Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 431220

Summary: mercurial.eclass: `certificate not verified' warning with web.cacerts correctly set
Product: Gentoo Linux Reporter: Casper Ti. Vector <CasperVector>
Component: EclassesAssignee: Christoph Junghans (RETIRED) <junghans>
Status: RESOLVED FIXED    
Severity: normal CC: CasperVector, djc
Priority: Normal Keywords: InVCS
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Casper Ti. Vector 2012-08-13 13:14:08 UTC 
On my computer, any live package using mercurial.eclass produces
> warning: <host> certificate with fingerprint <fingerprint> not verified (check hostfingerprints or web.cacerts config setting)
on emerging, while manual cloning/pulling as root does not.

/etc/mercurial/hgrc is set as advised on <http://mercurial.selenic.com/wiki/CACertificates>:
> [web]
> cacerts = /etc/ssl/certs/ca-certificates.crt


Reproducible: Always

Steps to Reproduce:
1. # emerge '=games-engines/love-9999'
2. # emerge -1 --nodeps '=games-engines/love-9999'
3. # cd /usr/portage/distfiles/hg-src/love/love; git pull
4. # emerge -C games-engines/love; rm -rf /usr/portage/distfiles/hg-src/love/love
5. # cd /usr/portage/distfiles/hg-src/love; git clone https://bitbucket.org/rude/love
Actual Results:  
1. warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
2. warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
3. No warning.
5. No warning.

Expected Results:  
No warning for 1, 2, 3 and 5.
Comment 1 Casper Ti. Vector 2012-08-14 13:39:43 UTC 
s/git/hg/g in my previous post, and sorry for the typo :|
Comment 2 Christoph Junghans (RETIRED) gentoo-dev 2012-12-17 23:39:09 UTC 
mercurial.eclass sets HGRCPATH to be empty, which basically disables any hgrc.

However, I don't understand your problem. You want to get rid of the warning?

We could set HGRCPATH to "/etc/mercurial/hgrc:/etc/mercurial/hgrc.d", but then strange stuff could get inherited from there.

Or we could add "--config web.cacerts=/etc/ssl/certs/ca-certificates.crt" to the command line of pull and clone.
Comment 3 Casper Ti. Vector 2012-12-19 18:06:39 UTC 
Thanks for your explanation.  I was just looking for a way to eliminate the warning, but did not consider issue about inheritance of other settings from the global hgrc.
Comment 4 Christoph Junghans (RETIRED) gentoo-dev 2012-12-19 18:54:08 UTC 
(In reply to comment #3)
> Thanks for your explanation.  I was just looking for a way to eliminate the
> warning, but did not consider issue about inheritance of other settings from
> the global hgrc.
I will add something like "--config web.cacerts=/etc/ssl/certs/ca-certificates.crt" to the options for hg pull/clone in the eclass soon.