[PATCH 4 of 4] osx: install dummy web.cacerts to enable use of system keychain

Mads Kiilerich mads at kiilerich.com
Sat Aug 30 07:51:09 CDT 2014


# HG changeset patch
# User Mads Kiilerich <madski at unity3d.com>
# Date 1409402149 -7200
#      Sat Aug 30 14:35:49 2014 +0200
# Node ID fac3528d680da6de7323cf0651545e2e5111df5b
# Parent  9fdbd8dc7fd50cc10d3784826e6f7a5b19cff771
osx: install dummy web.cacerts to enable use of system keychain

On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore
Mercurial use to implement their SSL support) will look in the system keychain.
Unfortunately, the SSL code in the Python core doesn't allow for this
situation---it always expects you to specify a certificate bundle, and if one
is specified it must contain at least one certificate.

So ship a pem file with a certificate that expired before it began, so it can't
contain any backdoor.

diff --git a/contrib/macosx/dummycert.pem b/contrib/macosx/dummycert.pem
new file mode 100644
--- /dev/null
+++ b/contrib/macosx/dummycert.pem
@@ -0,0 +1,54 @@
+On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore
+Mercurial use to implement their SSL support) will look in the system keychain.
+Unfortunately, the SSL code in the Python core doesn't allow for this
+situation---it always expects you to specify a certificate bundle, and if one
+is specified if must contain at least one certificate.
+
+cat > cn.conf << EOT
+[req]
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+commonName = Common Name
+commonName_default = no.example.com
+EOT
+
+openssl req -nodes -new -x509 -keyout /dev/null -out dummycert.pem -days -1 -config cn.conf -subj '/CN=hg.example.com'
+
+-----BEGIN CERTIFICATE-----
+MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn
+LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX
+MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
+mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK
+CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a
+IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We
+aKdQRekuMQ==
+-----END CERTIFICATE-----
+
+openssl x509 -in dummycert.pem -noout -text
+
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 15629337334278746470 (0xd8e68f7f6c6f7166)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN=hg.example.com
+        Validity
+            Not Before: Aug 30 08:45:59 2014 GMT
+            Not After : Aug 29 08:45:59 2014 GMT
+        Subject: CN=hg.example.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (512 bit)
+                Modulus:
+                    00:9a:1f:d9:c9:21:a5:72:ad:00:2c:d2:e6:03:58:
+                    19:aa:de:b5:1e:bb:b2:c0:fa:d1:93:a5:b2:ac:b2:
+                    51:82:df:97:ec:e3:fd:14:59:44:7e:5d:ad:cc:77:
+                    f3:aa:f9:8a:0a:d4:90:a0:f2:0d:58:e7:40:24:c7:
+                    a4:05:81:60:29
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+         17:d8:78:f4:b9:12:a8:9e:9a:22:5a:68:81:9b:94:1e:d8:a1:
+         5d:e2:99:06:c8:a4:b5:52:03:94:37:1c:62:c3:72:d1:14:a1:
+         f5:7c:54:7e:19:3e:5c:c2:f0:f2:30:65:62:f7:25:b5:25:dd:
+         27:b5:9e:68:a7:50:45:e9:2e:31
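Review bot: the recipe recorded in the file is not self-consistent: cn.conf sets `commonName_default = no.example.com`, but the `openssl req` line passes `-subj '/CN=hg.example.com'`, which overrides the config's subject, and the `-text` dump below it indeed shows `Issuer: CN=hg.example.com` / `Subject: CN=hg.example.com`. Either drop the `commonName_default` line or drop `-subj` so that whoever regenerates the file gets the same subject as the checked-in certificate. The dump does confirm the property the commit message relies on (`Not After : Aug 29 08:45:59 2014` precedes `Not Before: Aug 30 08:45:59 2014`, from `-days -1`), and `-keyout /dev/null` discards the 512-bit key, so the cert can never complete a chain; it would help readers to say that in the header text instead of repeating the commit message. While here, the header text carries the same typo as the commit message: "if must contain" should read "it must contain".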
diff --git a/contrib/macosx/dummycert.rc b/contrib/macosx/dummycert.rc
new file mode 100644
--- /dev/null
+++ b/contrib/macosx/dummycert.rc
@@ -0,0 +1,2 @@
+[web]
+cacerts = /etc/mercurial/hgrc.d/dummycert.pem
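Review bot: `cacerts = /etc/mercurial/hgrc.d/dummycert.pem` hardcodes the absolute path that the darwin branch of setup.py installs to; a build with a different prefix, or a user who copies this rc file elsewhere, ends up with `web.cacerts` pointing at a file that does not exist, and then Mercurial has no bundle at all rather than falling back to the keychain. A comment in the rc file stating why an expired certificate is configured on purpose, that the path must match the setup.py datafiles destination, and that a later hgrc.d file or the user's hgrc can override `web.cacerts` to use a real bundle would save the next person from "fixing" it.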
diff --git a/setup.py b/setup.py
--- a/setup.py
+++ b/setup.py
@@ -498,7 +498,9 @@ datafiles = []
 if sys.platform == 'darwin':
     datafiles.append(
         ('/etc/mercurial/hgrc.d', ['contrib/mergetools.rc',
-                                   'contrib/sample.rc']))
+                                   'contrib/sample.rc',
+                                   'contrib/macosx/dummycert.rc',
+                                   'contrib/macosx/dummycert.pem']))
 
 setupversion = version
 extra = {}
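Review bot: the guard is `sys.platform == 'darwin'` only, while the description scopes the keychain lookup to "Mac OS X 10.6 and higher"; the hunk does not check the OS version, so on an older system the expired dummy becomes the only trust anchor in the configured bundle with nothing behind it. Either document that 10.6 is the minimum supported target for this install or gate the two `contrib/macosx/dummycert.*` entries on the version. Also worth a one-line comment here: `dummycert.pem` is not a config file, and it lands in `/etc/mercurial/hgrc.d` only because `dummycert.rc` references it by that path.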


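An added check, not part of this patch or of Mercurial, for the two facts the commit message rests on: Python's `ssl` module refuses a bundle that contains no certificate, and a certificate whose Not After precedes its Not Before satisfies that requirement without ever being able to validate a chain. The script walks the DER of the dummy certificate quoted in the patch above with a minimal TLV parser to read its validity window, flags certificates that are dead on arrival, and loads the same text through `ssl.SSLContext.load_verify_locations` to show it is accepted while a file with no PEM block is rejected. The PEM is copied from the hunk; the helper names and the leading comment line inside the PEM text are this example's own.

```python
"""Added example (not from the patch or from Mercurial): inspect a web.cacerts
bundle the way the commit message reasons about it."""
import base64
import re
import ssl
from datetime import datetime, timezone

# Certificate copied from contrib/macosx/dummycert.pem in the patch above.  The
# first line stands in for the explanatory header the patch keeps in front of
# the PEM block; both the regex below and OpenSSL's PEM reader skip it.
DUMMY_PEM = """Explanatory text before the certificate is ignored by PEM readers.
-----BEGIN CERTIFICATE-----
MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn
LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX
MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK
CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a
IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We
aKdQRekuMQ==
-----END CERTIFICATE-----
"""


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the body of a constructed DER element into its (tag, value) list."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def _parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17) or GeneralizedTime (0x18), UTC only."""
    text = value.decode("ascii")
    if tag == 0x17:
        return datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == 0x18:
        return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("unexpected time tag 0x%02x" % tag)


def pem_certificates(pem_text):
    """DER bytes of every CERTIFICATE block; text outside BEGIN/END is ignored."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
        pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def validity(der):
    """Return (not_before, not_after) of an X.509 certificate given as DER."""
    _, cert_body, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs_body = _children(cert_body)[0]           # tbsCertificate
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:                        # explicit [0] version; absent on v1 certs
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, spki, ...
    _, validity_body = fields[3]
    (nb_tag, nb), (na_tag, na) = _children(validity_body)
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)


def classify_bundle(pem_text):
    """Per certificate: its window and whether it expired before it began."""
    report = []
    for der in pem_certificates(pem_text):
        not_before, not_after = validity(der)
        report.append({"not_before": not_before, "not_after": not_after,
                       "dead_on_arrival": not_after < not_before})
    return report


def python_ssl_accepts(pem_text):
    """Number of certificates Python's ssl loads from the text, 0 if it refuses."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=pem_text)
    except (ssl.SSLError, ValueError):  # "no start line" / "Empty certificate data"
        return 0
    return ctx.cert_store_stats()["x509"]


if __name__ == "__main__":
    for entry in classify_bundle(DUMMY_PEM):
        print("valid from %s to %s, dead on arrival: %s" % (
            entry["not_before"], entry["not_after"], entry["dead_on_arrival"]))
    print("python ssl loaded %d cert(s) from the dummy bundle" % python_ssl_accepts(DUMMY_PEM))
    print("python ssl loaded %d cert(s) from an empty bundle" % python_ssl_accepts("# nothing\n"))
```

Run it against a real bundle (`python3 check.py` after pointing `DUMMY_PEM` at the file's contents) to confirm that a deployed `web.cacerts` contains either real roots or only the inverted-window dummy; a bundle with zero loadable certificates is the failure mode the patch works around, and `python_ssl_accepts` returning 0 reproduces it without a network connection.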
More information about the Mercurial-devel mailing list