From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Marius Bakke
Subject: Re: `guix pull` over HTTPS
Date: Tue, 28 Feb 2017 22:44:21 +0100
Message-ID: <87h93e0z4a.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
In-Reply-To: <87k28a11wt.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
References: <20170209155512.GA11291@jasmine> <20170210003054.GA12412@jasmine> <87fujmcb6w.fsf@gnu.org> <87lgte10eu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <87inoh660r.fsf@gnu.org> <874m011xb2.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <871sv44x97.fsf@gnu.org> <20170228054616.GA28504@jasmine> <87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <20170228162919.GA10253@jasmine> <87mvd61cxv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <87k28a11wt.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
To: Leo Famulari
Cc: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

Marius Bakke writes:

>>> I want to bundle a 'le-certs' package with GNU Guix, and change `guix
>>> pull` to know to use the le-certs bundle when pulling from
>>> %snapshot-url. For other URLs, users will have to take care of it
>>> themselves.
>>
>> This sounds like a better approach. Also, I did not see this email
>> before sending the patch! If you package it up, I can look into
>> realizing the package in `guix pull` directly.
>
> I gave this a go using "nss-certs", but can't figure out how to set
> SSL_CERT_DIR (or GUIX_TLS_CERTIFICATE_DIRECTORY) in `guix pull`. The
> naive approach of setting the variable before calling
> "download-to-store" does not work because %x509-certificate-directory
> has already been evaluated.
>
> I wonder what's the best approach here. Parameterizing this and
> propagating it all the way down to (tls-wrap), similar to
> #:verify-certificate?, could work, but seems awkward. Any suggestions?

I made it work with the attached hack. It breaks all conventions by
allowing #:verify-certificate? to be a search path for certificates.

If it weren't for the implied boolean nature of "#:verify-certificate?"
I would be happy with this solution. But I think setting the
GUIX_TLS_CERTIFICATE_DIRECTORY environment variable before pulling in
(guix download) would be better.

Attachment: 0001-pull-Default-to-HTTPS.patch

From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001
From: Marius Bakke Date: Tue, 28 Feb 2017 22:34:29 +0100 Subject: [PATCH] pull: Default to HTTPS. * guix/build/download.scm (tls-wrap): Allow #:verify-certificate? to be a search string for certificates. * guix/scripts/pull.scm (%snapshot-url): Use HTTPS. (guix-pull): Verify against the store path of NSS-CERTS. --- guix/build/download.scm | 7 +++++-- guix/scripts/pull.scm | 8 ++++++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/guix/build/download.scm b/guix/build/download.scm index 203338b52..88da1776f 100644 --- a/guix/build/download.scm +++ b/guix/build/download.scm @@ -342,13 +342,16 @@ way." (define* (tls-wrap port server #:key (verify-certificate? #t)) "Return PORT wrapped in a TLS connection to SERVER. SERVER must be a DNS -host name without trailing dot." +host name without trailing dot. If VERIFY-CERTIFICATE? is a string, it is +assumed to be the search path for TLS certificates passed to gnutls." (define (log level str) (format (current-error-port) "gnutls: [~a|~a] ~a" (getpid) level str)) (let ((session (make-session connection-end/client)) - (ca-certs (%x509-certificate-directory))) + (ca-certs (if (string? verify-certificate?) + verify-certificate? + (%x509-certificate-directory)))) ;; Some servers such as 'cloud.github.com' require the client to support ;; the 'SERVER NAME' extension. However, 'set-session-server-name!' is diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm index a4824e4fd..402332192 100644 --- a/guix/scripts/pull.scm +++ b/guix/scripts/pull.scm @@ -30,6 +30,7 @@ #:use-module ((guix build utils) #:select (with-directory-excursion delete-file-recursively)) #:use-module (gnu packages base) + #:use-module ((gnu packages certs) #:select (nss-certs)) #:use-module (gnu packages guile) #:use-module ((gnu packages bootstrap) #:select (%bootstrap-guile)) 
@@ -45,7 +46,7 @@ (define %snapshot-url ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download" - "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz" + "https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz" ) (define-syntax-rule (with-environment-variable variable value body ...) @@ -224,8 +225,11 @@ contained therein." (with-error-handling (let* ((opts (parse-options)) (store (open-connection)) + (certs (string-append (package-output store nss-certs) + "/etc/ssl/certs")) (url (assoc-ref opts 'tarball-url))) - (let ((tarball (download-to-store store url "guix-latest.tar.gz"))) + (let ((tarball (download-to-store store url "guix-latest.tar.gz" + #:verify-certificate? certs))) (unless tarball (leave (_ "failed to download up-to-date source, exiting\n"))) (parameterize ((%guile-for-build -- 2.12.0 --=-=-=--
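Review bot: in the tls-wrap hunk of guix/build/download.scm, the new docstring calls the string value a "search path for TLS certificates", but the value simply replaces (%x509-certificate-directory), which names a single directory, and the only caller in this patch passes one directory ("/etc/ssl/certs" under the nss-certs output); say "directory" so nobody passes a colon-separated list expecting it to be split. The overloading itself is the problem the cover mail admits to: #:verify-certificate? is documented as a boolean, a string is merely truthy, and (if (string? verify-certificate?) verify-certificate? (%x509-certificate-directory)) hides the CA location inside a flag whose name says nothing about it. A separate keyword, for example #:ca-certificate-directory defaulting to (%x509-certificate-directory), or a (parameterize ((%x509-certificate-directory certs)) ...) around the download call in the caller, keeps the boolean honest and needs no change to tls-wrap's signature.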
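Review bot: the new #:use-module ((gnu packages certs) #:select (nss-certs)) in guix/scripts/pull.scm makes `guix pull` verify the default snapshot URL against the full Mozilla root bundle, whereas the quoted part of the thread proposed a much smaller le-certs bundle for exactly this purpose. The narrower the trust set used for the one URL the tool controls, the less a mis-issuance or compromise at any unrelated bundled CA can affect `guix pull`; if nss-certs is kept deliberately, the commit message should say why it was chosen over le-certs, since it currently only states "Verify against the store path of NSS-CERTS".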
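Review bot: in the %snapshot-url hunk, the commented-out hydra URL directly above the changed line still reads http://, so the comment now disagrees with the intent of the patch; either update it to https:// or drop it. Since the URL actually used is (assoc-ref opts 'tarball-url), a user-supplied --url=http://... is still fetched in the clear with no warning; the plan stated in the thread (only %snapshot-url is verified against the bundled certificates, other URLs are the user's responsibility) should be written down next to %snapshot-url and in the --url documentation so that behaviour is explicit rather than implied.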
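Review bot: in the guix-pull hunk, (package-output store nss-certs) only computes the output path of the nss-certs derivation; nothing in the hunk builds or substitutes it, so on a machine where nss-certs has never been built the "/etc/ssl/certs" directory handed to #:verify-certificate? does not exist and the very first HTTPS pull cannot verify anything. Obtain the derivation with package-derivation, call build-derivations on it before the download, and give the failure its own message under with-error-handling rather than a bare build error. Separately, certs is passed for every URL, not only %snapshot-url, and because tls-wrap prefers the string over %x509-certificate-directory, a user who sets GUIX_TLS_CERTIFICATE_DIRECTORY or SSL_CERT_DIR for their own --url mirror now has that setting silently ignored; pass certs only when url is %snapshot-url, e.g. (if (string=? url %snapshot-url) certs #t), to match the "other URLs, users take care of it themselves" plan.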
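The evaluation-order problem described in the quoted part of the mail (setting the environment variable before calling download-to-store has no effect because %x509-certificate-directory has already been evaluated), and the parameterize approach the mail floats as an alternative to the #:verify-certificate? hack, as an added Guile example that is not part of the original mail, the patch, or Guix itself. The definition of %x509-certificate-directory below is reconstructed from memory of (guix build download) and is an assumption, the store path is constructed, and the example assumes that download-to-store runs the fetch in the same dynamic extent as the caller (no thread or process boundary), which is what makes parameterize reach tls-wrap.

```scheme
;; Added example (not from the patch or from Guix): why a late setenv does
;; not change a parameter whose default was computed at load time, and two
;; ways that do work.  Run with:  guile example.scm
;; Expected output assumes GUIX_TLS_CERTIFICATE_DIRECTORY and SSL_CERT_DIR
;; are unset when the script starts.
(use-modules (ice-9 format))

;; Assumed shape of %x509-certificate-directory in (guix build download):
;; the default is evaluated ONCE, when this definition is loaded, from the
;; environment as it is at that moment.
(define %x509-certificate-directory
  (make-parameter (or (getenv "GUIX_TLS_CERTIFICATE_DIRECTORY")
                      (getenv "SSL_CERT_DIR")
                      "/etc/ssl/certs")))

;; Stand-in for tls-wrap: all that matters for the demonstration is that
;; it reads the parameter when it is CALLED, not when it is defined.
(define (ca-directory-used-by-tls-wrap)
  (%x509-certificate-directory))

;; Constructed, hypothetical store path standing in for
;; (string-append (package-output store nss-certs) "/etc/ssl/certs").
(define %certs
  "/gnu/store/00000000000000000000000000000000-nss-certs/etc/ssl/certs")

;; 1. The naive approach from the thread: setenv, then download.  The
;;    parameter already holds its default, so tls-wrap never sees %certs.
(setenv "GUIX_TLS_CERTIFICATE_DIRECTORY" %certs)
(format #t "after setenv:        ~a~%" (ca-directory-used-by-tls-wrap))
;; prints /etc/ssl/certs

;; 2. Rebinding the parameter for the dynamic extent of the download call.
;;    This is what "parameterizing this and propagating it down to
;;    tls-wrap" amounts to, without changing any signatures.
(format #t "inside parameterize: ~a~%"
        (parameterize ((%x509-certificate-directory %certs))
          (ca-directory-used-by-tls-wrap)))
;; prints the %certs path
(format #t "after parameterize:  ~a~%" (ca-directory-used-by-tls-wrap))
;; back to /etc/ssl/certs: the rebinding is scoped

;; 3. Setting the parameter for the rest of the program.  Guile parameter
;;    objects accept one argument to set their value in the current thread,
;;    so this also reaches tls-wrap and keeps #:verify-certificate? boolean.
(%x509-certificate-directory %certs)
(format #t "after setting param: ~a~%" (ca-directory-used-by-tls-wrap))
;; prints the %certs path
```

Approach 2 is the safer of the two working ones for `guix pull`: it applies only to the download of %snapshot-url and leaves a user's own GUIX_TLS_CERTIFICATE_DIRECTORY or SSL_CERT_DIR in force for any other URL, which is the split the thread asks for.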