06/06: pull: Use /etc/ssl/certs by default if it exists and is non-empty
From: Ludovic Courtès
Subject: 06/06: pull: Use /etc/ssl/certs by default if it exists and is non-empty.
Date: Tue, 18 Sep 2018 17:23:59 -0400 (EDT)
civodul pushed a commit to branch master
in repository guix.
commit 20f8d73face564deec2f21130fb465c8c3d9a8e9
Author: Ludovic Courtès <address@hidden>
Date: Tue Sep 18 23:19:18 2018 +0200
pull: Use /etc/ssl/certs by default if it exists and is non-empty.
Previously, on machines where /etc/ssl/certs did exist, we'd have this:
$ unset SSL_CERT_DIR
$ unset SSL_CERT_FILE
$ guix pull
Updating channel 'guix' from Git repository at
'https://git.savannah.gnu.org/git/guix.git'...
guix pull: error: Git error: the SSL certificate is invalid
This is because we'd let OpenSSL look for certificates in its default
location, which is an empty directory in its own prefix.
* guix/scripts/pull.scm (honor-x509-certificates): New procedure.
(guix-pull): Use it instead of calling 'honor-lets-encrypt-certificates!'.
---
guix/scripts/pull.scm | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index 04c8ef6..10e1a99 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -178,6 +178,17 @@ Download and deploy the latest version of Guix.\n"))
(build-derivations store (list drv))
(set-tls-certificate-locations! certs)))
+(define (honor-x509-certificates store)
+ "Use the right X.509 certificates for Git checkouts over HTTPS."
+ (let ((file (getenv "SSL_CERT_FILE"))
+ (directory (or (getenv "SSL_CERT_DIR") "/etc/ssl/certs")))
+ (if (or (and file (file-exists? file))
+ (and=> (stat directory #f)
+ (lambda (st)
+ (> (stat:nlink st) 2))))
+ (set-tls-certificate-locations! directory file)
+ (honor-lets-encrypt-certificates! store))))
+
(define (report-git-error error)
"Report the given Guile-Git error."
;; Prior to Guile-Git commit b6b2760c2fd6dfaa5c0fedb43eeaff06166b3134,
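Review bot: the non-empty test `(> (stat:nlink st) 2)` in honor-x509-certificates relies on the directory's link count, which on common file systems counts ".", ".." and subdirectories, not regular files or symlinks. A /etc/ssl/certs that holds only certificate files and symlinks would report 2 and be treated as empty, silently falling back to honor-lets-encrypt-certificates!, and a file system that reports a link count of 1 for every directory never passes the test. Listing the directory (for example with scandir from (ice-9 ftw)) and checking for an entry other than "." and ".." would test what the commit message describes. Separately, when it is the directory branch that makes the `or` true, `file` is still passed to set-tls-certificate-locations! even if SSL_CERT_FILE names a file that does not exist; passing #f in that case would be cleaner. The docstring could also state the lookup order: SSL_CERT_FILE, SSL_CERT_DIR, /etc/ssl/certs, then the Let's Encrypt fallback.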
@@ -423,13 +434,7 @@ Use '~/.config/guix/channels.scm' instead."))
(parameterize ((%graft? (assoc-ref opts 'graft?))
(%repository-cache-directory cache))
(set-build-options-from-command-line store opts)
-
- ;; When certificates are already installed, use them.
- ;; Otherwise, use the Let's Encrypt certificates, which we
- ;; know Savannah uses.
- (let ((certs (or (getenv "SSL_CERT_DIR") "/etc/ssl/certs")))
- (unless (file-exists? certs)
- (honor-lets-encrypt-certificates! store)))
+ (honor-x509-certificates store)
(let ((instances (latest-channel-instances store channels)))
(format (current-error-port)
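Review bot: the call `(honor-x509-certificates store)` replaces a block whose comment gave the rationale for the fallback ("use the Let's Encrypt certificates, which we know Savannah uses"), and that rationale is not carried over into the new procedure, whose docstring is a single line. Per the removed comment the fallback is chosen for Savannah, so a channel served from another host may still fail certificate validation when no system certificates are found; moving the comment into honor-x509-certificates would keep that reasoning next to the code for whoever debugs such a failure.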