Closed Bug 1164315 Opened 5 years ago Closed 5 years ago

Update fingerprint for "./mach mercurial-setup"


(Firefox Build System :: Mach Core, enhancement)



(firefox41 fixed)



(Reporter: TYLin, Assigned: gps)



I ran "./mach mercurial-setup" and got this error.

Ensuring mqext extension is up to date...
pulling from
abort: certificate for has unexpected fingerprint 46:de:34:e7:9b:18:cd:7f:ae:fd:8b:e3:bc:f4:1a:5e:38:d7:ac:24
(check hostfingerprint configuration)

Their fingerprint has been changed. See "Bitbucket’s SSL certificate is changing for SHA-2"
Is pinning fingerprints worth the hassle given things like this?
Assignee: nobody → gps
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
(In reply to Ted Mielczarek [:ted.mielczarek] from comment #2)
> Is pinning fingerprints worth the hassle given things like this?

Python <2.7.9 don't have a robust SSL implementation and don't do certificate checking by default. (This is a major reason you should use libraries like "requests" instead of doing *any* https:// with the standard library.) To make up for Python's lackings, Mercurial implements support for specifying a ca roots file *and* it enables you to declare fingerprints for known hostnames.

As of Mercurial 3.4, Mercurial can integrate with the new APIs made available to the ssl stdlib module that allow loading the system's CA cert store. This is only available with Python 2.7.9+ of course.

So, the short answer is long term everyone upgrades to modern Mercurial and Python and we rely on the system CA store instead of fingerprints for this kind of thing.
Duplicate of this bug: 1188988
See Also: → 1270925
Product: Core → Firefox Build System
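The trade-off discussed in this bug, as an added example that is not part of the original comments and is not Mercurial's own code: a simplified fingerprint-pin check that breaks when the server rotates its certificate, next to a CA-validating context that does not depend on a pinned value. The host name hg.example.test, the certificate bytes and the hgrc text are constructed placeholders; the [hostfingerprints] section name is Mercurial's.

```python
import configparser
import hashlib
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
OLD_CERT_DER = b"constructed-der-bytes-old-certificate"
NEW_CERT_DER = b"constructed-der-bytes-new-sha2-certificate"


def fingerprint(der_bytes):
    """SHA-1 of the DER certificate as colon-separated hex, as in the error above."""
    digest = hashlib.sha1(der_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def load_pins(hgrc_text):
    """Read the [hostfingerprints] section of an hgrc into {host: fingerprint}."""
    parser = configparser.ConfigParser()
    parser.read_string(hgrc_text)
    if not parser.has_section("hostfingerprints"):
        return {}
    return {h: fp.strip().lower() for h, fp in parser.items("hostfingerprints")}


def check_pin(host, der_bytes, pins):
    """Return (ok, message); a host without a pin is reported, never trusted."""
    seen = fingerprint(der_bytes)
    pinned = pins.get(host)
    if pinned is None:
        return False, "no pin for %s; CA validation required" % host
    if seen != pinned:
        return False, "certificate for %s has unexpected fingerprint %s" % (host, seen)
    return True, "fingerprint for %s matches pin" % host


def ca_validating_context():
    """System CA store validation (Python 2.7.9+ / 3.4+); survives rotation."""
    return ssl.create_default_context()


# Constructed hgrc: the pin was recorded while the old certificate was served.
HGRC = "[hostfingerprints]\nhg.example.test = %s\n" % fingerprint(OLD_CERT_DER)

if __name__ == "__main__":
    pins = load_pins(HGRC)
    print(check_pin("hg.example.test", OLD_CERT_DER, pins))
    print(check_pin("hg.example.test", NEW_CERT_DER, pins))
    ctx = ca_validating_context()
    print(ctx.verify_mode == ssl.CERT_REQUIRED, ctx.check_hostname)
```

The second check fails with the same class of error reported in this bug, because the pin identifies one exact certificate rather than a trusted issuer.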