From: Leo Famulari
Subject: Re: `guix pull` over HTTPS
Date: Tue, 28 Feb 2017 00:46:16 -0500
Message-ID: <20170228054616.GA28504@jasmine>
To: Ludovic Courtès
Cc: guix-devel@gnu.org

On Sat, Feb 11, 2017 at 03:28:52PM +0100, Ludovic Courtès wrote:
> Marius Bakke wrote:
> > I think having a separate 'le-certs' package that can verify the Let's
> > Encrypt chain sounds like the easiest option. Presumably new
> > intermediates etc will be known well in advance.
>
> That sounds more reasonable to me. Do you know what it would take to
> get the whole LE chain in such a package? Would you like to give it a
> try?

I tried it. The next intermediate (also called the "backup") is already
known. I've made it available here:

https://github.com/lfam/le-certs

You can try it out:

$ echo | openssl s_client -CAfile /tmp/le-certs/le-certs.pem -CApath /tmp/le-certs -connect git.savannah.gnu.org:443

Your feedback is requested!
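
An added example, not part of the original message or of the le-certs repository: by default `openssl s_client` carries on with the handshake when chain verification fails, so the result of the test command has to be read from the "Verify return code" line of its output. The helper names and both sample transcripts below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): read the verification
# result out of an `openssl s_client` transcript supplied on stdin.

# Print the numeric "Verify return code" (first occurrence), or nothing.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Succeed only if the transcript reports code 0 (ok) for the CA set given.
chain_verified() {
    code=$(verify_code)
    [ -n "$code" ] && [ "$code" -eq 0 ]
}

# Print the issuer (i:) of every certificate the server sent, in order.
chain_issuers() {
    sed -n 's/^[[:space:]]*i:\(.*\)$/\1/p'
}

# Constructed transcript: the chain verifies against the supplied bundle.
sample_ok() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=git.example.org
   i:/CN=Constructed Intermediate CA
 1 s:/CN=Constructed Intermediate CA
   i:/CN=Constructed Root CA
---
    Verify return code: 0 (ok)
EOF
}

# Constructed transcript: bundle lacks the issuer; handshake still completes.
sample_fail() {
    sample_ok | sed 's/Verify return code: 0 (ok)/Verify return code: 20 (unable to get local issuer certificate)/'
}

for t in sample_ok sample_fail; do
    if "$t" | chain_verified; then
        echo "$t: chain verified"
    else
        echo "$t: NOT verified (code $("$t" | verify_code))"
    fi
done
```

To check a live server, pipe the output of the `s_client` command from the message into `chain_verified`; `chain_issuers` shows which issuers the server's chain actually names.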