Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Bump OpenSSL to 3.0, Move OpenSSL package generation to Github Actions #2026

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
zawata merged 10 commits into from
Nov 7, 2025
+106 −57
Merged

Bump OpenSSL to 3.0, Move OpenSSL package generation to Github Actions #2026

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
d8700c9
upgrade to openssl 3.0
zawata Oct 9, 2025
453920a
fix workflow matrix
zawata Oct 16, 2025
a83b098
woops
zawata Oct 16, 2025
4c6a8a6
downgrade runners for now
zawata Oct 16, 2025
f5e8380
force build openssl package
zawata Oct 16, 2025
fc1aecf
set macos deployment target
zawata Oct 24, 2025
1689cb8
update macos runner images
zawata Nov 6, 2025
d51bb6f
disable ui on macos
zawata Nov 6, 2025
bfffac9
update visual studio version selection
zawata Oct 24, 2025
424cad3
fix upload
zawata Nov 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 25 additions & 5 deletions 30 .github/workflows/build-openssl-packages.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,15 @@ jobs:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [macos-13, windows-2022]
arch: [x64, arm64]
include:
- os: windows-latest
arch: x64
# - os: windows-latest
# arch: arm64
- os: macos-15
arch: x64
- os: macos-15-intel
arch: arm64
fail-fast: false

steps:
Expand All @@ -21,17 +28,30 @@ jobs:
uses: actions/setup-node@v4
with:
node-version: 22
architecture: ${{ matrix.arch }}

- name: Install Toolchain
if: matrix.os == 'windows-latest' && matrix.arch == 'arm64'
uses: msys2/setup-msys2@v2
with:
update: true
install: >
mingw-w64-aarch64-toolchain
mingw-w64-aarch64-cmake
mingw-w64-aarch64-ninja

- name: Install dependencies
run: npm install

- name: Build OpenSSL packages
run: node utils/acquireOpenSSL.js
env:
TARGET_ARCH: ${{ matrix.arch }}
NODEGIT_OPENSSL_BUILD_PACKAGE: 1
OPENSSL_MACOS_DEPLOYMENT_TARGET: "11.0"
run: node utils/acquireOpenSSL.mjs

- name: Push OpenSSL package to S3
env:
node_pre_gyp_bucket: ${{ secrets.node_pre_gyp_bucket }}
AWS_ACCESS_KEY_ID: ${{ secrets.node_pre_gyp_accessKeyId }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.node_pre_gyp_secretAccessKey }}
run: node utils/uploadOpenSSL.js
run: node utils/uploadOpenSSL.mjs
5 changes: 2 additions & 3 deletions 5 generate/templates/templates/binding.gyp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -160,9 +160,8 @@
"<(electron_openssl_root)/include"
],
"libraries": [
# this order is significant on centos7 apparently...
"<(electron_openssl_root)/lib/libssl.a",
"<(electron_openssl_root)/lib/libcrypto.a"
"<(electron_openssl_root)/lib64/libssl.a",
"<(electron_openssl_root)/lib64/libcrypto.a"
]
}],
["<(is_electron) == 1 and <(electron_openssl_static) != 1", {
Expand Down
88 changes: 70 additions & 18 deletions 88 utils/acquireOpenSSL.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,13 @@ import tar from "tar-fs";
import zlib from "zlib";
import { createWriteStream, promises as fs } from "fs";
import { performance } from "perf_hooks";
import { fileURLToPath } from 'url';
import { promisify } from "util";

const pipeline = promisify(stream.pipeline);

import packageJson from '../package.json' with { type: "json" };

const OPENSSL_VERSION = "1.1.1t";
const OPENSSL_VERSION = "3.0.18";
const win32BatPath = path.join(import.meta.dirname, "build-openssl.bat");
const vendorPath = path.resolve(import.meta.dirname, "..", "vendor");
const opensslPatchPath = path.join(vendorPath, "patches", "openssl");
Expand Down Expand Up @@ -56,6 +55,8 @@ const makeHashVerifyOnFinal = (expected) => (digest) => {
// currently this only needs to be done on linux
const applyOpenSSLPatches = async (buildCwd, operatingSystem) => {
try {
await fs.access(opensslPatchPath);

