On 2020/10/09 7:57, Connor Sheehan wrote:
tldr; run `mach vcs-setup` to update the pinned SSL certificate in your hgrc
files.
hg.mozilla.org’s x509 server certificate (AKA an “SSL certificate”) will be
rotated on Monday, October 12th. Bug 1670031 tracks this change.
You may have the certificate’s fingerprint pinned in your hgrc files. Automated
jobs may pin the fingerprint as well. If you have the fingerprint pinned, you
will need to take action otherwise Mercurial will refuse the connection to
hg.mozilla.org once the certificate is swapped.
The easiest way to ensure your pinned fingerprint is up-to-date is to run `mach
vcs-setup` from a Mercurial checkout (it can be from an old revision). Both the
old and new fingerprints will be pinned and the transition will “just work.”
Once the new fingerprint is enabled on the server, run mach vcs-setup again to
remove the old fingerprint.
Fingerprints and details of the new certificate (including hgrc config snippets
you can copy) are located at Bug 1670031. From a certificate level, this
transition is pretty boring: just a standard certificate renewal from the same
CA.
The Matrix channel for this operational change will be #vcs. Fallout in Firefox
CI should be discussed in #ci. Please track any bugs related to this change
against Bug 1668017.
I noticed the change of certificate because I got
abort: certificate for hg.mozilla.org has unexpected fingerprint
sha256:4d:eb:21:6e:35:2f:99:c6:8f:c3:47:9b:57:b8:6c:17:15:8f:86:09:d4:6c:17:1d:87:b0:de:f9:0e:51:70:fc
(check hostsecurity configuration)
when I ran |hg pull -u| locally to update my tree.
Yes, I missed reading this e-mail and failed to run |mach vcs-setup|
before the server cert change.
Now, it was too late since the cert already changed and I could not run
|mach vcs-setup|.
I had to modify "`/.hgrc/" manually to change the sha256 fingerprint of
the certificate of hg.mozilla.org.
Now, the issue is this.
After |mach| works again with my modification to add the new sha256
fingerprint to ~/.hgrc,
I thought it was prudent to run |mach vcs-setup| so that my hgrc is in a
sane state (or what the maintainer of |mach vcs-setup| would like it to be).
But running |mach vcs-setup| simply removed all the fingerprints (I
have no idea why I had bitbucket.org's fingerprint. I must have used it
7-8 years ago and forgot about it).
Removing all the fingerprints simply means there is no fingerprint check
in the future. |mach| simply accepts any cert coming from the server.
Is it the intended?
The following is the diff printed when I ran |mach vcs-setup| after I
tweaked the sha256 fingerprint so that |mach| can talk to hg.mozilla.org
again.
--- begin quote ---
Would you like to see a diff of the changes first (Yn)? y
--- hgrc.old
+++ hgrc.new
@@ -101,11 +101,6 @@
pager = LESS=FRSXQ less
[hostsecurity]
-bitbucket.org:fingerprints =
sha256:4e:65:3e:76:0f:81:59:85:5b:50:06:0c:c2:4d:3c:56:53:8b:83:3e:9b:fa:55:26:98:9a:ca:e2:25:03:92:47
-### old hg.mozilla.org:fingerprints =
sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48
-
-#hg.mozilla.org:fingerprints =
sha256:FF:E7:8D:93:E9:56:3C:C0:19:FC:00:4C:18:B9:86:E5:08:E5:10:F5:E2:EA:48:E8:22:D3:A3:3A:CA:99:C3:4C,
sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48
-hg.mozilla.org:fingerprints =
sha256:4D:EB:21:6E:35:2F:99:C6:8F:C3:47:9B:57:B8:6C:17:15:8F:86:09:D4:6C:17:1D:87:B0:DE:F9:0E:51:70:FC,
sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48
[color]
wip.bookmarks = yellow underline
Write changes to hgrc file (Yn)? y
--- end quote ---
You can see that |make vcs-setup| deletes all the fingerprints, but did
not add new one(s).
That is a bit disturbing.
Yes, I know I failed to run |mach vcs-setup| before the server key
change, so the ~/.hgrc is in a strange state with my manual edit.
But I would expect |make vcs-setup| to be idempotent, i.e., if I can run
it (after required tweaking of fingerprint after failed timely update)
so that I can run it again and again and end up with expected ~/.hgrc
all the time (presumably with valid fingerprint for checking.)
I think no fingerprint is obviously unexpected output.
TIA
Chiaki
--
You received this message because you are subscribed to the Google Groups
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/7edd5cf2-55f1-5915-4efc-1800092e017a%40yk.rim.or.jp.
