My understanding is that pinning fingerprints was only ever needed if you use Python < 2.7.5 (or something like that) in addition to an old Mercurial. Given we're entirely on Python 3 and require modern Mercurial, there's no reason to pin fingerprints anymore.
In other words, `mach vcs-setup` removing them is intentional.

On Wed, Oct 20, 2021 at 5:56 PM ISHIKAWA,chiaki <[email protected]> wrote:

> On 2020/10/09 7:57, Connor Sheehan wrote:
> > tldr; run `mach vcs-setup` to update the pinned SSL certificate in your
> > hgrc files.
> >
> > hg.mozilla.org’s x509 server certificate (AKA an “SSL certificate”)
> > will be rotated on Monday, October 12th. Bug 1670031 tracks this change.
> >
> > You may have the certificate’s fingerprint pinned in your hgrc files.
> > Automated jobs may pin the fingerprint as well. If you have the fingerprint
> > pinned, you will need to take action otherwise Mercurial will refuse the
> > connection to hg.mozilla.org once the certificate is swapped.
> >
> > The easiest way to ensure your pinned fingerprint is up-to-date is to
> > run `mach vcs-setup` from a Mercurial checkout (it can be from an old
> > revision). Both the old and new fingerprints will be pinned and the
> > transition will “just work.” Once the new fingerprint is enabled on the
> > server, run mach vcs-setup again to remove the old fingerprint.
> >
> > Fingerprints and details of the new certificate (including hgrc config
> > snippets you can copy) are located at Bug 1670031. From a certificate
> > level, this transition is pretty boring: just a standard certificate
> > renewal from the same CA.
> >
> > The Matrix channel for this operational change will be #vcs. Fallout in
> > Firefox CI should be discussed in #ci. Please track any bugs related to
> > this change against Bug 1668017.
>
> I noticed the change of certificate because I got
>
>     abort: certificate for hg.mozilla.org has unexpected fingerprint
>     sha256:4d:eb:21:6e:35:2f:99:c6:8f:c3:47:9b:57:b8:6c:17:15:8f:86:09:d4:6c:17:1d:87:b0:de:f9:0e:51:70:fc
>     (check hostsecurity configuration)
>
> when I ran |hg pull -u| locally to update my tree.
>
> Yes, I missed reading this e-mail and failed to run |mach vcs-setup|
> before the server cert change.
>
> Now, it was too late since the cert already changed and I could not run
> |mach vcs-setup|.
> I had to modify ~/.hgrc manually to change the sha256 fingerprint of
> the certificate of hg.mozilla.org.
>
> Now, the issue is this.
> After |mach| works again with my modification to add the new sha256
> fingerprint to ~/.hgrc,
> I thought it was prudent to run |mach vcs-setup| so that my hgrc is in a
> sane state (or what the maintainer of |mach vcs-setup| would like it to
> be).
> But running |mach vcs-setup| simply removed all the fingerprints (I
> have no idea why I had bitbucket.org's fingerprint. I must have used it
> 7-8 years ago and forgot about it).
> Removing all the fingerprints simply means there is no fingerprint check
> in the future. |mach| simply accepts any cert coming from the server.
> Is it intended?
>
> The following is the diff printed when I ran |mach vcs-setup| after I
> tweaked the sha256 fingerprint so that |mach| can talk to hg.mozilla.org
> again.
>
> --- begin quote ---
> Would you like to see a diff of the changes first (Yn)? y
> --- hgrc.old
> +++ hgrc.new
> @@ -101,11 +101,6 @@
>  pager = LESS=FRSXQ less
>
>  [hostsecurity]
> -bitbucket.org:fingerprints = sha256:4e:65:3e:76:0f:81:59:85:5b:50:06:0c:c2:4d:3c:56:53:8b:83:3e:9b:fa:55:26:98:9a:ca:e2:25:03:92:47
> -### old hg.mozilla.org:fingerprints = sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48
> -
> -#hg.mozilla.org:fingerprints = sha256:FF:E7:8D:93:E9:56:3C:C0:19:FC:00:4C:18:B9:86:E5:08:E5:10:F5:E2:EA:48:E8:22:D3:A3:3A:CA:99:C3:4C, sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48
> -hg.mozilla.org:fingerprints = sha256:4D:EB:21:6E:35:2F:99:C6:8F:C3:47:9B:57:B8:6C:17:15:8F:86:09:D4:6C:17:1D:87:B0:DE:F9:0E:51:70:FC, sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48
>
>  [color]
>  wip.bookmarks = yellow underline
>
> Write changes to hgrc file (Yn)? y
> --- end quote ---
>
> You can see that |mach vcs-setup| deletes all the fingerprints, but did
> not add new one(s).
> That is a bit disturbing.
>
> Yes, I know I failed to run |mach vcs-setup| before the server key
> change, so the ~/.hgrc is in a strange state with my manual edit.
> But I would expect |mach vcs-setup| to be idempotent, i.e., if I can run
> it (after required tweaking of fingerprint after failed timely update)
> so that I can run it again and again and end up with expected ~/.hgrc
> all the time (presumably with valid fingerprint for checking.)
>
> I think no fingerprint is obviously unexpected output.
>
> TIA
>
> Chiaki
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/7edd5cf2-55f1-5915-4efc-1800092e017a%40yk.rim.or.jp.
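Review bot: the hunk deletes the live `-hg.mozilla.org:fingerprints = sha256:4D:EB:21:...` line together with the stale commented entries and the `bitbucket.org` pin, but writes nothing in its place, so after "Write changes to hgrc file" the `[hostsecurity]` section is empty and hg.mozilla.org is verified by CA chain alone rather than by pin. If dropping the pin is the intended end state (as the reply above says it is for Python 3 and a modern Mercurial), the tool should say so in the prompt it prints before the diff instead of silently removing it; if not, the hunk should carry a replacement `+hg.mozilla.org:fingerprints = sha256:4D:EB:21:...` line with the current fingerprint. The now-empty `[hostsecurity]` header left between `pager = LESS=FRSXQ less` and `[color]` could be removed in the same pass.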
--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CAAJAz%2B5Gstd3zmSFUbzWL8Ma40_51KB4wYtRfH3JsaSNsoAVwQ%40mail.gmail.com.
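The whole exchange turns on what a `[hostsecurity]` pin buys you, so here is an added example (mine, not code from mach or Mercurial) that parses `host:fingerprints` lines as they appear in the quoted hgrc and reports the three states the thread passes through: the stale pin that produced the `unexpected fingerprint` abort, the hand-patched pin carrying both fingerprints, and the unpinned hgrc.new where only CA-chain validation remains. The hgrc excerpts are constructed; the fingerprints are the ones quoted above, and `cert_fingerprint` follows the format Mercurial prints (SHA-256 over the DER certificate, colon-separated hex).

```python
"""Mercurial [hostsecurity] fingerprint pinning, walked through the thread's three hgrc states."""
import configparser
import hashlib

# Fingerprints quoted in the thread: the new hg.mozilla.org certificate, then the previous one.
NEW_FP = "sha256:4d:eb:21:6e:35:2f:99:c6:8f:c3:47:9b:57:b8:6c:17:15:8f:86:09:d4:6c:17:1d:87:b0:de:f9:0e:51:70:fc"
OLD_FP = "sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48"

# Constructed hgrc excerpts (assumed), modelled on hgrc.old / hgrc.new from the thread:
# stale pin only, manually patched pin (new + old, upper-case hex as in the diff), and no pin.
HGRC_STALE = "[hostsecurity]\nhg.mozilla.org:fingerprints = " + OLD_FP + "\n"
HGRC_PATCHED = ("[hostsecurity]\n### old hg.mozilla.org:fingerprints = " + OLD_FP + "\n"
                "hg.mozilla.org:fingerprints = sha256:" + NEW_FP[7:].upper() + ", " + OLD_FP + "\n")
HGRC_UNPINNED = "[hostsecurity]\n\n[color]\nwip.bookmarks = yellow underline\n"


def normalise(pin):
    """'sha256:4D:EB:...' -> 'sha256:4deb...'; Mercurial compares the hex part case-insensitively."""
    alg, hexpart = pin.strip().split(":", 1)
    return alg.lower() + ":" + hexpart.replace(":", "").lower()


def parse_pins(hgrc_text):
    """Map host -> set of normalised pins from host:fingerprints lines in [hostsecurity].
    Values are comma-separated; '#' lines are comments, so the '### old' and '#hg.mozilla.org'
    entries in the thread's hgrc.old never count as pins."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))  # ':' is part of the key
    cp.read_string(hgrc_text)
    pins = {}
    if cp.has_section("hostsecurity"):
        for key, value in cp.items("hostsecurity"):
            if key.endswith(":fingerprints"):
                host = key[: -len(":fingerprints")]
                pins[host] = {normalise(p) for p in value.split(",") if p.strip()}
    return pins


def cert_fingerprint(der_cert):
    """Fingerprint in the form Mercurial prints: SHA-256 over the DER certificate, colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return "sha256:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_host(hgrc_text, host, fingerprint):
    """'pinned-ok' if the server fingerprint matches a pin; 'unexpected-fingerprint' if pins exist
    but none match (Mercurial aborts, as in the thread); 'no-pin' if nothing is pinned and only
    CA-chain validation remains (the hgrc.new state)."""
    pins = parse_pins(hgrc_text).get(host)
    if not pins:
        return "no-pin"
    return "pinned-ok" if normalise(fingerprint) in pins else "unexpected-fingerprint"
```

Feed `check_host` the fingerprint your client actually sees (the value from the `abort:` message, or `cert_fingerprint` over the DER certificate) to tell a stale pin apart from a pin that is simply gone.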
