Marius Bakke <mba...@fastmail.com> writes:

>>> I want to bundle a 'le-certs' package with GNU Guix, and change `guix
>>> pull` to know to use the le-certs bundle when pulling from
>>> %snapshot-url. For other URLs, users will have to take care of it
>>> themselves.
>>
>> This sounds like a better approach. Also, I did not see this email
>> before sending the patch! If you package it up, I can look into
>> realizing the package in `guix pull` directly.
>
> I gave this a go using "nss-certs", but can't figure out how to set
> SSL_CERT_DIR (or GUIX_TLS_CERTIFICATE_DIRECTORY) in `guix pull`. The
> naive approach of setting the variable before calling
> "download-to-store" does not work because %x509-certificate-directory
> has already been evaluated.
>
> I wonder what's the best approach here. Parameterizing this and
> propagating it all the way down to (tls-wrap) similar to
> #:verify-certificate? could work, but seems awkward. Any suggestions?
I made it work with the attached hack. It breaks all conventions by allowing #:verify-certificate? to be a search path for certificates. If it wasn't for the implied boolean nature of "#:verify-certificate?" I would be happy with this solution. But I think setting the GUIX_TLS_CERTIFICATE_DIRECTORY environment variable before pulling in (guix download) would be better.
>From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001 From: Marius Bakke <mba...@fastmail.com> Date: Tue, 28 Feb 2017 22:34:29 +0100 Subject: [PATCH] pull: Default to HTTPS. * guix/build/download.scm (tls-wrap): Allow #:verify-certificate? to be a search string for certificates. * guix/scripts/pull.scm (%snapshot-url): Use HTTPS. (guix-pull): Verify against the store path of NSS-CERTS. --- guix/build/download.scm | 7 +++++-- guix/scripts/pull.scm | 8 ++++++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/guix/build/download.scm b/guix/build/download.scm index 203338b52..88da1776f 100644 --- a/guix/build/download.scm +++ b/guix/build/download.scm @@ -342,13 +342,16 @@ way." (define* (tls-wrap port server #:key (verify-certificate? #t)) "Return PORT wrapped in a TLS connection to SERVER. SERVER must be a DNS -host name without trailing dot." +host name without trailing dot. If VERIFY-CERTIFICATE? is a string, it is +assumed to be the search path for TLS certificates passed to gnutls." (define (log level str) (format (current-error-port) "gnutls: [~a|~a] ~a" (getpid) level str)) (let ((session (make-session connection-end/client)) - (ca-certs (%x509-certificate-directory))) + (ca-certs (if (string? verify-certificate?) + verify-certificate? + (%x509-certificate-directory)))) ;; Some servers such as 'cloud.github.com' require the client to support ;; the 'SERVER NAME' extension. However, 'set-session-server-name!' is diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm index a4824e4fd..402332192 100644 --- a/guix/scripts/pull.scm +++ b/guix/scripts/pull.scm @@ -30,6 +30,7 @@ #:use-module ((guix build utils) #:select (with-directory-excursion delete-file-recursively)) #:use-module (gnu packages base) + #:use-module ((gnu packages certs) #:select (nss-certs)) #:use-module (gnu packages guile) #:use-module ((gnu packages bootstrap) #:select (%bootstrap-guile)) 
@@ -45,7 +46,7 @@ (define %snapshot-url ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download" - "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz" + "https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz" ) (define-syntax-rule (with-environment-variable variable value body ...) @@ -224,8 +225,11 @@ contained therein." (with-error-handling (let* ((opts (parse-options)) (store (open-connection)) + (certs (string-append (package-output store nss-certs) + "/etc/ssl/certs")) (url (assoc-ref opts 'tarball-url))) - (let ((tarball (download-to-store store url "guix-latest.tar.gz"))) + (let ((tarball (download-to-store store url "guix-latest.tar.gz" + #:verify-certificate? certs))) (unless tarball (leave (_ "failed to download up-to-date source, exiting\n"))) (parameterize ((%guile-for-build -- 2.12.0
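Review bot: in the tls-wrap hunk, letting #:verify-certificate? carry a string turns a boolean switch into a trust-anchor path; any plain truth test on that keyword (its default is `#t`) will treat every string as "verify", including the empty string "", since a string is a true value in Scheme, and the docstring now has to document two unrelated meanings for one argument. A dedicated keyword (e.g. #:ca-certificate-directory) would be clearer, but the smaller change is to leave tls-wrap untouched and rebind the existing parameter at the call site with `(parameterize ((%x509-certificate-directory certs)) ...)`: the unchanged `(ca-certs (%x509-certificate-directory))` binding already reads it, and nothing needs to be threaded down through download-to-store.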
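Review bot: in the %snapshot-url hunk the closing paren is still stranded on its own line under the string; fold it onto the new HTTPS line so the define reads `"https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz")`. The commented-out hydra.gnu.org URL just above is still `http://`; update it as well or drop it so an unverified default is not resurrected by uncommenting it.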
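Review bot: in the guix-pull hunk, `(package-output store nss-certs)` only computes the store path of nss-certs; it does not build it, so on a machine that has never built or substituted nss-certs the `/etc/ssl/certs` directory handed to tls-wrap does not exist and verification runs with no trust anchors. Build it first (the derivation from `package-derivation`, via `build-derivations`) before calling download-to-store, and leave with an error if the directory is missing rather than letting the TLS layer fail with an opaque message. Also, `certs` is passed for whatever `url` came out of the `tarball-url` option, so a user pointing the pull at another HTTPS host is verified only against the NSS bundle rather than their own GUIX_TLS_CERTIFICATE_DIRECTORY or SSL_CERT_DIR, contrary to the "other URLs, users take care of it themselves" plan quoted above; only supply the bundle when `url` is %snapshot-url.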
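The timing problem in the quoted message (setting the variable right before `download-to-store` has no effect because `%x509-certificate-directory` was already evaluated) and the parameterizing fix Marius floats both come down to when a Guile parameter's default is computed. The stand-alone Guile script below is an added example, not code from Guix or from this patch: it defines a parameter the way the thread describes, with the default read from the environment once at definition time, plus a stand-in for tls-wrap that only reports which directory it would hand to gnutls. The certificate path is a constructed placeholder and the helper names are the example's own. It assumes, as the patch does, that the download runs in the same process as `guix pull`.

```scheme
;; Added example, not Guix code: why setenv after module load is
;; invisible to the TLS layer, and why parameterize does not need to be
;; threaded down through keyword arguments.
(use-modules (ice-9 format))

;; Make the run deterministic regardless of the caller's environment.
(unsetenv "GUIX_TLS_CERTIFICATE_DIRECTORY")
(unsetenv "SSL_CERT_DIR")

;; Same shape as the parameter in (guix build download): the default is
;; computed ONCE, when this definition is evaluated, not on each read.
(define %x509-certificate-directory
  (make-parameter (or (getenv "GUIX_TLS_CERTIFICATE_DIRECTORY")
                      (getenv "SSL_CERT_DIR")
                      "/etc/ssl/certs")))

;; Stand-in for tls-wrap.  Returns the trust directory it would load, or
;; #f when verification is switched off.  Note the keyword stays boolean.
(define* (tls-trust-directory #:key (verify-certificate? #t))
  (and verify-certificate?
       (%x509-certificate-directory)))

;; Stand-in for the caller several frames above tls-wrap (guix-pull in
;; the patch).  The dynamic binding is seen by everything THUNK calls,
;; however deep, without any of those procedures taking a new argument.
(define (call-with-certificate-directory directory thunk)
  (parameterize ((%x509-certificate-directory directory))
    (thunk)))

;; Constructed placeholder; in the real patch this would be the
;; nss-certs store path followed by /etc/ssl/certs.
(define %example-bundle "/tmp/example-nss-certs/etc/ssl/certs")

;; 1. Too late: the default was captured above, so the TLS layer still
;;    sees the compiled-in fallback.
(setenv "GUIX_TLS_CERTIFICATE_DIRECTORY" %example-bundle)
(format #t "after setenv:       ~a~%" (tls-trust-directory))

;; 2. Works: the rebinding is in effect for the whole dynamic extent.
(call-with-certificate-directory
 %example-bundle
 (lambda ()
   (format #t "under parameterize: ~a~%" (tls-trust-directory))))

;; 3. Outside that extent the previous value is restored automatically,
;;    so a bundle chosen for %snapshot-url cannot leak into later
;;    downloads from other URLs.
(format #t "after parameterize: ~a~%" (tls-trust-directory))

;; 4. A boolean keyword keeps its meaning: #f still disables the check.
(format #t "verification off:   ~a~%"
        (tls-trust-directory #:verify-certificate? #f))
```

Run it with `guile` on the file. The first and third lines report the compiled-in default because the `setenv` happened after the parameter's default was fixed, the second reports the rebound directory, and the last shows that the on/off keyword and the trust directory stay separate concerns, which is the distinction the `#:verify-certificate?`-as-string hack collapses.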