FS#36246 - [mercurial] SSL Certificate Authority Default Settings

Attached to Project: Arch Linux
Opened by Andrew Freeman (alif) - Monday, 22 July 2013, 19:19 GMT
Last edited by Giovanni Scafora (giovanni) - Sunday, 12 January 2014, 14:09 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Giovanni Scafora (giovanni)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Mercurial should be able to verify signatures by common certificate authorities without per-user configuration. Upstream has confirmed this, but has been sitting on the bug report [HG:3453] for more than a year as a portable solution has not been found.

The Arch Wiki Mercurial entry demonstrates that users are being affected by the bug as they are advised to implement the patch in their local configuration file.

[HG:3453] http://bz.selenic.com/show_bug.cgi?id=3453

Additional info:
/etc/mercurial/hgrc - does not contain any default SSL settings.


Steps to reproduce:
$ hg clone https://re2.googlecode.com/hg re2 #...or any other SSL repo with reasonable signatures.
warning: re2.googlecode.com certificate with fingerprint 22:ff:da:a9:55:f4:40:00:5e:1d:b5:7a:93:71:42:55:bd:9f:f3:8a not verified (check hostfingerprints or web.cacerts config setting)
...

Proposed solution:
Add a post-install script that checks for ca-certificates (an optional dependency of openssl, which python2 and thus mercurial requires) and, if it is installed, appends the following:

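# ${pkgdir} is the makepkg packaging root and is only set inside package() in the PKGBUILD
# (plain echo does not expand "\n", so it is dropped from the comment line)
echo "### Set trusted certificate authorities" >> "${pkgdir}/etc/mercurial/hgrc"
echo "[web]" >> "${pkgdir}/etc/mercurial/hgrc"
echo "cacerts = /etc/ssl/certs/ca-certificates.crt" >> "${pkgdir}/etc/mercurial/hgrc"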

Closed by  Giovanni Scafora (giovanni)
Sunday, 12 January 2014, 14:09 GMT
Reason for closing:  Upstream
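
One way to write the check the proposed solution describes, as an added example that is not part of the original report or of the Arch package. The function name set_hg_cacerts and its return codes are assumptions; it sets web.cacerts only when the CA bundle is actually present and does not append a second time if a cacerts setting already exists.

```shell
#!/bin/sh
# Added example, not the package's own install script.
#
# set_hg_cacerts HGRC BUNDLE   (hypothetical helper)
#   Appends a [web] section with "cacerts = BUNDLE" to HGRC.
#   Returns 0 if the setting was written,
#           1 if BUNDLE is missing (ca-certificates not installed),
#           2 if HGRC already has a cacerts setting.
set_hg_cacerts() {
    hgrc=$1
    bundle=$2

    # ca-certificates is optional: never point hg at a file that is not there.
    [ -r "$bundle" ] || return 1

    # Idempotent: leave an existing cacerts line (ours or the admin's) alone,
    # so repeated installs or upgrades do not stack duplicate entries.
    if [ -f "$hgrc" ] && grep -Eq '^[[:space:]]*cacerts[[:space:]]*=' "$hgrc"; then
        return 2
    fi

    mkdir -p "$(dirname "$hgrc")"
    {
        printf '### Set trusted certificate authorities\n'
        printf '[web]\n'
        printf 'cacerts = %s\n' "$bundle"
    } >> "$hgrc"
}

# Intended call from an install hook, with the paths from the report:
#   set_hg_cacerts /etc/mercurial/hgrc /etc/ssl/certs/ca-certificates.crt
```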
