Make building runtime easier on RHEL

[vcsjones]

If you follow our workflow instructions on RedHat EL 9 or 10, the build is not going to work. It will fail with something like:

/home/vcsjones/.nuget/packages/microsoft.net.compilers.toolset/5.3.0-1.25619.109/tasks/netcore/Microsoft.CSharp.Core.targets(84,5): \ 
error : Unhandled exception. Interop+Crypto+OpenSslCryptographicException: error:03000098:digital envelope routines::invalid digest [/home/vcsjones/Projects/runtime/src/libraries/System.Private.CoreLib/gen/System.Private.CoreLib.Generators.csproj]

This is because RedHat, and some similar flavors like CentOS Stream disable RSA+SHA-1 digital signature algorithms in their OpenSSL. This algorithm is required for Strong Name signing assemblies.

This can be worked around by passing in FullAssemblySigningSupported=false as a build property, like so:

./build.sh -rc release -s clr+libs /p:FullAssemblySigningSupported=false

But this has a number of drawbacks.

1. This is not documented anywhere in this repository.
2. It needs to be supplied to every-single invocation of dotnet build. Practically that means adding /p:FullAssemblySigningSupported=false everywhere.

I think we can improve this, with some possible options being:

1. At least document FullAssemblySigningSupported is required on certain Linux distributions.
2. Automatically set FullAssemblySigningSupported=false on Linux distributions that require it for local dev environments. I believe we do that for source builds.

Regardless, it seems unfortunate that the runtime build fails in an inscrutable way on RedHat / CentOS. Fedora might be affected as well.

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/runtime-infrastructure
See info in area-owners.md if you want to be subscribed.

[MihuBot]

I'm a bot. Here is a possible related and/or duplicate issue (I may be wrong):

• OpenSslCryptographicException: error:03000098:digital envelope routines::invalid digest on CentOS Stream 9 #65874

[jkotas]

It needs to be supplied to every-single invocation of dotnet build

You can set FullAssemblySigningSupported in the environment and then you do not need to worry about it.

Automatically set FullAssemblySigningSupported=false on Linux distributions that require it for local dev environments.

I think we can go even further and disable full signing by default, on non-Windows at least. Full signing is really only needed (and possible) in Microsoft official builds.

[aw0lid]

I'm working on this. I will implement the change to disable full signing by default on non-Windows platforms, as suggested by @jkotas