ci: Verify jom/NASM downloads and fall back to upstream on forks

author Dmitry Misharov <dmitry@openssl.org>

Wed, 3 Jun 2026 11:12:36 +0000 (13:12 +0200)

committer Tomas Mraz <tomas@openssl.foundation>

Thu, 11 Jun 2026 16:16:56 +0000 (18:16 +0200)
author Dmitry Misharov <dmitry@openssl.org>
Wed, 3 Jun 2026 11:12:36 +0000 (13:12 +0200)
committer Tomas Mraz <tomas@openssl.foundation>
Thu, 11 Jun 2026 16:16:56 +0000 (18:16 +0200)
diff --git a/.github/ci-deps.json b/.github/ci-deps.json

new file mode 100644 (file)

index 0000000..f075460
--- /dev/null
+++ b/.github/ci-deps.json
@@ -0,0 +1,5 @@
+{
+  "jom-1.1.7.exe": "8435dbf96eb9ee65395d46d04dc3af2ff6b2618aefbc7964eeede9be669e8bd6",
+  "nasm-3.01-installer-x64.exe": "7881e9febc8b6558581041019b7890f109bef0694d93ed82c9589794c7b5a600",
+  "nasm-3.01-installer-x86.exe": "2e3041dd2abe36cb7e9938057c3cf090dd2eac42d3280957359f87c4d83b9ed0"
+}
diff --git a/.github/workflows/os-zoo.yml b/.github/workflows/os-zoo.yml

index 806d5568a54aec355008f25088d90f4b3139dc9b..eff3bff58f72d731bc9a9f4f26edb25c91f78886 100644 (file)
--- a/.github/workflows/os-zoo.yml
+++ b/.github/workflows/os-zoo.yml
@@ -151,13 +151,20 @@ jobs:
        run: git submodule update --init --depth 1 fuzz/corpora
      - name: install nasm
        run: |
-        Invoke-WebRequest -Uri "https://openssl-library.org/nasm-3.01-installer-x64.exe" -OutFile nasm-installer.exe
-        Start-Process -FilePath .\nasm-installer.exe -ArgumentList '/S' -Wait
+        $installer = "nasm-3.01-installer-x64.exe"
+        Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/$installer" -OutFile $installer
+        $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).$installer
+        $actual = (Get-FileHash $installer -Algorithm SHA256).Hash
+        if ($actual -ne $expected) { throw "SHA256 mismatch for $installer (expected $expected, got $actual)" }
+        Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait
          "C:\Program Files\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
      - name: install jom
        run: |
          mkdir C:\jom
-        Invoke-WebRequest -Uri "https://openssl-library.org/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+        Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+        $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).'jom-1.1.7.exe'
+        $actual = (Get-FileHash C:\jom\jom.exe -Algorithm SHA256).Hash
+        if ($actual -ne $expected) { throw "SHA256 mismatch for jom.exe (expected $expected, got $actual)" }
          "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
      - name: prepare the build directory
        run: mkdir _build
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml

