guix-commits

329/376: Add option to disable binary cache certificate checking


From: Ludovic Courtès
Subject: 329/376: Add option to disable binary cache certificate checking
Date: Wed, 28 Jan 2015 22:05:57 +0000

civodul pushed a commit to tag 1.8
in repository guix.

commit d44d923be971a9f9a05b156e20fe2b26151826a9
Author: Eelco Dolstra <address@hidden>
Date:   Tue Dec 9 13:15:31 2014 +0100

    Add option to disable binary cache certificate checking
---
 doc/manual/command-ref/conf-file.xml     |    9 +++++++++
 scripts/download-from-binary-cache.pl.in |    8 +++++++-
 2 files changed, 16 insertions(+), 1 deletions(-)

diff --git a/doc/manual/command-ref/conf-file.xml 
b/doc/manual/command-ref/conf-file.xml
index 930ed77..053f4d4 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -402,6 +402,15 @@ flag, e.g. <literal>--option gc-keep-outputs 
false</literal>.</para>
   </varlistentry>
 
 
+  <varlistentry><term><literal>verify-https-binary-caches</literal></term>
+
+    <listitem><para>Whether HTTPS binary caches are required to have a
+    certificate that can be verified. Defaults to
+    <literal>true</literal>.</para></listitem>
+
+  </varlistentry>
+
+
   <varlistentry><term><literal>force-manifest</literal></term>
 
     <listitem><para>If this option is set to <literal>false</literal>
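Review bot: The new verify-https-binary-caches entry does not say what is given up when the option is set to false, nor which spellings count as true. With verification off, the identity of the HTTPS cache is no longer checked, so the paragraph should say that plainly. It should also point readers to signed-binary-caches as the remaining integrity check. Please list the accepted values too, since the script in this same commit treats only "true" and "1" as true.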
diff --git a/scripts/download-from-binary-cache.pl.in 
b/scripts/download-from-binary-cache.pl.in
index db030c1..0e640ee 100644
--- a/scripts/download-from-binary-cache.pl.in
+++ b/scripts/download-from-binary-cache.pl.in
@@ -47,7 +47,12 @@ $caBundle = "/etc/ssl/certs/ca-certificates.crt" if 
!$caBundle && -f "/etc/ssl/c
 
 my $userName = getpwuid($<) || $ENV{"USER"} or die "cannot figure out user 
name";
 
-my $requireSignedBinaryCaches = ($Nix::Config::config{"signed-binary-caches"} 
// "0") ne "0";
+sub isTrue {
+    my ($x) = @_;
+    return $x eq "true" || $x eq "1";
+}
+
+my $requireSignedBinaryCaches = 
isTrue($Nix::Config::config{"signed-binary-caches"} // "0");
 
 my $curlConnectTimeout = int(
     $Nix::Config::config{"untrusted-connect-timeout"} //
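Review bot: Routing signed-binary-caches through isTrue narrows what turns the requirement on, and it does so silently. The removed line enabled it for any value other than "0"; the added line enables it only for exactly "true" or "1". An existing configuration that uses any other non-zero value (for example "yes") will now run with $requireSignedBinaryCaches false and no diagnostic. For a security setting this should fail closed: either keep the ne "0" test for this option, or have isTrue die on values that are neither a recognised true nor a recognised false spelling.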
@@ -69,6 +74,7 @@ sub addRequest {
     $curl->setopt(CURLOPT_WRITEDATA, $fh);
     $curl->setopt(CURLOPT_FOLLOWLOCATION, 1);
     $curl->setopt(CURLOPT_CAINFO, $caBundle) if defined $caBundle;
+    $curl->setopt(CURLOPT_SSL_VERIFYPEER, 0) unless 
isTrue($Nix::Config::config{"verify-https-binary-caches"} // "1");
     $curl->setopt(CURLOPT_USERAGENT, "Nix/$Nix::Config::version");
     $curl->setopt(CURLOPT_NOBODY, 1) if $head;
     $curl->setopt(CURLOPT_FAILONERROR, 1);
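Review bot: The added CURLOPT_SSL_VERIFYPEER line fails open on unrecognised values. Because the condition is unless isTrue(...), any setting of verify-https-binary-caches other than exactly "true" or "1" (a typo, "True", "yes") switches peer verification off. Suggest disabling only on an explicit "false" or "0" and treating everything else as verification on. It would also help to emit a warning when the check is disabled, since nothing in this hunk tells the user that downloads are proceeding without certificate verification.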


