Subject: [bug#74776] [PATCH 4/7] channels: Add #:verify-certificate? and honor it.
From: Ludovic Courtès
Date: Wed, 11 Dec 2024 00:34:43 +0100
To: 74776@debbugs.gnu.org
Cc: Ludovic Courtès, Christopher Baines, Josselin Poiret, Mathieu Othacehe, Simon Tournier, Tobias Geerinckx-Rice
X-Mailer: git-send-email 2.46.0

* guix/channels.scm (latest-channel-instance): Add #:verify-certificate? and
pass it on.
(latest-channel-instances): Likewise.

Change-Id: I43564738dfeefa5b735e6f9e349f9f5596d25164
---
 guix/channels.scm | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/guix/channels.scm b/guix/channels.scm
index 34f63eb833..4700f7a45d 100644
--- a/guix/channels.scm
+++ b/guix/channels.scm
@@ -407,12 +407,15 @@ (define* (authenticate-channel channel checkout commit (define* (latest-channel-instance store channel #:key (patches %patches) starting-commit - (authenticate? #f) + (authenticate? #t) (validate-pull - ensure-forward-channel-update)) + ensure-forward-channel-update) + (verify-certificate? #t)) "Return the latest channel instance for CHANNEL. When STARTING-COMMIT is true, call VALIDATE-PULL with CHANNEL, STARTING-COMMIT, the target commit, and -their relation. When AUTHENTICATE? is false, CHANNEL is not authenticated." +their relation. When AUTHENTICATE? is false, CHANNEL is not authenticated. +When VERIFY-CERTIFICATE? is false, invalid X.509 host certificates are +accepted." (define (dot-git? file stat) (and (string=? (basename file) ".git") (eq? 'directory (stat:type stat)))) @@ -421,7 +424,8 @@ (define* (latest-channel-instance store channel (checkout commit relation (update-cached-checkout (channel-url channel) #:ref (channel-reference channel) - #:starting-commit starting-commit))) + #:starting-commit starting-commit + #:verify-certificate? verify-certificate?))) (when relation (validate-pull channel starting-commit commit relation)) @@ -505,13 +509,17 @@ (define* (latest-channel-instances store channels (current-channels '()) (authenticate? #t) (validate-pull - ensure-forward-channel-update)) + ensure-forward-channel-update) + (verify-certificate? #t)) "Return a list of channel instances corresponding to the latest checkouts of CHANNELS and the channels on which they depend. When AUTHENTICATE? is true, authenticate the subset of CHANNELS that has a \"channel introduction\". +When VERIFY-CERTIFICATE? is false, invalid X.509 host certificates are +accepted. + CURRENT-CHANNELS is the list of currently used channels. It is compared against the newly-fetched instances of CHANNELS, and VALIDATE-PULL is called for each channel update and can choose to emit warnings or raise an error, 
@@ -562,7 +570,9 @@ (define* (latest-channel-instances store channels #:validate-pull validate-pull #:starting-commit - current))) + current + #:verify-certificate? + verify-certificate?))) (when authenticate? ;; CHANNEL is authenticated so we can trust the ;; primary URL advertised in its metadata and warn -- 2.46.0
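Review bot: the first hunk (`@@ -407,12 +407,15 @@`) also flips the default of `authenticate?` in `latest-channel-instance` from `#f` to `#t` (`- (authenticate? #f)` / `+ (authenticate? #t)`), which is unrelated to the #:verify-certificate? addition the commit message describes. Changing the authentication default alters behaviour for every caller that relied on the old default; either state it in the commit message (and reflect it next to the "When AUTHENTICATE? is false" docstring sentence) or split it into its own commit so it can be reviewed and bisected on its own.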
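Review bot: the second hunk (`@@ -421,7 +424,8 @@`) passes `#:verify-certificate? verify-certificate?` to `update-cached-checkout`, so this patch only builds once that procedure accepts the keyword. Since this is 4/7 of a series, the commit message should name the earlier patch that adds the keyword to `update-cached-checkout`, so the series cannot be reordered or partially applied in a way that leaves an unknown keyword argument.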
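Review bot: in the third hunk (`@@ -505,13 +509,17 @@`) the new docstring sentence "When VERIFY-CERTIFICATE? is false, invalid X.509 host certificates are accepted." does not say what is given up: once the host certificate is not checked, the Git transport no longer authenticates the remote, and the channel introduction mechanism described in the preceding AUTHENTICATE? sentence becomes the only protection against a substituted channel. Spelling that out (for example, "this disables host authentication for the transport; only channel authentication remains") makes the trade-off visible to callers, and the `#t` default should be kept so that disabling verification is always an explicit opt-out.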
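Review bot: the fourth hunk (`@@ -562,7 +570,9 @@`) forwards `verify-certificate?` into the `latest-channel-instance` call that, per the `latest-channel-instances` docstring in the previous hunk, fetches both CHANNELS and "the channels on which they depend". A single `#:verify-certificate? #f` therefore disables certificate checking for every channel in the dependency closure, including dependencies the user never named. If that scope is intended, say so in the `latest-channel-instances` docstring; if not, consider applying the flag only to the top-level channels and keeping verification on for dependencies.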