From: Ludovic Courtès
Subject: bug#36363: let's encrypt hash mismatch
Date: Mon, 22 Jul 2019 12:34:05 +0200
Message-ID: <87tvbe2w9u.fsf@gnu.org>
In-Reply-To: <87y30rugme.fsf@gmail.com> (Chris Marusich's message of "Sun, 21 Jul 2019 16:12:25 -0700")
To: Chris Marusich
Cc: 36363@debbugs.gnu.org

Hi Chris,

Chris Marusich wrote:

> Ludovic Courtès writes:
>
>> Julien Lepiller wrote:
>>
>>> expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>>> actual hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
>>> hash mismatch for store item
>>> '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build
>>
>> I believe you’d be fine if substitutes were enabled, but they’re not.
>>
>> In the meantime, you can fetch those files with something like:
>>
>>   wget -O /tmp/isrgrootx1.pem \
>>     http://berlin.guix.gnu.org/file/isrgrootx1.pem/sha256/0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>>   guix download file:///tmp/isrgrootx1.pem
>>
>> But yeah, like Tobias writes, it’s a bit of a problem.  Should we mirror
>> them somewhere?  Does Let’s Encrypt have them under a versioned URL
>> elsewhere?
>
> What is Guix using these files for?  I realize it's got something to do
> with TLS, but it isn't clear to me why Guix downloads these certs.

This is used by (guix scripts pull) so we can always authenticate
git.savannah.gnu.org when we fetch from the Git repo.  It’s used if and
only if certificates aren’t available system-wide (see
‘honor-x509-certificates’.)

Ludo’.
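
Added example, not part of the original message and not Guix's own code: the hashes quoted above are SHA-256 digests written in the nix-base32 notation Guix prints, so a file fetched by hand (as in the wget workaround) can be checked against the expected hash before it is trusted. It assumes the hash is the flat SHA-256 of the file contents; the function names are hypothetical.

```python
import hashlib
import hmac
import sys

# nix-base32 alphabet as used for Guix hashes (no e, o, t, u).
ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32_decode(text, size=32):
    """Decode a nix-base32 string into `size` raw digest bytes."""
    if len(text) != (size * 8 + 4) // 5:  # 52 characters for SHA-256
        raise ValueError("unexpected hash length: %d" % len(text))
    value = 0
    for char in text:
        digit = ALPHABET.find(char)
        if digit < 0:
            raise ValueError("invalid nix-base32 character: %r" % char)
        value = (value << 5) | digit  # first character is most significant
    if value >> (size * 8):
        raise ValueError("non-zero padding bits")
    # The 5-bit groups index the digest as a little-endian bit string.
    return value.to_bytes(size, "little")


def nix_base32_encode(raw):
    """Inverse of nix_base32_decode, to print a digest in the same notation."""
    value = int.from_bytes(raw, "little")
    count = (len(raw) * 8 + 4) // 5
    return "".join(ALPHABET[(value >> (5 * n)) & 31] for n in reversed(range(count)))


def verify_file(path, expected_hash):
    """True only if the SHA-256 of the file equals the expected hash."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return hmac.compare_digest(digest.digest(), nix_base32_decode(expected_hash))


if __name__ == "__main__":
    # Expected hash quoted in the message above.
    expected = "0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y"
    print("expected sha256 (hex):", nix_base32_decode(expected).hex())
    if len(sys.argv) > 1:  # e.g. /tmp/isrgrootx1.pem from the workaround
        print("file matches:", verify_file(sys.argv[1], expected))
```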