Closed Bug 1164315 Opened 5 years ago Closed 5 years ago

Update bitbucket.org fingerprint for "./mach mercurial-setup"

Categories

(Firefox Build System :: Mach Core, enhancement)


Tracking

(firefox41 fixed)

RESOLVED FIXED
mozilla41

People

(Reporter: TYLin, Assigned: gps)

I run "./mach mercurial-setup" and have this error.

Ensuring mqext extension is up to date...
pulling from https://bitbucket.org/sfink/mqext
abort: certificate for bitbucket.org has unexpected fingerprint 46:de:34:e7:9b:18:cd:7f:ae:fd:8b:e3:bc:f4:1a:5e:38:d7:ac:24
(check hostfingerprint configuration)

Their fingerprint has been changed. See "Bitbucket’s SSL certificate is changing for SHA-2"
http://blog.bitbucket.org/2015/05/06/bitbuckets-ssl-certificate-is-changing-for-sha-2/
Is pinning fingerprints worth the hassle given things like this?
https://hg.mozilla.org/mozilla-central/rev/521cd645b1af
Assignee: nobody → gps
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
(In reply to Ted Mielczarek [:ted.mielczarek] from comment #2)
> Is pinning fingerprints worth the hassle given things like this?

Python versions <2.7.9 don't have a robust SSL implementation and don't do certificate checking by default. (This is a major reason you should use libraries like "requests" instead of doing *any* https:// with the standard library.) To make up for Python's lackings, Mercurial implements support for specifying a ca roots file *and* it enables you to declare fingerprints for known hostnames.

As of Mercurial 3.4, Mercurial can integrate with the new APIs made available to the ssl stdlib module that allow loading the system's CA cert store. This is only available with Python 2.7.9+ of course.

So, the short answer is: long term, everyone upgrades to modern Mercurial and Python, and we rely on the system CA store instead of fingerprints for this kind of thing.
Duplicate of this bug: 1188988
See Also: → 1270925
Product: Core → Firefox Build System
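
Added example (not part of the bug thread, and not Mercurial's or mach's code): a sketch of the pinned-fingerprint check behind the abort message in the report, next to the system-CA-store alternative described in the last comment. The certificate bytes and the pinned value are constructed stand-ins, the function names are hypothetical, and `[hostfingerprints]` is assumed to be the hgrc section that the error's hint refers to.

```python
import configparser
import hashlib
import ssl

# Constructed stand-ins for DER-encoded certificates; not real certificate data.
OLD_CERT_DER = b"constructed stand-in for the certificate before rotation"
NEW_CERT_DER = b"constructed stand-in for the certificate after rotation"


def sha1_fingerprint(der_bytes):
    """Colon-separated SHA-1 of the DER bytes, the format shown in the abort message."""
    digest = hashlib.sha1(der_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint):
    """Compare pins regardless of case, colons or spaces."""
    return fingerprint.replace(":", "").replace(" ", "").lower()


def load_pins(hgrc_text):
    """Read host -> pinned fingerprint pairs from a [hostfingerprints] section."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(hgrc_text)
    if not parser.has_section("hostfingerprints"):
        return {}
    return {host: normalize(fp) for host, fp in parser.items("hostfingerprints")}


def check_host(host, der_bytes, pins):
    """Return 'pinned-ok', 'pinned-mismatch' or 'use-ca-store' for a peer certificate."""
    pinned = pins.get(host.lower())
    if pinned is None:
        return "use-ca-store"  # no pin configured: CA validation has to decide
    seen = normalize(sha1_fingerprint(der_bytes))
    return "pinned-ok" if seen == pinned else "pinned-mismatch"


def ca_store_context():
    """System CA store validation (Python 2.7.9+): no per-host pin to maintain."""
    return ssl.create_default_context()  # CERT_REQUIRED with hostname checking


# Constructed hgrc fragment that pins the pre-rotation certificate.
HGRC = "[hostfingerprints]\nbitbucket.org = %s\n" % sha1_fingerprint(OLD_CERT_DER).upper()
PINS = load_pins(HGRC)
```

A legitimate certificate rotation yields `pinned-mismatch` until the pin is updated, which is the failure reported in this bug; hosts without a pin depend entirely on CA validation being enabled.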