index 68f9bfdd6b07e17c3744a61ad185453ea7e73573..22222e609a374f2dfc02645ee144f449d095453f 100644 (file)
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -38,14 +38,37 @@ jobs:
      - name: checkout fuzz/corpora submodule
        run: git submodule update --init --depth 1 fuzz/corpora
      - name: install nasm
+      if: github.repository == 'openssl/openssl'
        run: |
-        Invoke-WebRequest -Uri "https://openssl-library.org/nasm-3.01-installer-${{ matrix.platform.arch == 'x86' && 'x86' || 'x64' }}.exe" -OutFile nasm-installer.exe
-        Start-Process -FilePath .\nasm-installer.exe -ArgumentList '/S' -Wait
+        $installer = "nasm-3.01-installer-${{ matrix.platform.arch == 'x86' && 'x86' || 'x64' }}.exe"
+        Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/$installer" -OutFile $installer
+        $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).$installer
+        $actual = (Get-FileHash $installer -Algorithm SHA256).Hash
+        if ($actual -ne $expected) { throw "SHA256 mismatch for $installer (expected $expected, got $actual)" }
+        Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait
+        "C:\Program Files${{ matrix.platform.arch == 'x86' && ' (x86)' || '' }}\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+    - name: install nasm (forks)
+      if: github.repository != 'openssl/openssl'
+      run: |
+        $installer = "nasm-3.01-installer-${{ matrix.platform.arch == 'x86' && 'x86' || 'x64' }}.exe"
+        Invoke-WebRequest -Uri "https://www.nasm.us/pub/nasm/releasebuilds/3.01/win${{ matrix.platform.arch == 'x86' && '32' || '64' }}/$installer" -OutFile $installer
+        Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait
          "C:\Program Files${{ matrix.platform.arch == 'x86' && ' (x86)' || '' }}\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
      - name: install jom
+      if: github.repository == 'openssl/openssl'
+      run: |
+        mkdir C:\jom
+        Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+        $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).'jom-1.1.7.exe'
+        $actual = (Get-FileHash C:\jom\jom.exe -Algorithm SHA256).Hash
+        if ($actual -ne $expected) { throw "SHA256 mismatch for jom.exe (expected $expected, got $actual)" }
+        "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+    - name: install jom (forks)
+      if: github.repository != 'openssl/openssl'
        run: |
          mkdir C:\jom
-        Invoke-WebRequest -Uri "https://openssl-library.org/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+        Invoke-WebRequest -Uri "https://download.qt.io/official_releases/jom/jom_1_1_7.zip" -OutFile C:\jom\jom.zip
+        Expand-Archive -Path C:\jom\jom.zip -DestinationPath C:\jom
          "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
      - name: prepare the build directory
        run: mkdir _build
@@ -121,9 +144,20 @@ jobs:
      - name: prepare the build directory
        run: mkdir _build
      - name: install jom
+      if: github.repository == 'openssl/openssl'
        run: |
          mkdir C:\jom
-        Invoke-WebRequest -Uri "https://openssl-library.org/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+        Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+        $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).'jom-1.1.7.exe'
+        $actual = (Get-FileHash C:\jom\jom.exe -Algorithm SHA256).Hash
+        if ($actual -ne $expected) { throw "SHA256 mismatch for jom.exe (expected $expected, got $actual)" }
+        "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+    - name: install jom (forks)
+      if: github.repository != 'openssl/openssl'
+      run: |
+        mkdir C:\jom
+        Invoke-WebRequest -Uri "https://download.qt.io/official_releases/jom/jom_1_1_7.zip" -OutFile C:\jom\jom.zip
+        Expand-Archive -Path C:\jom\jom.zip -DestinationPath C:\jom
          "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
      - name: config
        working-directory: _build
@@ -167,9 +201,20 @@ jobs:
      - name: prepare the build directory
        run: mkdir _build
      - name: install jom
+      if: github.repository == 'openssl/openssl'
+      run: |
+        mkdir C:\jom
+        Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+        $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).'jom-1.1.7.exe'
+        $actual = (Get-FileHash C:\jom\jom.exe -Algorithm SHA256).Hash
+        if ($actual -ne $expected) { throw "SHA256 mismatch for jom.exe (expected $expected, got $actual)" }
+        "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+    - name: install jom (forks)
+      if: github.repository != 'openssl/openssl'
        run: |
          mkdir C:\jom
-        Invoke-WebRequest -Uri "https://openssl-library.org/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+        Invoke-WebRequest -Uri "https://download.qt.io/official_releases/jom/jom_1_1_7.zip" -OutFile C:\jom\jom.zip
+        Expand-Archive -Path C:\jom\jom.zip -DestinationPath C:\jom
          "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
      - name: config
        working-directory: _build
diff --git a/.github/workflows/windows_comp.yml b/.github/workflows/windows_comp.yml

