Update release/5.x to Open Enclave 0.19.13 (#7124)

achamayou · web-flow · commit 93d1b5cf9ffd · 2025-07-18T19:44:54.000+01:00
diff --git a/.azure-pipelines-release.yml b/.azure-pipelines-release.yml
@@ -8,15 +8,15 @@ pr: none
 resources:
   containers:
     - container: virtual
-      image: ghcr.io/microsoft/ccf/ci/default:build-21-05-2025
+      image: ghcr.io/microsoft/ccf/ci/default:build-18-07-2025
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro
 
     - container: snp
-      image: ghcr.io/microsoft/ccf/ci/default:build-21-05-2025
+      image: ghcr.io/microsoft/ccf/ci/default:build-18-07-2025
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro
 
     - container: sgx
-      image: ghcr.io/microsoft/ccf/ci/sgx:build-21-05-2025
+      image: ghcr.io/microsoft/ccf/ci/sgx:build-18-07-2025
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx_enclave:/dev/sgx_enclave --device /dev/sgx_provision:/dev/sgx_provision -v /dev/sgx:/dev/sgx -v /lib/modules:/lib/modules:ro
 
 variables:
diff --git a/.github/workflows/bencher.yml b/.github/workflows/bencher.yml
@@ -11,7 +11,7 @@ jobs:
     name: Continuous Benchmarking with Bencher
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ghcr.io/microsoft/ccf/ci/default:build-21-05-2025
+      image: ghcr.io/microsoft/ccf/ci/default:build-18-07-2025
     steps:
       - uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -20,7 +20,7 @@ jobs:
   checks:
     name: "Format and License Checks"
     runs-on: ubuntu-latest
-    container: ghcr.io/microsoft/ccf/ci/default:build-21-05-2025
+    container: ghcr.io/microsoft/ccf/ci/default:build-18-07-2025
 
     steps:
       - run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
@@ -48,7 +48,7 @@ jobs:
             options: --user root --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE --device /dev/sgx_enclave:/dev/sgx_enclave --device /dev/sgx_provision:/dev/sgx_provision -v /dev/sgx:/dev/sgx -v /lib/modules:/lib/modules:ro
     runs-on: ${{ matrix.platform.nodes }}
     container:
-      image: ghcr.io/microsoft/ccf/ci/${{ matrix.platform.image }}:build-21-05-2025
+      image: ghcr.io/microsoft/ccf/ci/${{ matrix.platform.image }}:build-18-07-2025
       options: ${{ matrix.platform.options }}
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -25,7 +25,7 @@ jobs:
     # Insufficient space to run on public runner, so use custom pool
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ghcr.io/microsoft/ccf/ci/default:build-21-05-2025
+      image: ghcr.io/microsoft/ccf/ci/default:build-18-07-2025
       options: --user root
 
     permissions:
diff --git a/.github/workflows/long-test.yml b/.github/workflows/long-test.yml
@@ -10,7 +10,7 @@ jobs:
     name: "Scan build"
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ghcr.io/microsoft/ccf/ci/default:build-21-05-2025
+      image: ghcr.io/microsoft/ccf/ci/default:build-18-07-2025
 
     steps:
       - uses: actions/checkout@v4
@@ -27,7 +27,7 @@ jobs:
     name: ASAN
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ghcr.io/microsoft/ccf/ci/default:build-21-05-2025
+      image: ghcr.io/microsoft/ccf/ci/default:build-18-07-2025
 
     steps:
       - uses: actions/checkout@v4
@@ -69,7 +69,7 @@ jobs:
     name: TSAN
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ghcr.io/microsoft/ccf/ci/default:build-21-05-2025
+      image: ghcr.io/microsoft/ccf/ci/default:build-18-07-2025
 
