[PATCH 1 of 2 v2] osx: install dummy web.cacerts to enable use of system keychain

Mads Kiilerich mads at kiilerich.com
Sun Aug 31 03:25:20 CDT 2014


# HG changeset patch
# User Mads Kiilerich <madski at unity3d.com>
# Date 1409473464 -7200
#      Sun Aug 31 10:24:24 2014 +0200
# Node ID 7ae1fe0a0751e3e5970574e472d1361f9593f5f5
# Parent  ca6d28307d6fd64a0ff9d9504b91f07b1601dc36
osx: install dummy web.cacerts to enable use of system keychain

On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore
Mercurial use to implement their SSL support) will look in the system keychain.
Unfortunately, the SSL code in the Python core doesn't allow for this
situation---it always expects you to specify a certificate bundle, and if one
is specified it must contain at least one certificate.

We ship a pem file with a certificate that expired before it began so it can't
contain any backdoor.

diff --git a/contrib/macosx/dummycert.pem b/contrib/macosx/dummycert.pem
new file mode 100644
--- /dev/null
+++ b/contrib/macosx/dummycert.pem
@@ -0,0 +1,54 @@
+On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore
+Mercurial use to implement their SSL support) will look in the system keychain.
+Unfortunately, the SSL code in the Python core doesn't allow for this
+situation---it always expects you to specify a certificate bundle, and if one
+is specified if must contain at least one certificate.
+
+cat > cn.conf << EOT
+[req]
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+commonName = Common Name
+commonName_default = no.example.com
+EOT
+
+openssl req -nodes -new -x509 -keyout /dev/null -out dummycert.pem -days -1 -config cn.conf -subj '/CN=hg.example.com'
+
+-----BEGIN CERTIFICATE-----
+MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn
+LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX
+MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
+mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK
+CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a
+IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We
+aKdQRekuMQ==
+-----END CERTIFICATE-----
+
+openssl x509 -in dummycert.pem -noout -text
+
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 15629337334278746470 (0xd8e68f7f6c6f7166)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN=hg.example.com
+        Validity
+            Not Before: Aug 30 08:45:59 2014 GMT
+            Not After : Aug 29 08:45:59 2014 GMT
+        Subject: CN=hg.example.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (512 bit)
+                Modulus:
+                    00:9a:1f:d9:c9:21:a5:72:ad:00:2c:d2:e6:03:58:
+                    19:aa:de:b5:1e:bb:b2:c0:fa:d1:93:a5:b2:ac:b2:
+                    51:82:df:97:ec:e3:fd:14:59:44:7e:5d:ad:cc:77:
+                    f3:aa:f9:8a:0a:d4:90:a0:f2:0d:58:e7:40:24:c7:
+                    a4:05:81:60:29
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+         17:d8:78:f4:b9:12:a8:9e:9a:22:5a:68:81:9b:94:1e:d8:a1:
+         5d:e2:99:06:c8:a4:b5:52:03:94:37:1c:62:c3:72:d1:14:a1:
+         f5:7c:54:7e:19:3e:5c:c2:f0:f2:30:65:62:f7:25:b5:25:dd:
+         27:b5:9e:68:a7:50:45:e9:2e:31
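Review bot: the recipe recorded in the file does not reproduce the certificate it sits next to: cn.conf sets `commonName_default = no.example.com`, but the openssl command passes `-subj '/CN=hg.example.com'`, which overrides the config, and the dumped certificate indeed shows `Issuer: CN=hg.example.com`. Drop either the commonName_default line or the -subj option so a reader can re-run the recipe and get the shipped result. It would also help to state in the file why this certificate is safe to place in a trust bundle: `-days -1` makes Not After (Aug 29) precede Not Before (Aug 30), so the certificate is never within its validity window and nothing chaining to it can verify, and `-keyout /dev/null` discards the private key; that reasoning, rather than the shell commands, is what a future maintainer needs, and it is also the only thing that makes the 512-bit sha1 key acceptable here. OpenSSL's PEM reader ignores text outside the BEGIN/END markers, so the prose is harmless, but the paragraph copied verbatim from the commit message could be reduced to a one-line pointer.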
diff --git a/contrib/macosx/dummycert.rc b/contrib/macosx/dummycert.rc
new file mode 100644
--- /dev/null
+++ b/contrib/macosx/dummycert.rc
@@ -0,0 +1,2 @@
+[web]
+cacerts = /etc/mercurial/hgrc.d/dummycert.pem
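Review bot: the absolute path in `cacerts = /etc/mercurial/hgrc.d/dummycert.pem` has to stay in sync with the install target hard-coded in setup.py; if the data files land anywhere else (a rooted or prefixed install, or a packager that relocates /etc), this rc file sets web.cacerts to a file that does not exist, which is worse than leaving it unset. A comment in the rc file pointing at setup.py, or generating the path at install time, would make that coupling visible. The file should also say in one line that this bundle exists only to switch certificate verification on and that the actual trust decisions come from the system keychain, so an administrator who finds a stray "dummy" certificate under hgrc.d does not delete it and silently lose verification.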
diff --git a/setup.py b/setup.py
--- a/setup.py
+++ b/setup.py
@@ -495,6 +495,11 @@ for root in ('templates',):
             packagedata['mercurial'].append(f)
 
 datafiles = []
+if sys.platform == 'darwin':
+    datafiles.append(
+        ('/etc/mercurial/hgrc.d', ['contrib/macosx/dummycert.rc',
+                                   'contrib/macosx/dummycert.pem']))
+
 setupversion = version
 extra = {}
 
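Review bot: `datafiles.append(('/etc/mercurial/hgrc.d', [...]))` uses an absolute install directory, so any non-root install on darwin (`setup.py install --user`, a virtualenv, a `--prefix` build) will attempt to write into /etc and fail with a permission error. Either gate the append on the install target or document that a system-wide install is expected on OS X. The condition also fires on every darwin build, while the commit message scopes the keychain fallback to OS X 10.6 and higher; a short comment next to the `sys.platform == 'darwin'` check stating that assumption and what the two files do would spare the next reader a trip through the history.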
