bug#36363: let's encrypt hash mismatch
From: Ludovic Courtès
Subject: bug#36363: let's encrypt hash mismatch
Date: Mon, 22 Jul 2019 12:34:05 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)

Hi Chris,

Chris Marusich <address@hidden> writes:

> Ludovic Courtès <address@hidden> writes:
>
>> Julien Lepiller <address@hidden> writes:
>>
>>> expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>>> actual hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
>>> hash mismatch for store item
>>> '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build
>>
>> I believe you’d be fine if substitutes were enabled, but they’re not.
>>
>> In the meantime, you can fetch those files with something like:
>>
>>   wget -O /tmp/isrgrootx1.pem \
>>     http://berlin.guix.gnu.org/file/isrgrootx1.pem/sha256/0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>>   guix download file:///tmp/isrgrootx1.pem
>>
>> But yeah, like Tobias writes, it’s a bit of a problem. Should we mirror
>> them somewhere? Does Let’s Encrypt have them under a versioned URL
>> elsewhere?
>
> What is Guix using these files for? I realize it's got something to do
> with TLS, but it isn't clear to me why Guix downloads these certs.

This is used by (guix scripts pull) so we can always authenticate
git.savannah.gnu.org when we fetch from the Git repo.  It’s used if and
only if certificates aren’t available system-wide (see
‘honor-x509-certificates’.)

Ludo’.
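
Added example, not part of the original message and not Guix code: a check that a manually fetched file such as /tmp/isrgrootx1.pem matches the expected hash before it is imported. It assumes the hashes in the error message are SHA-256 digests in the Nix-style base32 encoding; the function names are this example's own.

```python
import hashlib
import hmac

# Nix/Guix base32 alphabet: digits and lowercase letters without e, o, t, u.
ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"

def nix_base32_encode(digest: bytes) -> str:
    """Encode a digest in Nix-style base32 (52 characters for SHA-256)."""
    length = (len(digest) * 8 - 1) // 5 + 1
    value = int.from_bytes(digest, "little")  # bytes are read least significant first
    return "".join(ALPHABET[(value >> (5 * n)) & 31]
                   for n in range(length - 1, -1, -1))

def nix_base32_decode(text: str, size: int = 32) -> bytes:
    """Decode a Nix-style base32 string back into `size` raw digest bytes."""
    value = 0
    for ch in text:
        value = value * 32 + ALPHABET.index(ch)  # ValueError on a foreign character
    return value.to_bytes(size, "little")        # OverflowError if it cannot fit

def file_hash(path: str) -> str:
    """SHA-256 of a file's contents, in Nix-style base32."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return nix_base32_encode(h.digest())

def verify(path: str, expected: str) -> bool:
    """True only if the file's hash equals the expected hash."""
    nix_base32_decode(expected)  # reject a malformed expected value early
    return hmac.compare_digest(file_hash(path), expected)

if __name__ == "__main__":
    import sys
    path, expected = sys.argv[1], sys.argv[2]
    print("expected hash:", expected)
    print("actual hash:  ", file_hash(path))
    sys.exit(0 if verify(path, expected) else 1)
```

Run it with the file path and the "expected hash" value from the error message; a non-zero exit status means the file should not be imported.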