Use WineHQ stable instead of Ubuntu wine64 for FIPS cross-build

justsmth · justsmth · commit 9359a4376113 · 2026-03-25T19:31:26.000Z
Ubuntu 24.04's wine64 package (Wine 9.0) does not properly execute
.CRT$XCU initializers in DLLs built with clang-cl/lld-link. This
prevents the FIPS power-on self-test from running during the
capture_hash build step, which is a correctness issue — the FIPS
module's integrity guarantee depends on that test executing at load
time.

WineHQ stable (Wine 11.0+) handles .CRT$XCU initializers correctly.
Install it from dl.winehq.org instead of the Ubuntu repos.
diff --git a/.github/workflows/aws-lc-rs.yml b/.github/workflows/aws-lc-rs.yml
@@ -279,11 +279,25 @@ jobs:
           WINEDEBUG: "-all"
           DISPLAY: ""
         run: |
+          set -ex
           # Wine binfmt allows the kernel to transparently run .exe files through
           # Wine. This is needed for the FIPS build, which runs fips_empty_main.exe
           # at build time to capture the integrity hash.
-          sudo apt-get install --assume-yes --no-install-recommends wine64 binfmt-support wine-binfmt
-          sudo update-binfmts --enable wine
+          #
+          # Ubuntu 24.04's wine64 (9.0) does not properly execute .CRT$XCU
+          # initializers in cross-compiled DLLs, which prevents the FIPS
+          # power-on self-test from running. WineHQ stable (11.0+) handles
+          # this correctly.
+          sudo dpkg --add-architecture i386
+          sudo mkdir -pm755 /etc/apt/keyrings
+          sudo wget -O /etc/apt/keyrings/winehq-archive.key https://dl.winehq.org/wine-builds/winehq.key
+          sudo wget -NP /etc/apt/sources.list.d/ https://dl.winehq.org/wine-builds/ubuntu/dists/noble/winehq-noble.sources
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
+          sudo apt-get install --assume-yes --install-recommends winehq-stable binfmt-support
+          # Register Wine as the interpreter for Windows PE executables
+          if [ ! -f /proc/sys/fs/binfmt_misc/wine ]; then
+            echo ':wine:M::MZ::/usr/bin/wine:' | sudo tee /proc/sys/fs/binfmt_misc/register
+          fi
           wineboot --init
       - name: Build
         working-directory: ./aws-lc-rs
