mercurial-setup should add fingerprint for hg.cdn.mozilla.net

NEW
Unassigned

Status

Developer Services
Mercurial: configwizard
2 years ago
2 years ago

People

(Reporter: xidorn, Unassigned)

Tracking

Details

(Reporter)

Description

2 years ago
When I tried to clone the stylo repo in a new machine today, there was an error:
> destination directory: stylo
> applying clone bundle from https://hg.cdn.mozilla.net/experimental/mozilla-central-gd/56b3f2c6f53e72698fea6c25130efceef2a26548.gzip-v2.hg
> error fetching bundle: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
> abort: error applying bundle
> (if this error persists, consider contacting the server operator or disable clone bundles via "--config ui.clonebundles=false")

Apparently this is because there is no fingerprint listed in .hgrc for hg.cdn.mozilla.net, and I ran "./mach mercurial-setup" which doesn't fix this issue.

Then I add
> hg.cdn.mozilla.net:fingerprints = sha256:46:87:96:55:18:d1:42:b9:02:aa:fb:11:fe:15:f2:2b:be:90:14:23:f0:29:1e:df:1c:14:77:cc:9a:4b:8a:3e
to my .hgrc manually, this is fixed.

I think this should be done by mercurial-setup command.

Comment 1

2 years ago
I'm curious why the certificate verification failed in the first place. My guess is your CA cert bundle is old?

What does `hg debuginstall` say?
Flags: needinfo?(xidorn+moz)
(Reporter)

Comment 2

2 years ago
It says:
> checking encoding (UTF-8)...
> checking Python executable (/usr/local/opt/python/bin/python2.7)
> checking Python version (2.7.12)
> checking Python lib (/usr/local/Cellar/python/2.7.12/Frameworks/Python.framework/Versions/2.7/lib/python2.7)...
> checking Mercurial version (3.9.1)
> checking Mercurial custom build ()
> checking module policy (c)
> checking installed modules (/usr/local/Cellar/mercurial/3.9.1/lib/python2.7/site-packages/mercurial)...
> checking templates (/usr/local/Cellar/mercurial/3.9.1/lib/python2.7/site-packages/mercurial/templates)...
> checking default template (/usr/local/Cellar/mercurial/3.9.1/lib/python2.7/site-packages/mercurial/templates/map-cmdline.default)
> checking commit editor... (mvim -f)
> checking username (Xidorn Quan <...>)
> no problems detected
Flags: needinfo?(xidorn+moz)
(Reporter)

Comment 3

2 years ago
Oh, probably because my .hgrc has:
> [web]
> cacerts = /etc/hg-dummy-cert.pem

I think it was something necessary before for hg to work properly on Mac, but I guess it is no longer needed and became harmful now?
(Reporter)

Comment 4

2 years ago
This is a trick documented in https://www.mercurial-scm.org/wiki/CACertificates#Mac_OS_X_10.6_and_higher

So it seems it is no longer necessary after Mercurial 3.2. And after I comment out that line, it works as expected.
You need to log in before you can comment on or make changes to this bug.