Ludovic Courtès writes:

> Hi!
>
> Marius Bakke skribis:
>
>> From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke
>> Date: Tue, 28 Feb 2017 22:34:29 +0100
>> Subject: [PATCH] pull: Default to HTTPS.
>>
>> * guix/build/download.scm (tls-wrap): Allow #:verify-certificate? to be a
>> search string for certificates.
>> * guix/scripts/pull.scm (%snapshot-url): Use HTTPS.
>> (guix-pull): Verify against the store path of NSS-CERTS.
>> ---
>> guix/build/download.scm | 7 +++++--
>> guix/scripts/pull.scm | 8 ++++++--
>> 2 files changed, 11 insertions(+), 4 deletions(-)
>>
>> diff --git a/guix/build/download.scm b/guix/build/download.scm
>> index 203338b52..88da1776f 100644
>> --- a/guix/build/download.scm
>> +++ b/guix/build/download.scm
>> @@ -342,13 +342,16 @@ way."
>>
>> (define* (tls-wrap port server #:key (verify-certificate? #t))
>> "Return PORT wrapped in a TLS connection to SERVER. SERVER must be a DNS
>> -host name without trailing dot."
>> +host name without trailing dot. If VERIFY-CERTIFICATE? is a string, it is
>> +assumed to be the search path for TLS certificates passed to gnutls."
>> (define (log level str)
>> (format (current-error-port)
>> "gnutls: [~a|~a] ~a" (getpid) level str))
>>
>> (let ((session (make-session connection-end/client))
>> - (ca-certs (%x509-certificate-directory)))
>> + (ca-certs (if (string? verify-certificate?)
>> + verify-certificate?
>> + (%x509-certificate-directory))))
>
> Nitpick: I would prefer to use a different argument for the certificate
> directory. Something like this:
>
> (define* (tls-wrap port server #:key (verify-certificate? #t)
> (certificate-directory
> (%x509-certificate-directory)))
> …)
>
> Also the ‘guix pull’ part should be a separate patch.
>
> Great work, thank you!

Hello!

Please see https://debbugs.gnu.org/cgi/bugreport.cgi?bug=25975 ... for the latest version of this patch.
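Review bot: In the `tls-wrap` hunk, letting a string value of `verify-certificate?` select the certificate directory ties two independent settings (whether the peer is verified at all, and where the trust anchors are read from) to one keyword whose name only describes the first, and the wording is inconsistent: the new docstring calls the value a "search path", the ChangeLog entry says "search string", while the `ca-certs` binding it feeds and its default `(%x509-certificate-directory)` are a single directory. Suggest the separate keyword proposed in the reply, `(certificate-directory (%x509-certificate-directory))`, keeping `verify-certificate?` strictly boolean so that the verification decision never depends on the type of the value passed, and calling the argument a directory in both the docstring and the commit message. The diffstat also lists `guix/scripts/pull.scm`, but that hunk is not quoted here; as the reply notes, the `guix pull` change is easier to review as its own patch.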