From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Re: `guix pull` over HTTPS
Date: Tue, 28 Feb 2017 19:19:04 -0500
Message-ID: <20170301001904.GA11226@jasmine>
References: <20170210003054.GA12412@jasmine> <87fujmcb6w.fsf@gnu.org>
	<87lgte10eu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<87inoh660r.fsf@gnu.org>
	<874m011xb2.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<871sv44x97.fsf@gnu.org> <20170228054616.GA28504@jasmine>
	<87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<20170228162919.GA10253@jasmine>
	<87bmtl29wq.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="VbJkn9YxBvnuCH5J"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:33194)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cirz8-0005tt-Er
	for guix-devel@gnu.org; Tue, 28 Feb 2017 19:19:15 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cirz4-0003SF-Cm
	for guix-devel@gnu.org; Tue, 28 Feb 2017 19:19:14 -0500
Content-Disposition: inline
In-Reply-To: <87bmtl29wq.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Marius Bakke <mbakke@fastmail.com>
Cc: guix-devel@gnu.org


--VbJkn9YxBvnuCH5J
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Mar 01, 2017 at 12:05:57AM +0100, Marius Bakke wrote:
> The ISRG trust chain is supported by NSS since 3.26[0] and Firefox 50.
>=20
> [0] https://bugzilla.mozilla.org/show_bug.cgi?id=3D1204656
>=20
> As long as the ISRG chain works with all software in Guix, I don't see a
> reason to include the IdenTrust root and intermediates. I think we
> should not include the retired intermediate certificates however.
>=20
> This tiny chain works for all cases I've tried:
>=20
> cat isrgrootx1.pem letsencryptauthorityx3.pem letsencryptauthorityx4.pem =
> le-certs.pem

I've updated the le-certs Git repo to include this bundle (although I
put the root certificate at the end of the list), and a separate bundle
for the IdenTrust-signed chain.

Let's use the ISRG chain.

> > 2) I'd like at least two other Guix developers to try recreating the
> > repository "from scratch", and to send signed email to this thread
> > saying that they were able to successfully recreate this custom
> > certificate store.
>=20
> I downloaded each certificate independently and ran the provided 'sed'
> command and ended up with the same SHA256 hashes, which are:
>=20
> 139a5e4a4e0fa505378c72c5f700934ce8333f4e6b1b508886c4b0eb14f4be99  dstroot=
x3.pem
> 3e6cf961c196c63a39bd99e5e34ff42c83669e3d7bcc2e4a0f9c7c7df40d0d7e  isrgroo=
tx1.pem
> 3acb088b1372351a29c23ba51d28442a22e810224f8d009d8e026c470f463d74  le-cert=
s.pem
> f8a8316dcc1f813774e7d7e2f85d7069d8b387c98a81b6073ef9f415be62410e  letsenc=
ryptauthorityx1.pem
> 3f67c48667781f7a7221320ee5b76c353aa4e0f4b2ed24a8a41113e6638f9724  letsenc=
ryptauthorityx2.pem
> 735a28bd5d93161769dd3a5d1d6337f24d1f2662cfe355930c1cffc38cac6a7d  letsenc=
ryptauthorityx3.pem
> 04f703429322d699af9e4d47e558cb696378fa20073700c9309263c448626d00  letsenc=
ryptauthorityx4.pem
> 6c0a324bb803e9d66b8986ea2085bb9d6bdfe33f5c04a03a3f7024f4aa8e7a2d  lets-en=
crypt-x1-cross-signed.pem
> b5791649cc21518a9757d7e1809bc47c5e60edc45c9dddaaf6c060cbe03bcb1d  lets-en=
crypt-x2-cross-signed.pem
> e446c5e9dbef9d09ac9f7027c034602492437a05ff6c40011d7235fca639c79a  lets-en=
crypt-x3-cross-signed.pem
> f524491d9c2966c01ecec75c7803c7169ff46bc5cfd44c396d418cd7053d8015  lets-en=
crypt-x4-cross-signed.pem

Thanks, that matches what I have. One more person, please :)

--VbJkn9YxBvnuCH5J
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAli2E3gACgkQJkb6MLrK
fwgVJBAA0Z+Xjsnzp/qDoL9EpV1SO8M51B6xHgclZI+zPvy5C3TqoSp3BVGNVXXP
4NNQaXiC3e2c7OKVX4mzFzmUZjmjprIHrguB+8plPDUjDhshnFVshgCTVzKvDBlA
3dG2zBmqoj9+m0KT9nSKtmHqFdJY4LpzQsXV2B72dTBH6g8puyHevMdSpShx98BN
RmqrlM2zWbjw95uc5HV4LKjXwwDJAiib5aBAjVKzWqdoZOFCyFW9O/jod5HhXxab
zUweQP4loI89dk5X/20ihc1/5ZUDHfpmDKOD8XMUSl4La6Io6pnPdP3s8Uq3ahWx
7/ZqgMC9pgXUytm9ZUaUuYscOj2zw/POcAl85hA/zdKZNGu9biUJu/D428BJM4hD
1c/JhazWnXiVAg7FjsgSVyrJ4cmuIIPtqLQKbKZKfbvZFmdvao+6QR3BjYm2XXeY
s/6q3bcP0S1CqluUVflDMIATnFcTWC/1yhFilVWwIkggkH7ErJbT1GKxtq0UZXeG
JtD18+ujjOo7jApm46EEOXMcE6l48WlOo8LKVnKaHfYbKM4oJmN65sO1nkfD7hHg
w5CVNEknfgmZ8sZOI48jU9oge6i6HBVwkQMLIw9vAiUYo1MyoW3MzwYW3x3zcQAj
CWQ7PAkItedKeYK4pMxJFPMLbJ9tLTwuOmoM4FTaVZfCqsVWEx0=
=FC9n
-----END PGP SIGNATURE-----

--VbJkn9YxBvnuCH5J--