[release/10.0] Backport Replace test certificate chain that uses RSA+SHA-1 #121665
base: release/10.0
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
For what it’s worth this backported cleanly, but the
Pull Request Overview
This PR backports certificate test data updates from the main branch to release/10.0, replacing an RSA+SHA-1 certificate chain (Baltimore CyberTrust Root) with an RSA+SHA-256 certificate chain (DigiCert Global Root G2) to address CI test failures due to increasing SHA-1 rejection in test environments.
- Updates test certificate chain from Baltimore CyberTrust Root to DigiCert Global Root G2
- Adjusts test data including hostnames, verification times, and expected cryptographic values
- Removes platform-specific workarounds no longer needed with the new certificate
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| MatchesHostnameTests.cs | Updates test hostnames to match SANs in new certificate (e.g., www.microsoft.com.au, copilot.ai, yarp.dot.net) |
| AuthorityKeyIdentifierTests.cs | Updates expected authority key identifier hex values to match new certificate chain |
| CollectionTests.cs | Updates verification times from 2021-02-26 to 2025-12-25 to fall within new certificate validity period |
| ChainTests.cs | Updates verification times throughout tests, removes SHA-1 signature support checks, simplifies platform detection logic |
| TestData.cs | Replaces MicrosoftDotComSslCertBytes, MicrosoftDotComIssuerBytes, and MicrosoftDotComRootBytes with new certificate chain data |
@artl93 Test-only change
Backport of #121450 to release/10.0
cc @bartonjs
Customer Impact
These are test only changes. These changes react to more environments in CI rejecting certificate chains that use an RSA+SHA-1 root certificate.
Regression
Testing
Tests that were failing are now passing in CI.
Risk
None, test only changes.
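
The two things this change adjusts, the chain's signature algorithm and the pinned verification time, can be seen in a small added example (not code from this pull request or the repository). It builds a constructed RSA+SHA-256 chain with an assumed validity window of 2025-01-01 to 2026-01-01, validates it at the new and old verification times named above, and reports whether any chain element is signed with RSA+SHA-1; `Report`, the subject names and the serial number are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Constructed chain (root -> leaf), RSA+SHA-256, valid 2025-01-01 to 2026-01-01 (assumed window).
var notBefore = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero);
var notAfter = new DateTimeOffset(2026, 1, 1, 0, 0, 0, TimeSpan.Zero);

using RSA rootKey = RSA.Create(2048);
var rootReq = new CertificateRequest("CN=Constructed Test Root", rootKey,
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
using X509Certificate2 root = rootReq.CreateSelfSigned(notBefore, notAfter);

using RSA leafKey = RSA.Create(2048);
var leafReq = new CertificateRequest("CN=leaf.test.example", leafKey,
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
using X509Certificate2 leaf = leafReq.Create(
    root, notBefore.AddDays(1), notAfter.AddDays(-1), new byte[] { 0x01, 0x02, 0x03, 0x04 });

// The verification time the tests use now, and the one they used with the old chain.
Report("2025-12-25", new DateTime(2025, 12, 25, 0, 0, 0, DateTimeKind.Utc));
Report("2021-02-26", new DateTime(2021, 2, 26, 0, 0, 0, DateTimeKind.Utc));

void Report(string label, DateTime when)
{
    using var chain = new X509Chain();
    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // trust only our root
    chain.ChainPolicy.CustomTrustStore.Add(root);
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;    // no network lookups
    chain.ChainPolicy.VerificationTime = when;                        // pinned, not "now"
    bool ok = chain.Build(leaf);
    Console.WriteLine($"{label}: built={ok}");
    foreach (X509ChainElement e in chain.ChainElements)
    {
        string oid = e.Certificate.SignatureAlgorithm.Value ?? "";
        // 1.2.840.113549.1.1.5 is sha1WithRSAEncryption; 1.3.14.3.2.29 is the legacy OIW variant.
        bool sha1 = oid is "1.2.840.113549.1.1.5" or "1.3.14.3.2.29";
        Console.WriteLine($"  {e.Certificate.Subject} sig={oid} sha1={sha1}");
        foreach (X509ChainStatus s in e.ChainElementStatus)
            Console.WriteLine($"    status: {s.Status}");
    }
}
```

Pointing the same loop at a stored test chain shows which elements would trip an environment that rejects SHA-1, independent of whether the local platform still accepts it.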