for (const patchFilename of await fs.readdir(opensslPatchPath)) {
const patchTarget = patchFilename.split("-")[1];
if (patchFilename.split(".").pop() === "patch" && (patchTarget === operatingSystem || patchTarget === "all")) {
Expand All @@ -66,6 +67,11 @@ const applyOpenSSLPatches = async (buildCwd, operatingSystem) => {
}
}
} catch(e) {
if (e.code === "ENOENT") {
// no patches to apply
return;
}

console.log("Patch application failed: ", e);
throw e;
}
Expand All @@ -86,6 +92,8 @@ const buildDarwin = async (buildCwd, macOsDeploymentTarget) => {
"no-ssl2",
"no-ssl3",
"no-comp",
// disable tty ui since it fails a bunch of tests on GHA runners and we're just gonna link anyways
"no-ui-console",
// set install directory
`--prefix="${extractPath}"`,
`--openssldir="${extractPath}"`,
Expand Down Expand Up @@ -121,7 +129,7 @@ const buildLinux = async (buildCwd) => {
// dependency on the system libssl/libcrypto which causes symbol conflicts and segfaults.
// To fix this we need to hide all the openssl symbols to prevent them from being overridden
// by the runtime linker.
"-fvisibility=hidden",
// "-fvisibility=hidden",
// compile static libraries
"no-shared",
// disable ssl2, ssl3, and compression
Expand Down Expand Up @@ -159,18 +167,60 @@ const buildWin32 = async (buildCwd, vsBuildArch) => {
throw new Error("Expected vsBuildArch to be specified");
}

const programFilesPath = (process.arch === "x64"
? process.env["ProgramFiles(x86)"]
: process.env.ProgramFiles) || "C:\\Program Files";
const vcvarsallPath = process.env.npm_config_vcvarsall_path || `${
programFilesPath
}\\Microsoft Visual Studio\\2017\\BuildTools\\VC\\Auxiliary\\Build\\vcvarsall.bat`;
try {
await fs.stat(vcvarsallPath);
} catch {
throw new Error(`vcvarsall.bat not found at ${vcvarsallPath}`);
const exists = (filePath) => fs.stat(filePath).then(() => true).catch(() => false);

let vcvarsallPath = undefined;

if (process.env.npm_config_vcvarsall_path && await exists(process.env.npm_config_vcvarsall_path)) {
vcvarsallPath = process.env.npm_config_vcvarsall_path;
} else {
const potentialMsvsPaths = [];

// GYP_MSVS_OVERRIDE_PATH is set by node-gyp so this should cover most cases
if (process.env.GYP_MSVS_OVERRIDE_PATH) {
potentialMsvsPaths.push(process.env.GYP_MSVS_OVERRIDE_PATH);
}

const packageTypes = ["BuildTools", "Community", "Professional", "Enterprise"];
const versions = ["2022", "2019"]

const computePossiblePaths = (parentPath) => {
let possiblePaths = []
for (const packageType of packageTypes) {
for (const version of versions) {
possiblePaths.push(path.join(parentPath, version, packageType));
}
}

return possiblePaths;
}

if (process.env["ProgramFiles(x86)"]) {
const parentPath = path.join(process.env["ProgramFiles(x86)"], 'Microsoft Visual Studio');
potentialMsvsPaths.push(...computePossiblePaths(parentPath));
}

if (process.env.ProgramFiles) {
const parentPath = path.join(process.env.ProgramFiles, 'Microsoft Visual Studio');
potentialMsvsPaths.push(...computePossiblePaths(parentPath));
}

for (const potentialPath of potentialMsvsPaths) {
const wholePath = path.join(potentialPath, 'VC', 'Auxiliary', 'Build', 'vcvarsall.bat');
console.log("checking", wholePath);
if (await exists(wholePath)) {
vcvarsallPath = wholePath;
break;
}
}

if (!vcvarsallPath) {
throw new Error(`vcvarsall.bat not found`);
}
}

console.log('using', vcvarsallPath);

let vcTarget;
switch (vsBuildArch) {
case "x64": {
Expand Down Expand Up @@ -259,7 +309,7 @@ const buildOpenSSLIfNecessary = async ({
const openSSLUrl = getOpenSSLSourceUrl(openSSLVersion);
const openSSLSha256Url = getOpenSSLSourceSha256Url(openSSLVersion);