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -80,7 +80,7 @@ jobs:
             cmake_options: -DLVI_MITIGATIONS=ON
     runs-on: ${{ matrix.platform.nodes }}
     container:
-      image: ghcr.io/microsoft/ccf/ci/${{ matrix.platform.image }}:build-21-05-2025
+      image: ghcr.io/microsoft/ccf/ci/${{ matrix.platform.image }}:build-18-07-2025
       options: "--user root --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro ${{ matrix.platform.container_options }}"
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/tlaplus.yml b/.github/workflows/tlaplus.yml
@@ -23,7 +23,7 @@ jobs:
     name: Model Checking - Consistency
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ghcr.io/microsoft/ccf/ci/default:build-21-05-2025
+      image: ghcr.io/microsoft/ccf/ci/default:build-18-07-2025
 
     steps:
       - uses: actions/checkout@v4
@@ -120,7 +120,7 @@ jobs:
     name: Model Checking - Consensus
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ghcr.io/microsoft/ccf/ci/default:build-21-05-2025
+      image: ghcr.io/microsoft/ccf/ci/default:build-18-07-2025
 
     steps:
       - uses: actions/checkout@v4
@@ -154,7 +154,7 @@ jobs:
     name: Model Checking With Reconfig - Consensus
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ghcr.io/microsoft/ccf/ci/default:build-21-05-2025
+      image: ghcr.io/microsoft/ccf/ci/default:build-18-07-2025
 
     steps:
       - uses: actions/checkout@v4
@@ -209,7 +209,7 @@ jobs:
     name: Trace Validation - Consensus
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ghcr.io/microsoft/ccf/ci/default:build-21-05-2025
+      image: ghcr.io/microsoft/ccf/ci/default:build-18-07-2025
 
     steps:
       - uses: actions/checkout@v4
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [5.0.19]
+
+[5.0.19]: https://github.com/microsoft/CCF/releases/tag/5.0.19
+
+### Dependencies
+
+- Updated Open Enclave from 0.19.11 to 0.19.13 (#7124).
+
 ## [5.0.18]
 
 [5.0.18]: https://github.com/microsoft/CCF/releases/tag/5.0.18
@@ -1248,13 +1256,11 @@ Key-Value Store
 #### Certificate(s) Validity Period
 
 - Nodes certificates validity period is no longer hardcoded and must instead be set by operators and renewed by members (#2924):
-
   - The new `node_certificate.initial_validity_days` (defaults to 1 day) configuration entry lets operators set the initial validity period for the node certificate (valid from the current system time).
   - The new `command.start.service_configuration.maximum_node_certificate_validity_days` (defaults to 365 days) configuration entry sets the maximum validity period allowed for node certificates.
   - The new `set_node_certificate_validity` proposal action allows members to renew a node certificate (or `set_all_nodes_certificate_validity` equivalent action to renew _all_ trusted nodes certificates).
 
 - Service certificate validity period is no longer hardcoded and must instead be set by operators and renewed by members (#3363):
-
   - The new `service_certificate_initial_validity_days` (defaults to 1 day) configuration entry lets operators set the initial validity period for the service certificate (valid from the current system time).
   - The new `maximum_service_certificate_validity_days` (defaults to 365 days) configuration entry sets the maximum validity period allowed for service certificate.
   - The new `set_service_certificate_validity` proposal action allows members to renew the service certificate.
@@ -1535,13 +1541,11 @@ Key-Value Store
 #### Certificate(s) Validity Period
 
 - Nodes certificates validity period is no longer hardcoded and must instead be set by operators and renewed by members (#2924):
-
   - The new `node_certificate.initial_validity_days` (defaults to 1 day) configuration entry lets operators set the initial validity period for the node certificate (valid from the current system time).
   - The new `command.start.service_configuration.maximum_node_certificate_validity_days` (defaults to 365 days) configuration entry sets the maximum validity period allowed for node certificates.
   - The new `set_node_certificate_validity` proposal action allows members to renew a node certificate (or `set_all_nodes_certificate_validity` equivalent action to renew _all_ trusted nodes certificates).
 
