unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: Leo Famulari <leo@famulari.name>
To: Marius Bakke <mbakke@fastmail.com>
Cc: guix-devel@gnu.org
Subject: Re: `guix pull` over HTTPS
Date: Tue, 28 Feb 2017 19:19:04 -0500	[thread overview]
Message-ID: <20170301001904.GA11226@jasmine> (raw)
In-Reply-To: <87bmtl29wq.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>

[-- Attachment #1: Type: text/plain, Size: 2270 bytes --]

On Wed, Mar 01, 2017 at 12:05:57AM +0100, Marius Bakke wrote:
> The ISRG trust chain is supported by NSS since 3.26[0] and Firefox 50.
> 
> [0] https://bugzilla.mozilla.org/show_bug.cgi?id=1204656
> 
> As long as the ISRG chain works with all software in Guix, I don't see a
> reason to include the IdenTrust root and intermediates. I think we
> should not include the retired intermediate certificates however.
> 
> This tiny chain works for all cases I've tried:
> 
> cat isrgrootx1.pem letsencryptauthorityx3.pem letsencryptauthorityx4.pem > le-certs.pem

I've updated the le-certs Git repo to include this bundle (although I
put the root certificate at the end of the list), and a separate bundle
for the IdenTrust-signed chain.

Let's use the ISRG chain.

> > 2) I'd like at least two other Guix developers to try recreating the
> > repository "from scratch", and to send signed email to this thread
> > saying that they were able to successfully recreate this custom
> > certificate store.
> 
> I downloaded each certificate independently and ran the provided 'sed'
> command and ended up with the same SHA256 hashes, which are:
> 
> 139a5e4a4e0fa505378c72c5f700934ce8333f4e6b1b508886c4b0eb14f4be99  dstrootx3.pem
> 3e6cf961c196c63a39bd99e5e34ff42c83669e3d7bcc2e4a0f9c7c7df40d0d7e  isrgrootx1.pem
> 3acb088b1372351a29c23ba51d28442a22e810224f8d009d8e026c470f463d74  le-certs.pem
> f8a8316dcc1f813774e7d7e2f85d7069d8b387c98a81b6073ef9f415be62410e  letsencryptauthorityx1.pem
> 3f67c48667781f7a7221320ee5b76c353aa4e0f4b2ed24a8a41113e6638f9724  letsencryptauthorityx2.pem
> 735a28bd5d93161769dd3a5d1d6337f24d1f2662cfe355930c1cffc38cac6a7d  letsencryptauthorityx3.pem
> 04f703429322d699af9e4d47e558cb696378fa20073700c9309263c448626d00  letsencryptauthorityx4.pem
> 6c0a324bb803e9d66b8986ea2085bb9d6bdfe33f5c04a03a3f7024f4aa8e7a2d  lets-encrypt-x1-cross-signed.pem
> b5791649cc21518a9757d7e1809bc47c5e60edc45c9dddaaf6c060cbe03bcb1d  lets-encrypt-x2-cross-signed.pem
> e446c5e9dbef9d09ac9f7027c034602492437a05ff6c40011d7235fca639c79a  lets-encrypt-x3-cross-signed.pem
> f524491d9c2966c01ecec75c7803c7169ff46bc5cfd44c396d418cd7053d8015  lets-encrypt-x4-cross-signed.pem

Thanks, that matches what I have. One more person, please :)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

  reply	other threads:[~2017-03-01  0:19 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-02-09 15:55 `guix pull` over HTTPS Leo Famulari
2017-02-10  0:30 ` Leo Famulari
2017-02-10 15:33   ` Ludovic Courtès
2017-02-10 16:22     ` Marius Bakke
2017-02-10 22:21       ` Ludovic Courtès
2017-02-10 22:43         ` Marius Bakke
2017-02-10 22:52           ` ng0
2017-02-11 14:28           ` Ludovic Courtès
2017-02-11 19:25             ` Leo Famulari
2017-02-11 19:48               ` Ricardo Wurmus
2017-02-12 13:36                 ` Ludovic Courtès
2017-02-28  5:46             ` Leo Famulari
2017-02-28 14:59               ` Marius Bakke
2017-02-28 16:29                 ` Leo Famulari
2017-02-28 16:45                   ` Marius Bakke
2017-02-28 20:44                     ` Marius Bakke
2017-02-28 21:44                       ` Marius Bakke
2017-02-28 21:54                         ` Marius Bakke
2017-03-01  2:36                           ` Marius Bakke
2017-03-01  5:14                             ` Leo Famulari
2017-03-01 21:20                               ` [PATCH v3] pull: Default to HTTPS Marius Bakke
2017-03-01 22:07                                 ` Leo Famulari
2017-03-01 21:21                               ` `guix pull` over HTTPS Marius Bakke
2017-03-06 10:04                               ` Ludovic Courtès
2017-03-06 10:06                         ` Ludovic Courtès
2017-03-06 12:27                           ` Marius Bakke
2017-02-28 23:05                   ` Marius Bakke
2017-03-01  0:19                     ` Leo Famulari [this message]
2017-02-28 16:39                 ` [PATCH] pull: Use HTTPS by default Marius Bakke
2017-03-01  1:01                   ` Leo Famulari
2017-02-10 18:55   ` `guix pull` over HTTPS Christopher Allan Webber
2017-02-10 15:29 ` Ludovic Courtès
2017-02-13 21:23 ` Bob Proulx

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170301001904.GA11226@jasmine \
    --to=leo@famulari.name \
    --cc=guix-devel@gnu.org \
    --cc=mbakke@fastmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).