431220 – mercurial.eclass: `certificate not verified' warning with web.cacerts correctly set

Bug 431220 - mercurial.eclass: `certificate not verified' warning with web.cacerts correctly set

Summary: mercurial.eclass: `certificate not verified' warning with web.cacerts correct...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Eclasses (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Christoph Junghans (RETIRED)

URL:
Whiteboard:
Keywords:	InVCS

Depends on:
Blocks:

Reported:	2012-08-13 13:14 UTC by Casper Ti. Vector
Modified:	2012-12-26 23:10 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Casper Ti. Vector 2012-08-13 13:14:08 UTC

On my computer, any live package using mercurial.eclass produces
> warning: <host> certificate with fingerprint <fingerprint> not verified (check hostfingerprints or web.cacerts config setting)
on emerging, while manual cloning/pulling as root does not.

/etc/mercurial/hgrc is set as advised on <http://mercurial.selenic.com/wiki/CACertificates>:
> [web]
> cacerts = /etc/ssl/certs/ca-certificates.crt


Reproducible: Always

Steps to Reproduce:
1. # emerge '=games-engines/love-9999'
2. # emerge -1 --nodeps '=games-engines/love-9999'
3. # cd /usr/portage/distfiles/hg-src/love/love; git pull
4. # emerge -C games-engines/love; rm -rf /usr/portage/distfiles/hg-src/love/love
5. # cd /usr/portage/distfiles/hg-src/love; git clone https://bitbucket.org/rude/love
Actual Results:  
1. warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
2. warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
3. No warning.
5. No warning.

Expected Results:  
No warning for 1, 2, 3 and 5.

Comment 1 Casper Ti. Vector 2012-08-14 13:39:43 UTC

s/git/hg/g in my previous post, and sorry for the typo :|

Comment 2 Christoph Junghans (RETIRED) gentoo-dev

2012-12-17 23:39:09 UTC

mercurial.eclass sets HGRCPATH to be empty, which basically disables any hgrc.

However, I don't understand your problem. You want to get rid of the warning?

We could set HGRCPATH to "/etc/mercurial/hgrc:/etc/mercurial/hgrc.d", but then strange stuff could get inherited from there.

Or we could add "--config web.cacerts=/etc/ssl/certs/ca-certificates.crt" to the command line of pull and clone.

Comment 3 Casper Ti. Vector 2012-12-19 18:06:39 UTC

Thanks for your explanation.  I was just looking for a way to eliminate the warning, but did not consider issue about inheritance of other settings from the global hgrc.

Comment 4 Christoph Junghans (RETIRED) gentoo-dev

2012-12-19 18:54:08 UTC

(In reply to comment #3)
> Thanks for your explanation.  I was just looking for a way to eliminate the
> warning, but did not consider issue about inheritance of other settings from
> the global hgrc.
I will add something like "--config web.cacerts=/etc/ssl/certs/ca-certificates.crt" to the options for hg pull/clone in the eclass soon.