diff options
| author | Ludovic Courtès <ludo@gnu.org> | 2016-11-07 23:07:08 +0100 |
|---|---|---|
| committer | Ludovic Courtès <ludo@gnu.org> | 2016-11-07 23:39:01 +0100 |
| commit | bc3c41ce36349ed4ec758c70b48a7059e363043a (patch) | |
| tree | 912d77ea38b4295e58cd1d7dd5ce000781deb48d /guix/download.scm | |
| parent | a00fbe8adfa69babd47f6badc2c3b7ec8da1dc42 (diff) | |
| download | gnu-guix-bc3c41ce36349ed4ec758c70b48a7059e363043a.tar gnu-guix-bc3c41ce36349ed4ec758c70b48a7059e363043a.tar.gz | |
download: Verify TLS certificates unless asked not to.
Fixes <http://bugs.gnu.org/24466>.
Reported by Leo Famulari <leo@famulari.name>.
* guix/build/download.scm (%x509-certificate-directory): New variable.
(make-credendials-with-ca-trust-files, peer-certificate)
(assert-valid-server-certificate, print-tls-certificate-error): New
procedures. Add 'print-tls-certificate-error' as an exception printer
for 'tls-certificate-error'.
(tls-wrap): Add #:verify-certificate? parameter and honor it.
(open-connection-for-uri): Likewise.
(http-fetch): Likewise.
(url-fetch): Likewise.
* guix/download.scm (url-fetch)[builder]: Pass #:verify-certificate? #f.
* guix/scripts/lint.scm (probe-uri): Add case for 'tls-certificate-error'.
(validate-uri): Likewise.
* doc/guix.texi (Invoking guix download): Mention 'SSL_CERT_DIR'.
Diffstat (limited to 'guix/download.scm')
| -rw-r--r-- | guix/download.scm | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/guix/download.scm b/guix/download.scm index 80507f952a..d94051951c 100644 --- a/guix/download.scm +++ b/guix/download.scm @@ -372,7 +372,11 @@ in the store." #:hashes (value-from-environment "guix download hashes") #:content-addressed-mirrors - (primitive-load #$%content-addressed-mirror-file)))))) + (primitive-load #$%content-addressed-mirror-file) + + ;; No need to validate certificates since we know the + ;; hash of the expected result. + #:verify-certificate? #f))))) (let ((uri (and (string? url) (string->uri url)))) (if (or (and (string? url) (not uri)) |