update CI to test against go1.19 #3108

Closed
thaJeztah wants to merge 2 commits into moby:master from thaJeztah:bump_go_1.19

@thaJeztah
Member

- Description for the changelog

@thaJeztah
Member Author

FWIW; I saw some failures locally when running some tests. No problems were found in Moby CI, so it could be just a badly written test, or it's a code-path that's not used in Moby.

@thaJeztah thaJeztah force-pushed the bump_go_1.19 branch 2 times, most recently from cf8bd74 to 06da8e6 Compare December 29, 2022 11:41
@thaJeztah
Member Author

Same failure in CI;

--- FAIL: TestRenewTLSConfigUpdatesRootOnUnknownAuthError (0.00s)
    config_test.go:645: 
        	Error Trace:	/home/circleci/.go_workspace/src/github.com/docker/swarmkit/ca/config_test.go:645
        	Error:      	Received unexpected error:
        	            	x509: certificate signed by unknown authority
        	            	error while validating signing CA certificate against roots and intermediates
        	            	github.com/moby/swarmkit/v2/ca.newLocalSigner
        	            		/home/circleci/.go_workspace/src/github.com/docker/swarmkit/ca/certificates.go:632
        	            	github.com/moby/swarmkit/v2/ca.NewRootCA
        	            		/home/circleci/.go_workspace/src/github.com/docker/swarmkit/ca/certificates.go:493
        	            	github.com/moby/swarmkit/v2/ca_test.TestRenewTLSConfigUpdatesRootOnUnknownAuthError
        	            		/home/circleci/.go_workspace/src/github.com/docker/swarmkit/ca/config_test.go:644
        	            	testing.tRunner
        	            		/usr/local/go/src/testing/testing.go:1446
        	            	runtime.goexit
        	            		/usr/local/go/src/runtime/asm_amd64.s:1594
        	Test:       	TestRenewTLSConfigUpdatesRootOnUnknownAuthError

@thaJeztah thaJeztah force-pushed the bump_go_1.19 branch 2 times, most recently from 4f8f3a2 to 385b462 Compare January 12, 2023 13:04
@thaJeztah thaJeztah force-pushed the bump_go_1.19 branch 2 times, most recently from f6a06c4 to bca837b Compare July 29, 2023 07:55
@thaJeztah
Member Author

