JAVA-6187 Upgrade libcrypt version to 1.18.1#1983
Conversation
strogiyotec
requested review from
Copilot,
rozza and
vbabanin
and removed request for
rozza
There was a problem hiding this comment.
Pull request overview
Updates the mongodb-crypt module’s bundled libmongocrypt native library download process to use libmongocrypt’s 1.18.1 GitHub release assets (instead of S3) and adds GPG signature verification of the downloaded tarballs.
Changes:
- Bump libmongocrypt download revision to
1.18.1and switch download base URL to GitHub releases. - Download per-platform tarballs (+
.ascsignatures) and extract only the needed native library into the JNA resources directory. - Add a Gradle task that verifies tarball signatures via
gpg, with an opt-out via-PskipCryptVerify=true.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
rozza
left a comment
rozza
left a comment
There was a problem hiding this comment.
Like this. Couple of optional suggestions.
You may want to change the task names downloadJava no longer makes sense as it used to be the java tarball. For example: downloadCryptLibs, verifyCryptLibs and extractCryptLibs make more sense now than downloadJava, verifyJava and unzipJava.
One gripe from the existing implementation, you might want to make downloading optional eg:
overwrite(false)
onlyIf { !file("$jnaDownloadsDir/${platform.tarballName}.tar.gz").exists() }
That way it would work without having to check if modified and offline. Also we can bypass this all if jnaLibsPath is set.
- Add key fingerprint validation after import to detect key substitution
- Add verification stamp output file for proper Gradle up-to-date checks
- Remove outputs.upToDateWhen { false } (inputs already track changes)
- Use --no-autostart to prevent gpg-agent launch; remove kill cleanup
- Surface GPG stderr in exception message on verification failure
- Switch extractCryptLibs from Copy to Sync (handles stale files)
- Fix processResources: dependsOn instead of mustRunAfter
- Fix missing path separator in jnaLibsPath construction
- Suppress noisy gpg/download output; use logger.lifecycle
- Add tasks.clean rule for rootProject build/jnaLibs directory
- Remove dead onlyIfModified(true) (no effect with overwrite=false)
JAVA-6187
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
Looks good overall. @rozza, I like this update to tighten the verification. Just one comment: #1983 (comment) LGTM after that. |
JAVA-6187
Upgrading libcrypt version to 1.18.1
Also the artifact location got changed from s3 to github
Risks
This PR assumes there is
gpginstalled that might not be a case in WindowsResolution of risks
There is a new flag
-PskipCryptVerify=truethat will skipgpgverificationWarnings (not applicable, I passed --quite as suggested by Ross)
If you run
./gradlew :mongodb-crypt:downloadJnaLiblocally it will give a few warningsThe reason is because gpg doesn't know if the key is trusted as we arbitrary downloaded it
Running the same command using shell will give the same output
