From: Chris Marusich
Subject: bug#36363: let's encrypt hash mismatch
Date: Sun, 21 Jul 2019 16:12:25 -0700
Message-ID: <87y30rugme.fsf@gmail.com>
References: <20190624192302.0eccdd72@tachikoma.lepiller.eu> <874l4e4ufg.fsf@gnu.org>
To: Ludovic Courtès
Cc: 36363@debbugs.gnu.org

Ludovic Courtès writes:

> Julien Lepiller writes:
>
>> expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>> actual hash:   0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
>> hash mismatch for store item
>> '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build
>
> I believe you’d be fine if substitutes were enabled, but they’re not.
>
> In the meantime, you can fetch those files with something like:
>
>   wget -O /tmp/isrgrootx1.pem \
>     http://berlin.guix.gnu.org/file/isrgrootx1.pem/sha256/0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>   guix download file:///tmp/isrgrootx1.pem
>
> But yeah, like Tobias writes, it’s a bit of a problem. Should we mirror
> them somewhere? Does Let’s Encrypt have them under a versioned URL
> elsewhere?

What is Guix using these files for? I realize it's got something to do
with TLS, but it isn't clear to me why Guix downloads these certs.

I don't have the full context, so please forgive me if my comments are
unhelpful, but before deciding to use stale versions, I think it's worth
asking, "Could using a stale version introduce any security risk?"
Maybe there's a reason why LE doesn't publish the old versions.

-- 
Chris
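The following is an added example, not part of this message or of Guix itself: a way to check a manually fetched file against the pinned hash before importing it, given that the mirror is reached over plain HTTP in the quoted command. It assumes the 52-character hashes above are SHA-256 digests in the Nix-style base32 encoding that Guix prints; the function names are hypothetical.

```python
import hashlib

# Alphabet of the base32 variant Guix inherited from Nix (no e, o, t, u).
ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"

def nix_base32(digest: bytes) -> str:
    """Encode raw digest bytes the way Guix prints sha256 hashes."""
    nchars = (len(digest) * 8 - 1) // 5 + 1
    out = []
    # Characters are emitted from the most significant 5-bit group down.
    for n in range(nchars - 1, -1, -1):
        i, j = divmod(n * 5, 8)
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)
        out.append(ALPHABET[c & 0x1F])
    return "".join(out)

def guix_sha256(data: bytes) -> str:
    """SHA-256 of data, in the 52-character form seen in the error above."""
    return nix_base32(hashlib.sha256(data).digest())

def matches_expected(data: bytes, expected: str) -> bool:
    """True only if the content hashes to the value pinned in the package."""
    return guix_sha256(data) == expected

def hash_from_mirror_url(url: str) -> str:
    """Pull the pinned hash out of a .../file/NAME/sha256/HASH URL."""
    parts = url.rstrip("/").split("/")
    if len(parts) < 2 or parts[-2] != "sha256" or len(parts[-1]) != 52:
        raise ValueError("not a sha256 content-addressed URL")
    if any(ch not in ALPHABET for ch in parts[-1]):
        raise ValueError("hash is not Nix-style base32")
    return parts[-1]

if __name__ == "__main__":
    import sys
    # Usage: verify.py FILE EXPECTED_HASH
    with open(sys.argv[1], "rb") as f:
        ok = matches_expected(f.read(), sys.argv[2])
    print("hash OK" if ok else "hash mismatch")
    sys.exit(0 if ok else 1)
```

A match shows only that the file is the one the package definition pinned; whether that pinned version is still the right certificate to trust is the separate question raised in the message.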