--- FAIL: TestRenewTLSConfigUpdatesRootOnUnknownAuthError (0.01s)
    config_test.go:655: CA0 :
    config_test.go:656: &{Raw:[] RawTBSCertificate:[] RawSubjectPublicKeyInfo:[] RawSubject:[] RawIssuer:[] Signature:[] SignatureAlgorithm:ECDSA-SHA256 PublicKeyAlgorithm:ECDSA PublicKey:0xc000726ba0 Version:3 SerialNumber:+722639006653195417041125068417418380177491413834 Issuer:CN=CA0 Subject:CN=CA0 NotBefore:2023-07-29 07:55:00 +0000 UTC NotAfter:2043-07-24 07:55:00 +0000 UTC KeyUsage:96 Extensions:[{Id:2.5.29.15 Critical:true Value:[3 2 1 6]} {Id:2.5.29.19 Critical:true Value:[48 3 1 1 255]} {Id:2.5.29.14 Critical:false Value:[4 20 151 74 13 27 152 46 44 214 93 233 91 19 63 138 183 86 83 67 187 191]}] ExtraExtensions:[] UnhandledCriticalExtensions:[] ExtKeyUsage:[] UnknownExtKeyUsage:[] BasicConstraintsValid:true IsCA:true MaxPathLen:-1 MaxPathLenZero:false SubjectKeyId:[151 74 13 27 152 46 44 214 93 233 91 19 63 138 183 86 83 67 187 191] AuthorityKeyId:[] OCSPServer:[] IssuingCertificateURL:[] DNSNames:[] EmailAddresses:[] IPAddresses:[] URIs:[] PermittedDNSDomainsCritical:false PermittedDNSDomains:[] ExcludedDNSDomains:[] PermittedIPRanges:[] ExcludedIPRanges:[] PermittedEmailAddresses:[] ExcludedEmailAddresses:[] PermittedURIDomains:[] ExcludedURIDomains:[] CRLDistributionPoints:[] PolicyIdentifiers:[]}
    config_test.go:655: CA1 :
    config_test.go:656: &{Raw:[] RawTBSCertificate:[] RawSubjectPublicKeyInfo:[] RawSubject:[] RawIssuer:[] Signature:[] SignatureAlgorithm:ECDSA-SHA256 PublicKeyAlgorithm:ECDSA PublicKey:0xc000727a20 Version:3 SerialNumber:+533910788463515367693985148197052179646950745500 Issuer:CN=CA1 Subject:CN=CA1 NotBefore:2023-07-29 07:55:00 +0000 UTC NotAfter:2043-07-24 07:55:00 +0000 UTC KeyUsage:96 Extensions:[{Id:2.5.29.15 Critical:true Value:[3 2 1 6]} {Id:2.5.29.19 Critical:true Value:[48 3 1 1 255]} {Id:2.5.29.14 Critical:false Value:[4 20 14 29 207 212 109 172 170 24 0 156 163 117 9 15 108 10 164 169 201 147]}] ExtraExtensions:[] UnhandledCriticalExtensions:[] ExtKeyUsage:[] UnknownExtKeyUsage:[] BasicConstraintsValid:true IsCA:true MaxPathLen:-1 MaxPathLenZero:false SubjectKeyId:[14 29 207 212 109 172 170 24 0 156 163 117 9 15 108 10 164 169 201 147] AuthorityKeyId:[] OCSPServer:[] IssuingCertificateURL:[] DNSNames:[] EmailAddresses:[] IPAddresses:[] URIs:[] PermittedDNSDomainsCritical:false PermittedDNSDomains:[] ExcludedDNSDomains:[] PermittedIPRanges:[] ExcludedIPRanges:[] PermittedEmailAddresses:[] ExcludedEmailAddresses:[] PermittedURIDomains:[] ExcludedURIDomains:[] CRLDistributionPoints:[] PolicyIdentifiers:[]}
    config_test.go:665: Intermediate1 :
    config_test.go:666: &{Raw:[] RawTBSCertificate:[] RawSubjectPublicKeyInfo:[] RawSubject:[] RawIssuer:[] Signature:[] SignatureAlgorithm:ECDSA-SHA256 PublicKeyAlgorithm:ECDSA PublicKey:0xc000424040 Version:3 SerialNumber:+533910788463515367693985148197052179646950745500 Issuer:CN=CA0 Subject:CN=CA1 NotBefore:2023-07-29 07:55:00 +0000 UTC NotAfter:2043-07-24 07:55:00 +0000 UTC KeyUsage:96 Extensions:[{Id:2.5.29.15 Critical:true Value:[3 2 1 6]} {Id:2.5.29.19 Critical:true Value:[48 3 1 1 255]} {Id:2.5.29.14 Critical:false Value:[4 20 14 29 207 212 109 172 170 24 0 156 163 117 9 15 108 10 164 169 201 147]} {Id:2.5.29.35 Critical:false Value:[48 22 128 20 151 74 13 27 152 46 44 214 93 233 91 19 63 138 183 86 83 67 187 191]}] ExtraExtensions:[] UnhandledCriticalExtensions:[] ExtKeyUsage:[] UnknownExtKeyUsage:[] BasicConstraintsValid:true IsCA:true MaxPathLen:-1 MaxPathLenZero:false SubjectKeyId:[14 29 207 212 109 172 170 24 0 156 163 117 9 15 108 10 164 169 201 147] AuthorityKeyId:[151 74 13 27 152 46 44 214 93 233 91 19 63 138 183 86 83 67 187 191] OCSPServer:[] IssuingCertificateURL:[] DNSNames:[] EmailAddresses:[] IPAddresses:[] URIs:[] PermittedDNSDomainsCritical:false PermittedDNSDomains:[] ExcludedDNSDomains:[] PermittedIPRanges:[] ExcludedIPRanges:[] PermittedEmailAddresses:[] ExcludedEmailAddresses:[] PermittedURIDomains:[] ExcludedURIDomains:[] CRLDistributionPoints:[] PolicyIdentifiers:[]}
    config_test.go:668: 
        	Error Trace:	/go/src/github.com/docker/swarmkit/ca/config_test.go:668
        	Error:      	Received unexpected error:
        	            	x509: certificate signed by unknown authority
        	            	error while validating signing CA certificate against roots and intermediates
        	            	github.com/moby/swarmkit/v2/ca.newLocalSigner
        	            		/go/src/github.com/docker/swarmkit/ca/certificates.go:632
        	            	github.com/moby/swarmkit/v2/ca.NewRootCA
        	            		/go/src/github.com/docker/swarmkit/ca/certificates.go:493
        	            	github.com/moby/swarmkit/v2/ca_test.TestRenewTLSConfigUpdatesRootOnUnknownAuthError
        	            		/go/src/github.com/docker/swarmkit/ca/config_test.go:667
        	            	testing.tRunner
        	            		/usr/local/go/src/testing/testing.go:1446
        	            	runtime.goexit
        	            		/usr/local/go/src/runtime/asm_amd64.s:1594
        	Test:       	TestRenewTLSConfigUpdatesRootOnUnknownAuthError

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah
Member Author

Suggestion from Cory; try with GODEBUG=x509sha1=1

@corhere
Collaborator

corhere commented Nov 30, 2023

> Suggestion from Cory; try with GODEBUG=x509sha1=1

Studying the debug output more closely, and the swarmkit source, I now see that won't do anything.

@corhere
Collaborator

corhere commented Nov 30, 2023

https://go.dev/issue/58792 might be related

@thaJeztah
Member Author

That, at a glance, looks very plausible yes (great find!).

@corhere
Collaborator

corhere commented Nov 30, 2023

    config_test.go:663: rootCert:
    config_test.go:663:   Subject: CN=CA0
    config_test.go:663:   Issuer:  CN=CA0
    config_test.go:663: ----------------
    config_test.go:664: signCert:
    config_test.go:664:   Subject: CN=CA1
    config_test.go:664:   Issuer:  CN=CA1
    config_test.go:664: ----------------
    config_test.go:665: crossSigneds:
    config_test.go:665:   Subject: CN=CA1
    config_test.go:665:   Issuer:  CN=CA0

NewRootCA() asserts that signCert can chain up to rootCert with crossSigneds as the intermediate. signCert is self-signed, so go#58792 is the reason the test is failing on Go 1.19 and above.

To be clear, the behaviour change in Go is a bugfix, not a regression. The test is broken and always has been.

Also, the cross-signed certs have the same serial number as the template cert. While not the cause of the test failures, it's not kosher either to have more than one cert with the same subject and serial.

@crazy-max crazy-max mentioned this pull request Nov 6, 2025