From bc3c41ce36349ed4ec758c70b48a7059e363043a Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Mon, 7 Nov 2016 23:07:08 +0100 Subject: download: Verify TLS certificates unless asked not to. Fixes . Reported by Leo Famulari . * guix/build/download.scm (%x509-certificate-directory): New variable. (make-credendials-with-ca-trust-files, peer-certificate) (assert-valid-server-certificate, print-tls-certificate-error): New procedures. Add 'print-tls-certificate-error' as an exception printer for 'tls-certificate-error'. (tls-wrap): Add #:verify-certificate? parameter and honor it. (open-connection-for-uri): Likewise. (http-fetch): Likewise. (url-fetch): Likewise. * guix/download.scm (url-fetch)[builder]: Pass #:verify-certificate? #f. * guix/scripts/lint.scm (probe-uri): Add case for 'tls-certificate-error'. (validate-uri): Likewise. * doc/guix.texi (Invoking guix download): Mention 'SSL_CERT_DIR'. --- doc/guix.texi | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index b8cb01f48a..349c4816a1 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -4768,6 +4768,11 @@ they are not available, an error is raised. @xref{Guile Preparations, how to install the GnuTLS bindings for Guile,, gnutls-guile, GnuTLS-Guile}, for more information. +@command{guix download} verifies HTTPS server certificates by loading +the certificates of X.509 authorities from the directory pointed to by +the @code{SSL_CERT_DIR} environment variable (@pxref{X.509 +Certificates}). + The following option is available: @table @code -- cgit 1.4.1
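Review bot: the doc hunk documents only the verifying path; the subject line promises verification "unless asked not to", yet nothing in the added paragraph tells the reader how to opt out or what happens when @code{SSL_CERT_DIR} is unset or names an empty directory. The security value of this change rests on verification failing closed rather than silently degrading to an unverified download, so suggest extending the paragraph after "(@pxref{X.509 Certificates})." with one sentence stating that an error is raised when no authority certificates can be loaded (if that is what the new 'assert-valid-server-certificate' from the commit message does) and one naming the option that disables verification, so the opt-out path is discoverable from the manual. If that opt-out is a new command-line option, it also belongs in the @table that follows "The following option is available:", whose wording would then need to become plural.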