 - Service certificate validity period is no longer hardcoded and must instead be set by operators and renewed by members (#3363):
-
   - The new `service_certificate_initial_validity_days` (defaults to 1 day) configuration entry lets operators set the initial validity period for the service certificate (valid from the current system time).
   - The new `maximum_service_certificate_validity_days` (defaults to 365 days) configuration entry sets the maximum validity period allowed for service certificate.
   - The new `set_service_certificate_validity` proposal action allows members to renew the service certificate.
@@ -2284,17 +2288,14 @@ The 1.0 release will require minimal changes from this release.
 ### Added
 
 - Experimental
-
   - New CCF nodes can now join from a [snapshot](https://microsoft.github.io/CCF/ccf-0.13.0/operators/start_network.html#resuming-from-existing-snapshot) (#1500, #1532)
   - New KV maps can now be created dynamically in a transaction (#1507, #1528)
 
 - CLI
-
   - Subject Name and Subject Alternative Names for the node certificates can now be passed to cchost using the --sn and --san CLI switches (#1537)
   - Signature and ledger splitting [flags](https://microsoft.github.io/CCF/ccf-0.13.0/operators/start_network.html#signature-interval) have been renamed more accurately (#1534)
 
 - Governance
-
   - `user_data` can be set at user creation, as well as later (#1488)
 
 - Javascript
diff --git a/cmake/cpack_settings.cmake b/cmake/cpack_settings.cmake
@@ -24,7 +24,7 @@ message(STATUS "Debian package version: ${CPACK_DEBIAN_PACKAGE_VERSION}")
 set(CCF_DEB_BASE_DEPENDENCIES "libuv1 (>= 1.34.2);openssl (>=1.1.1f)")
 set(CCF_DEB_DEPENDENCIES ${CCF_DEB_BASE_DEPENDENCIES})
 
-set(OE_VERSION "0.19.11")
+set(OE_VERSION "0.19.13")
 if(COMPILE_TARGET STREQUAL "sgx")
   list(APPEND CCF_DEB_DEPENDENCIES
        "libc++1-11;libc++abi1-11;open-enclave (>=${OE_VERSION})"
diff --git a/cmake/open_enclave.cmake b/cmake/open_enclave.cmake
@@ -13,7 +13,7 @@ if(REQUIRE_OPENENCLAVE)
   endif()
 
   # Find OpenEnclave package
-  find_package(OpenEnclave 0.19.11 CONFIG REQUIRED)
+  find_package(OpenEnclave 0.19.13 CONFIG REQUIRED)
 
   option(USE_OPENSSL_3 "Use OpenSSL 3.x for Open Enclave builds" ON)
   if(USE_OPENSSL_3)
diff --git a/docker/ccf_caci_ci b/docker/ccf_caci_ci
@@ -1,4 +1,4 @@
-FROM ghcr.io/microsoft/ccf/ci/default:build-21-05-2025
+FROM ghcr.io/microsoft/ccf/ci/default:build-18-07-2025
 ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
 ENV RUNNER_ALLOW_RUNASROOT=true
 
diff --git a/getting_started/setup_vm/roles/openenclave/vars/common.yml b/getting_started/setup_vm/roles/openenclave/vars/common.yml
@@ -1,6 +1,6 @@
-oe_ver: "0.19.11"
+oe_ver: "0.19.13"
 # Usually the same, except for rc, where ver is -rc and ver_ is _rc
-oe_ver_: "0.19.11"
+oe_ver_: "0.19.13"
 
 # Source install
 workspace: "/tmp/"
diff --git a/tests/requirements.txt b/tests/requirements.txt
@@ -2,7 +2,7 @@ wheel
 paramiko
 loguru
 psutil
-openapi-spec-validator
+openapi-spec-validator == 0.7.1
 PyJWT
 docutils
 python-iptables