index df852b30e59dbcc4ce5b56fe8543aedf8182073f..f89324e4b1f4526ea9ec29c792119424f581c389 100644 (file)
--- a/.github/workflows/windows_comp.yml
+++ b/.github/workflows/windows_comp.yml
@@ -29,14 +29,37 @@ jobs:
      - name: checkout fuzz/corpora submodule
        run: git submodule update --init --depth 1 fuzz/corpora
      - name: install nasm
+      if: github.repository == 'openssl/openssl'
+      run: |
+        $installer = "nasm-3.01-installer-x64.exe"
+        Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/$installer" -OutFile $installer
+        $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).$installer
+        $actual = (Get-FileHash $installer -Algorithm SHA256).Hash
+        if ($actual -ne $expected) { throw "SHA256 mismatch for $installer (expected $expected, got $actual)" }
+        Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait
+        "C:\Program Files\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+    - name: install nasm (forks)
+      if: github.repository != 'openssl/openssl'
        run: |
-        Invoke-WebRequest -Uri "https://openssl-library.org/nasm-3.01-installer-x64.exe" -OutFile nasm-installer.exe
-        Start-Process -FilePath .\nasm-installer.exe -ArgumentList '/S' -Wait
+        $installer = "nasm-3.01-installer-x64.exe"
+        Invoke-WebRequest -Uri "https://www.nasm.us/pub/nasm/releasebuilds/3.01/win64/$installer" -OutFile $installer
+        Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait
          "C:\Program Files\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
      - name: install jom
+      if: github.repository == 'openssl/openssl'
+      run: |
+        mkdir C:\jom
+        Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+        $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).'jom-1.1.7.exe'
+        $actual = (Get-FileHash C:\jom\jom.exe -Algorithm SHA256).Hash
+        if ($actual -ne $expected) { throw "SHA256 mismatch for jom.exe (expected $expected, got $actual)" }
+        "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+    - name: install jom (forks)
+      if: github.repository != 'openssl/openssl'
        run: |
          mkdir C:\jom
-        Invoke-WebRequest -Uri "https://openssl-library.org/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+        Invoke-WebRequest -Uri "https://download.qt.io/official_releases/jom/jom_1_1_7.zip" -OutFile C:\jom\jom.zip
+        Expand-Archive -Path C:\jom\jom.zip -DestinationPath C:\jom
          "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
      - name: prepare the build directory
        run: mkdir _build
@@ -98,14 +121,37 @@ jobs:
      - name: checkout fuzz/corpora submodule
        run: git submodule update --init --depth 1 fuzz/corpora
      - name: install nasm
+      if: github.repository == 'openssl/openssl'
+      run: |
+        $installer = "nasm-3.01-installer-x64.exe"
+        Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/$installer" -OutFile $installer
+        $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).$installer
+        $actual = (Get-FileHash $installer -Algorithm SHA256).Hash
+        if ($actual -ne $expected) { throw "SHA256 mismatch for $installer (expected $expected, got $actual)" }
+        Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait
+        "C:\Program Files\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+    - name: install nasm (forks)
+      if: github.repository != 'openssl/openssl'
        run: |
-        Invoke-WebRequest -Uri "https://openssl-library.org/nasm-3.01-installer-x64.exe" -OutFile nasm-installer.exe
-        Start-Process -FilePath .\nasm-installer.exe -ArgumentList '/S' -Wait
+        $installer = "nasm-3.01-installer-x64.exe"
+        Invoke-WebRequest -Uri "https://www.nasm.us/pub/nasm/releasebuilds/3.01/win64/$installer" -OutFile $installer
+        Start-Process -FilePath ".\$installer" -ArgumentList '/S' -Wait
          "C:\Program Files\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
      - name: install jom
+      if: github.repository == 'openssl/openssl'
+      run: |
+        mkdir C:\jom
+        Invoke-WebRequest -Uri "https://openssl-library.org/ci-deps/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+        $expected = (Get-Content "$env:GITHUB_WORKSPACE\.github\ci-deps.json" -Raw | ConvertFrom-Json).'jom-1.1.7.exe'
+        $actual = (Get-FileHash C:\jom\jom.exe -Algorithm SHA256).Hash
+        if ($actual -ne $expected) { throw "SHA256 mismatch for jom.exe (expected $expected, got $actual)" }
+        "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
+    - name: install jom (forks)
+      if: github.repository != 'openssl/openssl'
        run: |
          mkdir C:\jom
-        Invoke-WebRequest -Uri "https://openssl-library.org/jom-1.1.7.exe" -OutFile C:\jom\jom.exe
+        Invoke-WebRequest -Uri "https://download.qt.io/official_releases/jom/jom_1_1_7.zip" -OutFile C:\jom\jom.zip
+        Expand-Archive -Path C:\jom\jom.zip -DestinationPath C:\jom
          "C:\jom" | Out-File -FilePath "$env:GITHUB_PATH" -Append
      - name: prepare the build directory
        run: mkdir _build
author	Dmitry Misharov <dmitry@openssl.org>
	Wed, 3 Jun 2026 11:12:36 +0000 (13:12 +0200)
committer	Tomas Mraz <tomas@openssl.foundation>
	Thu, 11 Jun 2026 16:16:56 +0000 (18:16 +0200)
.github/ci-deps.json	[new file with mode: 0644]	patch \| blob
.github/workflows/os-zoo.yml		patch \| blob \| blame \| history
.github/workflows/windows.yml		patch \| blob \| blame \| history
.github/workflows/windows_comp.yml		patch \| blob \| blame \| history