When I tried to clone the stylo repo on a new machine today, there was an error:
> destination directory: stylo
> applying clone bundle from https://hg.cdn.mozilla.net/experimental/mozilla-central-gd/56b3f2c6f53e72698fea6c25130efceef2a26548.gzip-v2.hg
> error fetching bundle: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
> abort: error applying bundle
> (if this error persists, consider contacting the server operator or disable clone bundles via "--config ui.clonebundles=false")
Apparently this is because there is no fingerprint listed in .hgrc for hg.cdn.mozilla.net, and I ran "./mach mercurial-setup", which doesn't fix this issue. Then I added
> hg.cdn.mozilla.net:fingerprints = sha256:46:87:96:55:18:d1:42:b9:02:aa:fb:11:fe:15:f2:2b:be:90:14:23:f0:29:1e:df:1c:14:77:cc:9a:4b:8a:3e
to my .hgrc manually, and this is fixed. I think this should be done by the mercurial-setup command.

I'm curious why the certificate verification failed in the first place. My guess is your CA cert bundle is old? What does `hg debuginstall` say?

It says:
> checking encoding (UTF-8)...
> checking Python executable (/usr/local/opt/python/bin/python2.7)
> checking Python version (2.7.12)
> checking Python lib (/usr/local/Cellar/python/2.7.12/Frameworks/Python.framework/Versions/2.7/lib/python2.7)...
> checking Mercurial version (3.9.1)
> checking Mercurial custom build ()
> checking module policy (c)
> checking installed modules (/usr/local/Cellar/mercurial/3.9.1/lib/python2.7/site-packages/mercurial)...
> checking templates (/usr/local/Cellar/mercurial/3.9.1/lib/python2.7/site-packages/mercurial/templates)...
> checking default template (/usr/local/Cellar/mercurial/3.9.1/lib/python2.7/site-packages/mercurial/templates/map-cmdline.default)
> checking commit editor... (mvim -f)
> checking username (Xidorn Quan <...>)
> no problems detected

Oh, probably because my .hgrc has:
> [web]
> cacerts = /etc/hg-dummy-cert.pem
I think it was something necessary before for hg to work properly on Mac, but I guess it is no longer needed and has become harmful now?

This is a trick documented in https://www.mercurial-scm.org/wiki/CACertificates#Mac_OS_X_10.6_and_higher
So it seems it is no longer necessary after Mercurial 3.2. And after I commented out that line, it works as expected.
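
An added example, not part of the original thread and not code from Mercurial or mach: a small Python check for the configuration discussed above, reporting whether a host is pinned and whether its verification rests solely on a `web.cacerts` override. The function names, the sample hgrc and its placeholder fingerprint are constructed for illustration; `hg_fingerprint` assumes the pin is the SHA-256 digest of the server's DER-encoded certificate, written in the colon-separated form shown in the first comment.

```python
import configparser
import hashlib

# Constructed hgrc modelled on the settings quoted in this thread; the
# hg.mozilla.org entry and its fingerprint value are placeholders.
SAMPLE_HGRC = """\
[web]
cacerts = /etc/hg-dummy-cert.pem

[hostsecurity]
hg.mozilla.org:fingerprints = sha256:00:11:22:33
"""


def hg_fingerprint(der_cert):
    """Format the SHA-256 digest of a DER certificate as a hostsecurity pin."""
    digest = hashlib.sha256(der_cert).hexdigest()
    pairs = (digest[i:i + 2] for i in range(0, len(digest), 2))
    return "sha256:" + ":".join(pairs)


def audit_host(hgrc_text, host):
    """Report how `host` would be verified under the given hgrc text."""
    # hgrc keys such as "host:fingerprints" contain ':', so only '=' may
    # act as the key/value delimiter.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, allow_no_value=True)
    cp.read_string(hgrc_text)
    cacerts = cp.get("web", "cacerts", fallback=None)
    pinned = bool(
        cp.get("hostsecurity", host + ":fingerprints", fallback=None)
        or cp.get("hostfingerprints", host, fallback=None)  # legacy section
    )
    return {
        "cacerts_override": cacerts,
        "pinned": pinned,
        # Unpinned host plus a custom CA file: the connection is verified
        # against that file alone, the situation described in this thread.
        "depends_on_override": bool(cacerts) and not pinned,
    }


if __name__ == "__main__":
    for name in ("hg.mozilla.org", "hg.cdn.mozilla.net"):
        print(name, audit_host(SAMPLE_HGRC, name))
```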