Path "$certdir\*" -Include "*.crt")) {
+  Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root
+}
+Remove-Item -Recurse -Path $certdir
+
+
 Get-Date
 Write-Host "Installing Chocolatey"
 Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
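Review bot: Nothing in the added block checks that `certutil -syncwithWU "$certdir"` succeeded, so a failed download leaves the directory empty, the Foreach loop imports nothing, and the image is built with the same incomplete root store this change is meant to fix. Test `$LASTEXITCODE` (or `$?`, as the script already does further down with `if (!$?) {`) directly after the certutil call and exit non-zero, and consider failing when no `*.crt` files are found. `New-Item -ItemType Directory -Name "_tlscerts"` also creates the directory relative to the current location and errors if it already exists, so an explicit path would make the step repeatable.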
@@ -41,7 +52,7 @@ if (!$?) {
 
 # we want more secure TLS 1.2 for most things, but it breaks SourceForge
 # downloads so must be done after Chocolatey use
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13;
 
 Get-Date
 Write-Host "Cloning LLVM master"
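Review bot: The comment above the changed line still says "we want more secure TLS 1.2" while the assignment now enables `Tls13` as well; update the comment so it matches the `Tls12 -bor Tls13` value and says why 1.3 was added. It is also worth confirming that `[Net.SecurityProtocolType]::Tls13` is defined in the .NET runtime of the build image, since that enum member only exists in newer framework versions.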