const openSSLSha256 = (await got(openSSLSha256Url)).body.trim();
const openSSLSha256 = (await got(openSSLSha256Url)).body.trim().split(' ')[0];

const downloadStream = got.stream(openSSLUrl);
downloadStream.on("downloadProgress", makeOnStreamDownloadProgress());
Expand Down Expand Up @@ -332,7 +382,7 @@ const downloadOpenSSLIfNecessary = async ({
console.log("Download finished.");
}

const getOpenSSLPackageName = () => {
export const getOpenSSLPackageName = () => {
let arch = process.arch;
if (process.platform === "win32" && (
process.arch === "ia32" || process.env.NODEGIT_VS_BUILD_ARCH === "x86"
Expand All @@ -343,6 +393,8 @@ const getOpenSSLPackageName = () => {
return `openssl-${OPENSSL_VERSION}-${process.platform}-${arch}.tar.gz`;
}

export const getOpenSSLPackagePath = () => path.join(import.meta.dirname, getOpenSSLPackageName());

const getOpenSSLPackageUrl = () => `${packageJson.binary.host}${getOpenSSLPackageName()}`;

const buildPackage = async () => {
Expand All @@ -366,7 +418,7 @@ const buildPackage = async () => {
new HashVerify("sha256", (digest) => {
resolve(digest);
}),
createWriteStream(getOpenSSLPackageName())
createWriteStream(getOpenSSLPackagePath())
);
const digest = await promise;
await fs.writeFile(`${getOpenSSLPackageName()}.sha256`, digest);
Expand All @@ -392,7 +444,7 @@ const acquireOpenSSL = async () => {

let macOsDeploymentTarget;
if (process.platform === "darwin") {
macOsDeploymentTarget = process.argv[2];
macOsDeploymentTarget = process.argv[2] ?? process.env.OPENSSL_MACOS_DEPLOYMENT_TARGET
if (!macOsDeploymentTarget || !macOsDeploymentTarget.match(/\d+\.\d+/)) {
throw new Error(`Invalid macOsDeploymentTarget: ${macOsDeploymentTarget}`);
}
Expand Down Expand Up @@ -427,5 +479,5 @@ if (process.argv[1] === import.meta.filename) {
catch(error) {
console.error("Acquire OpenSSL failed: ", error);
process.exit(1);
};
}
}
17 changes: 9 additions & 8 deletions 17 utils/uploadOpenSSL.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,26 +2,27 @@ import aws from 'aws-sdk';
import fs from "fs";
import path from "path";

import pkgJson from './package.json' assert { type: "json" };
import { getOpenSSLPackageName } from './acquireOpenSSL';
import pkgJson from '../package.json' with { type: "json" };
import { getOpenSSLPackagePath, getOpenSSLPackageName } from './acquireOpenSSL.mjs';

const s3 = new aws.S3();

const uploadBinaryToS3 = (binaryName, bucketName, pathToFile) =>
const uploadBinaryToS3 = (fileName, bucketName, pathToFile) =>
s3.upload({
Body: fs.createReadStream(pathToFile),
Bucket: bucketName,
Key: binaryName,
Key: fileName,
ACL: "public-read"
}).promise();

export const uploadOpenSSL = async () => {
const binaryName = getOpenSSLPackageName();
const pathToFile = path.join(import.meta.dirname, binaryName);
return uploadBinaryToS3(binaryName, pkgJson.binary.bucket_name, pathToFile);
const packageName = path.basename(getOpenSSLPackageName());
const packagePath = getOpenSSLPackagePath();
console.log(`Uploading ${packagePath} to s3://${pkgJson.binary.bucket_name}/${packageName}`);
return uploadBinaryToS3(packageName, pkgJson.binary.bucket_name, packagePath);
};

if (require.main === module) {
if (process.argv[1] === import.meta.filename) {
uploadOpenSSL().catch((error) => {
console.error('Push to S3 failed: ', error);
process.exit(1);
Expand Down
23 changes: 0 additions & 23 deletions 23 vendor/patches/openssl/001-linux-force_getentropy_dso_lookup.patch
View file
Open in desktop

This file was deleted.

Loading
Morty Proxy This is a proxified and sanitized view of the page, visit original site.