Thank you for the explanation.
If this was intended, then fine.
I re-read the explanation from five years ago by Gregory Szorc [1], and
it seems that modern python and mercurial can use
CA bundle [presumably stored somewhere in M-C?] to verify cert from
hg.mozilla.org by traversing the chain of trust. Makes sense.
> The easiest way to ensure your pinned fingerprint is up-to-date is
to run `mach vcs-setup` from a Mercurial checkout (it can be from an
old revision). Both the old and new fingerprints will be pinned and
the transition will “just work.” Once the new fingerprint is enabled
on the server, run mach vcs-setup again to remove the old fingerprint.
This description may need elaboration. It is no longer true, then, with
modern python and mercurial.
I was worried that what I observed was different from the description above.
TIA
Chiaki
[1]
https://groups.google.com/g/mozilla.dev.platform/c/2wAO695mFnc/m/4pEga1Q-BgAJ?pli=1
On 2021/10/21 7:19, Andrew Halberstadt wrote:
My understanding is that pinning fingerprints was only ever needed if
you use Python < 2.7.5 (or something like that) in addition to an old
Mercurial. Given we're entirely on Python 3 and require modern
Mercurial, there's no reason to pin fingerprints anymore.
In other words, `mach vcs-setup` removing them is intentional.
On Wed, Oct 20, 2021 at 5:56 PM ISHIKAWA,chiaki <[email protected]
<mailto:[email protected]>> wrote:
On 2020/10/09 7:57, Connor Sheehan wrote:
> tldr; run `mach vcs-setup` to update the pinned SSL certificate
in your hgrc files.
>
> hg.mozilla.org <http://hg.mozilla.org>’s x509 server certificate
(AKA an “SSL certificate”) will be rotated on Monday, October
12th. Bug 1670031 tracks this change.
>
> You may have the certificate’s fingerprint pinned in your hgrc
files. Automated jobs may pin the fingerprint as well. If you have
the fingerprint pinned, you will need to take action otherwise
Mercurial will refuse the connection to hg.mozilla.org
<http://hg.mozilla.org> once the certificate is swapped.
>
> The easiest way to ensure your pinned fingerprint is up-to-date
is to run `mach vcs-setup` from a Mercurial checkout (it can be
from an old revision). Both the old and new fingerprints will be
pinned and the transition will “just work.” Once the new
fingerprint is enabled on the server, run mach vcs-setup again to
remove the old fingerprint.
>
> Fingerprints and details of the new certificate (including hgrc
config snippets you can copy) are located at Bug 1670031. From a
certificate level, this transition is pretty boring: just a
standard certificate renewal from the same CA.
>
> The Matrix channel for this operational change will be #vcs.
Fallout in Firefox CI should be discussed in #ci. Please track any
bugs related to this change against Bug 1668017.
I noticed the change of certificate because I got
abort: certificate for hg.mozilla.org <http://hg.mozilla.org> has
unexpected fingerprint
sha256:4d:eb:21:6e:35:2f:99:c6:8f:c3:47:9b:57:b8:6c:17:15:8f:86:09:d4:6c:17:1d:87:b0:de:f9:0e:51:70:fc
(check hostsecurity configuration)
when I ran |hg pull -u| locally to update my tree.
Yes, I missed reading this e-mail and failed to run |mach vcs-setup|
before the server cert change.
Now, it was too late since the cert already changed and I could
not run
|mach vcs-setup|.
I had to modify "`/.hgrc/" manually to change the sha256
fingerprint of
the certificate of hg.mozilla.org <http://hg.mozilla.org>.
Now, the issue is this.
After |mach| works again with my modification to add the new sha256
fingerprint to ~/.hgrc,
I thought it was prudent to run |mach vcs-setup| so that my hgrc
is in a
sane state (or what the maintainer of |mach vcs-setup| would like
it to be).
But running |mach vcs-setup| simply removed all the fingerprints (I
have no idea why I had bitbucket.org <http://bitbucket.org>'s
fingerprint. I must have used it
7-8 years ago and forgot about it).
Removing all the fingerprints simply means there is no fingerprint
check
in the future. |mach| simply accepts any cert coming from the server.
Is it the intended?
The following is the diff printed when I ran |mach vcs-setup| after I
tweaked the sha256 fingerprint so that |mach| can talk to
hg.mozilla.org <http://hg.mozilla.org>
again.
--- begin quote ---
Would you like to see a diff of the changes first (Yn)? y
--- hgrc.old
+++ hgrc.new
@@ -101,11 +101,6 @@
pager = LESS=FRSXQ less
[hostsecurity]
-bitbucket.org:fingerprints =
sha256:4e:65:3e:76:0f:81:59:85:5b:50:06:0c:c2:4d:3c:56:53:8b:83:3e:9b:fa:55:26:98:9a:ca:e2:25:03:92:47
-### old hg.mozilla.org:fingerprints =
sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48
-
-#hg.mozilla.org:fingerprints =
sha256:FF:E7:8D:93:E9:56:3C:C0:19:FC:00:4C:18:B9:86:E5:08:E5:10:F5:E2:EA:48:E8:22:D3:A3:3A:CA:99:C3:4C,
sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48
-hg.mozilla.org:fingerprints =
sha256:4D:EB:21:6E:35:2F:99:C6:8F:C3:47:9B:57:B8:6C:17:15:8F:86:09:D4:6C:17:1D:87:B0:DE:F9:0E:51:70:FC,
sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48
[color]
wip.bookmarks = yellow underline
Write changes to hgrc file (Yn)? y
--- end quote ---
You can see that |make vcs-setup| deletes all the fingerprints,
but did
not add new one(s).
That is a bit disturbing.
Yes, I know I failed to run |mach vcs-setup| before the server key
change, so the ~/.hgrc is in a strange state with my manual edit.
But I would expect |make vcs-setup| to be idempotent, i.e., if I
can run
it (after required tweaking of fingerprint after failed timely
update)
so that I can run it again and again and end up with expected ~/.hgrc
all the time (presumably with valid fingerprint for checking.)
I think no fingerprint is obviously unexpected output.
TIA
Chiaki
--
You received this message because you are subscribed to the Google
Groups "[email protected]
<mailto:[email protected]>" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected]
<mailto:dev-platform%[email protected]>.
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/7edd5cf2-55f1-5915-4efc-1800092e017a%40yk.rim.or.jp
<https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/7edd5cf2-55f1-5915-4efc-1800092e017a%40yk.rim.or.jp>.
--
You received this message because you are subscribed to the Google
Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected]
<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CAAJAz%2B5Gstd3zmSFUbzWL8Ma40_51KB4wYtRfH3JsaSNsoAVwQ%40mail.gmail.com
<https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CAAJAz%2B5Gstd3zmSFUbzWL8Ma40_51KB4wYtRfH3JsaSNsoAVwQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/966dcd58-7dfa-336b-f9e1-57e00b6f194f%40yk.rim.or.jp.
