mercurial-setup should add fingerprint for



Developer Services
Mercurial: configwizard
2 years ago


(Reporter: xidorn, Unassigned)





2 years ago
When I tried to clone the stylo repo on a new machine today, there was an error:
> destination directory: stylo
> applying clone bundle from
> error fetching bundle: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
> abort: error applying bundle
> (if this error persists, consider contacting the server operator or disable clone bundles via "--config ui.clonebundles=false")

Apparently this is because there is no fingerprint listed in .hgrc for, and I ran "./mach mercurial-setup" which doesn't fix this issue.

Then I added
> = sha256:46:87:96:55:18:d1:42:b9:02:aa:fb:11:fe:15:f2:2b:be:90:14:23:f0:29:1e:df:1c:14:77:cc:9a:4b:8a:3e
to my .hgrc manually, and this was fixed.

I think this should be done by mercurial-setup command.

Comment 1

2 years ago
I'm curious why the certificate verification failed in the first place. My guess is your CA cert bundle is old?

What does `hg debuginstall` say?
Flags: needinfo?(xidorn+moz)

Comment 2

2 years ago
It says:
> checking encoding (UTF-8)...
> checking Python executable (/usr/local/opt/python/bin/python2.7)
> checking Python version (2.7.12)
> checking Python lib (/usr/local/Cellar/python/2.7.12/Frameworks/Python.framework/Versions/2.7/lib/python2.7)...
> checking Mercurial version (3.9.1)
> checking Mercurial custom build ()
> checking module policy (c)
> checking installed modules (/usr/local/Cellar/mercurial/3.9.1/lib/python2.7/site-packages/mercurial)...
> checking templates (/usr/local/Cellar/mercurial/3.9.1/lib/python2.7/site-packages/mercurial/templates)...
> checking default template (/usr/local/Cellar/mercurial/3.9.1/lib/python2.7/site-packages/mercurial/templates/map-cmdline.default)
> checking commit editor... (mvim -f)
> checking username (Xidorn Quan <...>)
> no problems detected
Flags: needinfo?(xidorn+moz)

Comment 3

2 years ago
Oh, probably because my .hgrc has:
> [web]
> cacerts = /etc/hg-dummy-cert.pem

I think it was something necessary before for hg to work properly on Mac, but I guess it is no longer needed and has become harmful now?

Comment 4

2 years ago
This is a trick documented in

So it seems it is no longer necessary after Mercurial 3.2. And after I comment out that line, it works as expected.
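
A check for the configuration described in Comments 3 and 4, as an added example that is not part of the original thread or of mercurial-setup: it lists the hgrc settings that change how hg verifies server certificates, so a leftover `web.cacerts` override is visible before it causes a `CERTIFICATE_VERIFY_FAILED`. The function names, the sample file, the host name `hg.example.org` and the digest are constructed placeholders.

```python
import os
import re

# Constructed sample: the [web] override from Comment 3 plus a pinned fingerprint
# in Mercurial's [hostsecurity] format. Host name and digest are placeholders.
SAMPLE_HGRC = """\
[ui]
username = Example User <user@example.org>

[web]
cacerts = /etc/hg-dummy-cert.pem

[hostsecurity]
hg.example.org:fingerprints = sha256:00:11:22
"""

SECTION = re.compile(r"^\[([^\]]+)\]\s*$")
ITEM = re.compile(r"^([^=\s][^=]*?)\s*=\s*(.*)$")


def parse_hgrc(text):
    """Return {(section, key): value}, skipping comments and blank lines."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = ITEM.match(line)
        if m and section:
            settings[(section, m.group(1).strip())] = m.group(2).strip()
    return settings


def audit_hgrc(text, path_exists=os.path.exists):
    """List settings that change how hg verifies server certificates."""
    findings = []
    for (section, key), value in parse_hgrc(text).items():
        if (section, key) == ("web", "cacerts"):
            # A custom CA file replaces the default trust store for every host.
            state = "present" if path_exists(os.path.expanduser(value)) else "missing"
            findings.append(("ca-override", value, state))
        elif section == "hostsecurity" and key.endswith(":fingerprints"):
            findings.append(("pinned-host", key.rsplit(":", 1)[0], value))
        elif section == "hostfingerprints":  # older pinning section
            findings.append(("pinned-host-legacy", key, value))
    return findings
```

Calling `audit_hgrc(open(os.path.expanduser("~/.hgrc")).read())` reports the same findings for a real file; `%include` directives and continuation lines are ignored by this parser.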