Closed Bug 1164315 Opened 5 years ago Closed 5 years ago
.org fingerprint for "./mach mercurial-setup"
I run "./mach mercurial-setup" and have this error.

Ensuring mqext extension is up to date...
pulling from https://bitbucket.org/sfink/mqext
abort: certificate for bitbucket.org has unexpected fingerprint 46:de:34:e7:9b:18:cd:7f:ae:fd:8b:e3:bc:f4:1a:5e:38:d7:ac:24 (check hostfingerprint configuration)

Their fingerprint has been changed. See "Bitbucket’s SSL certificate is changing for SHA-2" http://blog.bitbucket.org/2015/05/06/bitbuckets-ssl-certificate-is-changing-for-sha-2/
Is pinning fingerprints worth the hassle given things like this?
(In reply to Ted Mielczarek [:ted.mielczarek] from comment #2)
> Is pinning fingerprints worth the hassle given things like this?

Python <2.7.9 doesn't have a robust SSL implementation and doesn't do certificate checking by default. (This is a major reason you should use libraries like "requests" instead of doing *any* https:// with the standard library.)

To make up for Python's lackings, Mercurial implements support for specifying a ca roots file *and* it enables you to declare fingerprints for known hostnames.

As of Mercurial 3.4, Mercurial can integrate with the new APIs made available to the ssl stdlib module that allow loading the system's CA cert store. This is only available with Python 2.7.9+ of course.

So, the short answer is: long term, everyone upgrades to modern Mercurial and Python and we rely on the system CA store instead of fingerprints for this kind of thing.
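
An added example, not part of the bug thread and not Mercurial's or mach's code: it shows why a pinned SHA-1 fingerprint goes stale when a host reissues its certificate, next to the system-CA-store context that Python 2.7.9+ provides. The host name, certificate bytes and hgrc text are constructed, and the hgrc parsing is a simplified stand-in.

```python
import configparser
import hashlib
import hmac
import ssl

def fingerprint(der_cert):
    """SHA-1 of the DER certificate as colon-separated hex (format of the abort message)."""
    digest = hashlib.sha1(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def load_pins(hgrc_text):
    """Read [hostfingerprints] from hgrc-style text (simplified parser, an assumption)."""
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.read_string(hgrc_text)
    return dict(cp["hostfingerprints"]) if cp.has_section("hostfingerprints") else {}

def check_pin(host, der_cert, pins):
    """Return 'match', 'mismatch' (abort the connection) or 'no-pin' (use CA validation)."""
    pinned = pins.get(host.lower())
    if pinned is None:
        return "no-pin"
    norm = lambda fp: fp.replace(":", "").strip().lower()
    same = hmac.compare_digest(norm(pinned), norm(fingerprint(der_cert)))
    return "match" if same else "mismatch"

def system_ca_context():
    """Python 2.7.9+/3.4+: system CA store, chain verification and hostname checking on."""
    return ssl.create_default_context()

# Constructed stand-ins for a host's certificate before and after a reissue.
OLD_CERT = b"constructed DER bytes: certificate before rotation"
NEW_CERT = b"constructed DER bytes: certificate after rotation"
# Constructed hgrc text pinning the old certificate for a hypothetical host.
HGRC = "[hostfingerprints]\nhg.example.test = %s\n" % fingerprint(OLD_CERT)

if __name__ == "__main__":
    pins = load_pins(HGRC)
    print(check_pin("hg.example.test", OLD_CERT, pins))  # pin still valid
    print(check_pin("hg.example.test", NEW_CERT, pins))  # reissued cert: pin is stale
    ctx = system_ca_context()
    print(ctx.verify_mode == ssl.CERT_REQUIRED, ctx.check_hostname)
```

A "mismatch" result has to be treated as a hard failure until the new fingerprint is confirmed through a trusted channel; the CA-store context needs no such update when a certificate is legitimately reissued.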