Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#36246 - [mercurial] SSL Certificate Authority Default Settings

Attached to Project: Arch Linux
Opened by Andrew Freeman (alif) - Monday, 22 July 2013, 19:19 GMT
Last edited by Giovanni Scafora (giovanni) - Sunday, 12 January 2014, 14:09 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Giovanni Scafora (giovanni)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


Mercurial should be able to verify signatures by common certificate authorities without per-user configuration. Upstream has confirmed this, but has been sitting on the bug report [HG:3453] for more than a year as a portable solution has not been found.

The Arch Wiki Mercurial entry demonstrates that users are being affected by the bug as they are advised to implement the patch in their local configuration file.


Additional info:
/etc/mercurial/hgrc - does not contain any default SSL settings.

Steps to reproduce:
$ hg clone re2 #...or any other SSL repo with reasonable signatures.
warning: certificate with fingerprint 22:ff:da:a9:55:f4:40:00:5e:1d:b5:7a:93:71:42:55:bd:9f:f3:8a not
verified (check hostfingerprints or web.cacerts config setting)

Proposed solution:
Add a post-install script checking for the optional dependency (of openssl, requisite for python2 thus mercurial) ca-certificates that appends as follows, if so:

echo "### Set trusted certificate authorities\n" >> ${pkgdir}/etc/mercurial/hgrc
echo "[web]" >> ${pkgdir}/etc/mercurial/hgrc
echo "cacerts = /etc/ssl/certs/ca-certificates.crt" >> ${pkgdir}/etc/mercurial/hgrc
This task depends upon

Closed by  Giovanni Scafora (giovanni)
Sunday, 12 January 2014, 14:09 GMT
Reason for closing:  Upstream