From patchwork Sun Aug 31 08:25:20 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [1 of 2 v2] osx: install dummy web.cacerts to enable use of system keychain
From: Mads Kiilerich
X-Patchwork-Id: 5652
Message-Id: <7ae1fe0a0751e3e59705.1409473520@localhost.localdomain>
To: mercurial-devel@selenic.com
Date: Sun, 31 Aug 2014 10:25:20 +0200

# HG changeset patch
# User Mads Kiilerich
# Date 1409473464 -7200
#      Sun Aug 31 10:24:24 2014 +0200
# Node ID 7ae1fe0a0751e3e5970574e472d1361f9593f5f5
# Parent  ca6d28307d6fd64a0ff9d9504b91f07b1601dc36
osx: install dummy web.cacerts to enable use of system keychain

On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore
Mercurial use to implement their SSL support) will look in the system keychain.
Unfortunately, the SSL code in the Python core doesn't allow for this
situation---it always expects you to specify a certificate bundle, and if one
is specified it must contain at least one certificate.

We ship a pem file with a certificate that expired before it began so it can't
contain any backdoor.

diff --git a/contrib/macosx/dummycert.pem b/contrib/macosx/dummycert.pem
new file mode 100644
--- /dev/null
+++ b/contrib/macosx/dummycert.pem
@@ -0,0 +1,54 @@ +On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore +Mercurial use to implement their SSL support) will look in the system keychain. +Unfortunately, the SSL code in the Python core doesn't allow for this +situation---it always expects you to specify a certificate bundle, and if one +is specified if must contain at least one certificate. + +cat > cn.conf << EOT +[req] +distinguished_name = req_distinguished_name + +[req_distinguished_name] +commonName = Common Name +commonName_default = no.example.com +EOT + +openssl req -nodes -new -x509 -keyout /dev/null -out dummycert.pem -days -1 -config cn.conf -subj '/CN=hg.example.com' + +-----BEGIN CERTIFICATE----- +MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn +LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX +MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA +mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK +CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a +IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We +aKdQRekuMQ== +-----END CERTIFICATE----- + +openssl x509 -in dummycert.pem -noout -text + +Certificate: + Data: + Version: 1 (0x0) + Serial Number: 15629337334278746470 (0xd8e68f7f6c6f7166) + Signature Algorithm: sha1WithRSAEncryption + Issuer: CN=hg.example.com + Validity + Not Before: Aug 30 08:45:59 2014 GMT + Not After : Aug 29 08:45:59 2014 GMT + Subject: CN=hg.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (512 bit) + Modulus: + 00:9a:1f:d9:c9:21:a5:72:ad:00:2c:d2:e6:03:58: + 19:aa:de:b5:1e:bb:b2:c0:fa:d1:93:a5:b2:ac:b2: + 51:82:df:97:ec:e3:fd:14:59:44:7e:5d:ad:cc:77: + f3:aa:f9:8a:0a:d4:90:a0:f2:0d:58:e7:40:24:c7: + a4:05:81:60:29 + Exponent: 65537 (0x10001) + Signature Algorithm: sha1WithRSAEncryption + 17:d8:78:f4:b9:12:a8:9e:9a:22:5a:68:81:9b:94:1e:d8:a1: + 5d:e2:99:06:c8:a4:b5:52:03:94:37:1c:62:c3:72:d1:14:a1: + 
f5:7c:54:7e:19:3e:5c:c2:f0:f2:30:65:62:f7:25:b5:25:dd: + 27:b5:9e:68:a7:50:45:e9:2e:31 diff --git a/contrib/macosx/dummycert.rc b/contrib/macosx/dummycert.rc new file mode 100644 --- /dev/null +++ b/contrib/macosx/dummycert.rc @@ -0,0 +1,2 @@ +[web] +cacerts = /etc/mercurial/hgrc.d/dummycert.pem diff --git a/setup.py b/setup.py --- a/setup.py +++ b/setup.py @@ -495,6 +495,11 @@ for root in ('templates',): packagedata['mercurial'].append(f) datafiles = [] +if sys.platform == 'darwin': + datafiles.append( + ('/etc/mercurial/hgrc.d', ['contrib/macosx/dummycert.rc', + 'contrib/macosx/dummycert.pem'])) + setupversion = version extra = {}
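Review bot: the comment block at the top of contrib/macosx/dummycert.pem should carry the safety argument that currently only the commit message makes, because the copy installed under /etc/mercurial/hgrc.d is what an administrator or auditor will actually open: state that the private key was discarded (`-keyout /dev/null`) and that the validity window is empty (`Not Before: Aug 30 08:45:59 2014 GMT` followed by `Not After : Aug 29 08:45:59 2014 GMT`), so no chain can ever validate through this anchor and the 512-bit sha1WithRSAEncryption key is of no consequence. Two smaller points in the same hunk: the embedded recipe sets `commonName_default = no.example.com` in cn.conf and then overrides it with `-subj '/CN=hg.example.com'`, so that config section is dead and should either be dropped or made to match the certificate that was actually generated; and the prose repeats the commit message's typo `if must contain`, which should read `it must contain`.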
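Review bot: contrib/macosx/dummycert.rc hard-codes `cacerts = /etc/mercurial/hgrc.d/dummycert.pem` with no comment, so anyone reading the installed configuration sees web.cacerts pointed at an expired self-signed certificate for hg.example.com and no explanation; add a `#` comment line above `[web]` saying the file is a deliberately unusable placeholder that exists only so the Python ssl code accepts a bundle and OpenSSL falls through to the system keychain, and that the value should not be replaced with a real bundle unless keychain lookup is meant to be disabled. The absolute path must also stay in step with the directory setup.py installs into; if either side changes, or the package is installed under a different root, web.cacerts points at a file that does not exist and the mismatch is only discovered at the first HTTPS connection.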
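Review bot: the `if sys.platform == 'darwin':` guard in setup.py installs the placeholder into `/etc/mercurial/hgrc.d` for every Mac OS X build, whereas the commit message scopes the keychain behaviour to 10.6 and higher and to the OpenSSL that Python is linked against; a comment next to the guard should state that assumption, because on a build where it does not hold this file becomes the only trust anchor Mercurial is told about and nothing in the hunk detects that. Writing an absolute path into data_files also means a non-root `setup.py install` on darwin cannot create `/etc/mercurial/hgrc.d`, and an install with a root prefix places the two files somewhere other than the path hard-coded in dummycert.rc; either document that requirement in the hunk or limit the data_files entry to system-wide installs. The hunk context does not show the `import sys`, so confirm it is already present at the top of setup.py rather than relying on it being there.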