From: Leo Famulari
To: Ludovic Courtès
Cc: 46829@debbugs.gnu.org
Subject: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Mon, 12 Apr 2021 04:30:04 -0400

On Mon, Apr 12, 2021 at 02:42:07AM -0400, Leo Famulari wrote:
> I checked wrong; le-certs needs to be updated. I'm testing the update
> now...

I couldn't figure out how to test an update of the Guix package, but here is my patch updating le-certs.

`make update-guix-package` segfaults for me, sometime after it updates the source tree but before adding the source checkout to the store.

I did `guix build guix --with-git-url=guix=$PWD`, which succeeded, but using --with-git-url changes the derivation, so I couldn't test this in a VM sans nss-certs.

--HL+UgvezEOi1xza6 Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename="0001-gnu-le-certs-Update-to-new-Let-s-Encrypt-certificate.patch" Content-Transfer-Encoding: quoted-printable =46rom f0da45e7b78a6dd2b51dec1a948ea95866811c02 Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Mon, 12 Apr 2021 02:19:33 -0400 Subject: [PATCH] gnu: le-certs: Update to new Let's Encrypt certificates. * gnu/packages/certs.scm (le-certs): Update the certificate store. [inputs]: Add isrgrootx2.pem, letsencryptauthorityr3.pem, letsencryptauthorityr4.pem, letsencryptauthoritye1.pem, and letsencryptauthoritye2.pem. Remove letsencryptauthorityx3.pem and letsencryptauthorityx4.pem. [arguments]: Adjust the builder accordingly. --- gnu/packages/certs.scm | 76 ++++++++++++++++++++++++++++++------------ 1 file changed, 55 insertions(+), 21 deletions(-) diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm index b72d927c0d..9dcd733ffe 100644 --- a/gnu/packages/certs.scm +++ b/gnu/packages/certs.scm @@ -147,7 +147,7 @@ taken from the NSS package and thus ultimately from the= Mozilla project.") (define-public le-certs (package (name "le-certs") - (version "0") + (version "1") (source #f) (build-system trivial-build-system) (arguments 
@@ -155,9 +155,12 @@ taken from the NSS package and thus ultimately from th= e Mozilla project.") #:builder (begin (use-modules (guix build utils)) - (let ((root (assoc-ref %build-inputs "isrgrootx1.pem")) - (intermediate (assoc-ref %build-inputs "letsencryptauthorit= yx3.pem")) - (backup (assoc-ref %build-inputs "letsencryptauthorityx4.pe= m")) + (let ((root-rsa (assoc-ref %build-inputs "isrgrootx1.pem")) + (root-ecdsa (assoc-ref %build-inputs "isrgrootx2.pem")) + (intermediate-rsa (assoc-ref %build-inputs "letsencryptauth= orityr3.pem")) + (intermediate-ecdsa (assoc-ref %build-inputs "letsencryptau= thoritye1.pem")) + (backup-rsa (assoc-ref %build-inputs "letsencryptauthorityr= 4.pem")) + (backup-ecdsa (assoc-ref %build-inputs "letsencryptauthorit= ye2.pem")) (out (string-append (assoc-ref %outputs "out") "/etc/ssl/ce= rts")) (openssl (assoc-ref %build-inputs "openssl")) (perl (assoc-ref %build-inputs "perl"))) @@ -166,7 +169,9 @@ taken from the NSS package and thus ultimately from the= Mozilla project.") (lambda (cert) (copy-file cert (string-append out "/" (strip-store-file-name cert)= ))) - (list root intermediate backup)) + (list root-rsa root-ecdsa + intermediate-rsa intermediate-ecdsa + backup-rsa backup-ecdsa)) =20 ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and ;; similar.) 
@@ -186,26 +191,55 @@ taken from the NSS package and thus ultimately from t= he Mozilla project.") (sha256 (base32 "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92")))) - ;; "Let=E2=80=99s Encrypt Authority X3", the active Let's Encrypt i= ntermediate - ;; certificate. - ("letsencryptauthorityx3.pem" + ; Upcoming ECDSA Let's Encrypt root certificate, "ISRG Root X2" + ; Let's Encrypt describes it as "Active, limited availability" + ("isrgrootx2.pem" ,(origin (method url-fetch) - (uri "https://letsencrypt.org/certs/letsencryptauthorityx3.pem") + (uri "https://letsencrypt.org/certs/isrg-root-x2.pem") (sha256 (base32 - "100lxxvqv4fj563bm03zzk5r36hq5jx9nnrajzs38g825c5k0cg2")))) - ;; "Let=E2=80=99s Encrypt Authority X4", the backup Let's Encrypt i= ntermediate - ;; certificate. This will be used for disaster recovery and will o= nly be - ;; used should Let's Encrypt lose the ability to issue with "Let=E2= =80=99s - ;; Encrypt Authority X3". - ("letsencryptauthorityx4.pem" - ,(origin - (method url-fetch) - (uri "https://letsencrypt.org/certs/letsencryptauthorityx4.pem") - (sha256 - (base32 - "0d5256gwf73drq6q6jala28rfzhrgbk5pjfq27vc40ly91pdyh8m")))))) + "04xh8912nwkghqydbqvvmslpqbcafgxgjh9qnn0z2vgy24g8hgd1")))) + ;; "Let=E2=80=99s Encrypt Authority R3", the active Let's Encrypt in= termediate + ;; RSA certificate. + ("letsencryptauthorityr3.pem" + ,(origin + (method url-fetch) + (uri "https://letsencrypt.org/certs/lets-encrypt-r3.pem") + (sha256 + (base32 + "0clxry49rx6qd3pgbzknpgzywbg3j96zy0227wwjnwivqj7inzhp")))) + ;; "Let=E2=80=99s Encrypt Authority E1", the active Let's Encrypt in= termediate + ;; ECDSA certificate. + ("letsencryptauthoritye1.pem" + ,(origin + (method url-fetch) + (uri "https://letsencrypt.org/certs/lets-encrypt-e1.pem") + (sha256 + (base32 + "1zwrc6dlk1qig0z23x6x7fib14rrw41ccbf2ds0rw75zccc59xx0")))) + ;; "Let=E2=80=99s Encrypt Authority R4", the backup Let's Encrypt in= termediate + ;; RSA certificate. 
This will be used for disaster recovery and wil= l only be + ;; used should Let's Encrypt lose the ability to issue with "Let=E2= =80=99s + ;; Encrypt Authority R3". + ("letsencryptauthorityr4.pem" + ,(origin + (method url-fetch) + (uri "https://letsencrypt.org/certs/lets-encrypt-r4.pem") + (sha256 + (base32 + "09bzxzbwb9x2xxan3p1fyj1pi2p5yks0879gwz5f28y9mzq8vmd8")))) + ;; "Let=E2=80=99s Encrypt Authority E2", the backup Let's Encrypt in= termediate + ;; ECDSA certificate. This will be used for disaster recovery and w= ill + ;; only be used should Let's Encrypt lose the ability to issue with = "Let=E2=80=99s + ;; Encrypt Authority E1". + ("letsencryptauthoritye2.pem" + ,(origin + (method url-fetch) + (uri "https://letsencrypt.org/certs/lets-encrypt-e2.pem") + (sha256 + (base32 + "1wfmsa29lyi9dkh6xdcamb2rhkp5yl2ppnsgrzcrjl5c7gbqh9ml")))))) (home-page "https://letsencrypt.org/certificates/") (synopsis "Let's Encrypt root and intermediate certificates") (description "This package provides a certificate store containing onl= y the --=20 2.31.1 --HL+UgvezEOi1xza6--
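
Review bot: In the hunk at @@ -147,7 +147,7 @@, the bump from (version "0") to (version "1") carries no comment saying what the number tracks. With (source #f) there is no upstream release to follow, so a one-line comment beside the version field stating that it counts revisions of the bundled certificate set would tell the next person when to bump it.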
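
Review bot: In the hunk at @@ -155,9 +155,12 @@, each of the six certificates is now named in three places that must be kept in sync by hand: a let binding here, the (list root-rsa root-ecdsa ...) call in the following hunk, and the input label. A mistyped label makes assoc-ref return #f, and the error only surfaces when copy-file runs. Consider keeping one list of labels and mapping assoc-ref over it, so the builder cannot drift from the inputs at the next intermediate rotation.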
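
Review bot: In the hunk at @@ -186,26 +191,55 @@, the two comment lines above ("isrgrootx2.pem" use a single ; where every other comment in these inputs uses ;;, and they describe ISRG Root X2 as "Upcoming" on one line and "Active, limited availability" on the next. Use ;; and settle on one status wording. The new labels also keep the old prefix (letsencryptauthorityr3.pem) while the fetched files are named lets-encrypt-r3.pem; the builder names the installed file with (strip-store-file-name cert), not the label, so matching the labels to the upstream file names would make it easier to relate an input to what lands in /etc/ssl/certs.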