From bc3c41ce36349ed4ec758c70b48a7059e363043a Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <ludo@gnu.org>
Date: Mon, 7 Nov 2016 23:07:08 +0100
Subject: download: Verify TLS certificates unless asked not to.

Fixes <http://bugs.gnu.org/24466>.
Reported by Leo Famulari <leo@famulari.name>.

* guix/build/download.scm (%x509-certificate-directory): New variable.
(make-credendials-with-ca-trust-files, peer-certificate)
(assert-valid-server-certificate, print-tls-certificate-error): New
procedures.  Add 'print-tls-certificate-error' as an exception printer
for 'tls-certificate-error'.
(tls-wrap): Add #:verify-certificate? parameter and honor it.
(open-connection-for-uri): Likewise.
(http-fetch): Likewise.
(url-fetch): Likewise.
* guix/download.scm (url-fetch)[builder]: Pass #:verify-certificate? #f.
* guix/scripts/lint.scm (probe-uri): Add case for 'tls-certificate-error'.
(validate-uri): Likewise.
* doc/guix.texi (Invoking guix download): Mention 'SSL_CERT_DIR'.
---
 guix/download.scm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'guix/download.scm')

diff --git a/guix/download.scm b/guix/download.scm
index 80507f952a..d94051951c 100644
--- a/guix/download.scm
+++ b/guix/download.scm
@@ -372,7 +372,11 @@ in the store."
                        #:hashes
                        (value-from-environment "guix download hashes")
                        #:content-addressed-mirrors
-                       (primitive-load #$%content-addressed-mirror-file))))))
+                       (primitive-load #$%content-addressed-mirror-file)
+
+                       ;; No need to validate certificates since we know the
+                       ;; hash of the expected result.
+                       #:verify-certificate? #f)))))
 
   (let ((uri (and (string? url) (string->uri url))))
     (if (or (and (string? url) (not uri))
-- 
cgit v1.2.3