[PATCH v3] osx: install dummy web.cacerts to enable use of system keychain

Mads Kiilerich mads at kiilerich.com
Sun Aug 31 09:30:15 CDT 2014


# HG changeset patch
# User Mads Kiilerich <madski at unity3d.com>
# Date 1409495042 -7200
#      Sun Aug 31 16:24:02 2014 +0200
# Node ID 2bfd45ed381afa1017e546aeb565653f71f820c7
# Parent  ca6d28307d6fd64a0ff9d9504b91f07b1601dc36
osx: install dummy web.cacerts to enable use of system keychain

On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore
Mercurial use to implement their SSL support) will look in the system keychain.
Unfortunately, the SSL code in the Python core doesn't allow for this
situation - it always expects you to specify a certificate bundle, and if one
is specified if must contain at least one certificate.

The shipped pem file contains a certificate that expired before it became valid,
so it can't contain any backdoor.

We only want setup.py to install this configuration when requested. Adding
custom command line options to setup.py is very hard so we just check the
environment variable HGSETUPINSTALLHGRC.

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -137,7 +137,7 @@ i18n/hg.pot: $(PYFILES) $(DOCFILES) i18n
 osx:
 	@which -s bdist_mpkg || \
 	   (echo "Missing bdist_mpkg (easy_install bdist_mpkg)"; false)
-	bdist_mpkg setup.py
+	HGSETUPINSTALLHGRC=1 bdist_mpkg setup.py
 	mkdir -p packages/osx
 	rm -rf dist/mercurial-*.mpkg
 	mv dist/mercurial*macosx*.zip packages/osx
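Review bot: The `HGSETUPINSTALLHGRC=1` prefix on the bdist_mpkg line is the only thing that makes the resulting package write into /etc/mercurial/hgrc.d, and nothing in the Makefile says so; a reader of the `osx` target cannot tell why the variable is set or what it pulls into the package. I would add a comment above that recipe line: `# HGSETUPINSTALLHGRC makes setup.py bundle contrib/macosx/dummycert.{rc,pem} into /etc/mercurial/hgrc.d (see datafiles in setup.py)`. The `osx` recipe continues beyond the end of the hunk.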
diff --git a/contrib/macosx/dummycert.pem b/contrib/macosx/dummycert.pem
new file mode 100644
--- /dev/null
+++ b/contrib/macosx/dummycert.pem
@@ -0,0 +1,50 @@
+-----BEGIN CERTIFICATE-----
+MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn
+LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX
+MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
+mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK
+CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a
+IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We
+aKdQRekuMQ==
+-----END CERTIFICATE-----
+
+This certificate was generated to be valid but obviously unusable:
+
+cat > cn.conf << EOT
+[req]
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+commonName = Common Name
+commonName_default = no.example.com
+EOT
+openssl req -nodes -new -x509 -keyout /dev/null -out dummycert.pem -days -1 -config cn.conf -subj '/CN=hg.example.com'
+
+To verify the content of this certificate:
+
+openssl x509 -in dummycert.pem -noout -text
+
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 15629337334278746470 (0xd8e68f7f6c6f7166)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN=hg.example.com
+        Validity
+            Not Before: Aug 30 08:45:59 2014 GMT
+            Not After : Aug 29 08:45:59 2014 GMT
+        Subject: CN=hg.example.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (512 bit)
+                Modulus:
+                    00:9a:1f:d9:c9:21:a5:72:ad:00:2c:d2:e6:03:58:
+                    19:aa:de:b5:1e:bb:b2:c0:fa:d1:93:a5:b2:ac:b2:
+                    51:82:df:97:ec:e3:fd:14:59:44:7e:5d:ad:cc:77:
+                    f3:aa:f9:8a:0a:d4:90:a0:f2:0d:58:e7:40:24:c7:
+                    a4:05:81:60:29
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+         17:d8:78:f4:b9:12:a8:9e:9a:22:5a:68:81:9b:94:1e:d8:a1:
+         5d:e2:99:06:c8:a4:b5:52:03:94:37:1c:62:c3:72:d1:14:a1:
+         f5:7c:54:7e:19:3e:5c:c2:f0:f2:30:65:62:f7:25:b5:25:dd:
+         27:b5:9e:68:a7:50:45:e9:2e:31
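Review bot: The explanatory text below the certificate never states which properties make this certificate harmless, and its reproduction recipe is inconsistent with itself: cn.conf sets `commonName_default = no.example.com` while the `-subj '/CN=hg.example.com'` argument is what actually lands in the Subject shown further down. I would spell out the two properties right after "obviously unusable": the validity window ends before it begins (`-days -1`, Not After precedes Not Before), so any verifier rejects it as expired, and the private key was written to `/dev/null`, so nobody can sign anything with it. Either drop the unused commonName_default line or add a sentence saying `-subj` overrides it, so the recipe and the dumped certificate agree. The prose after END CERTIFICATE relies on the PEM loader skipping non-PEM lines; presumably that holds for the OpenSSL-based loader this targets, but one line saying the file is consumed as a PEM bundle and that trailing text is ignored would save the next reader from wondering.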
diff --git a/contrib/macosx/dummycert.rc b/contrib/macosx/dummycert.rc
new file mode 100644
--- /dev/null
+++ b/contrib/macosx/dummycert.rc
@@ -0,0 +1,10 @@
+# On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore
+# Mercurial use to implement their SSL support) will look in the system
+# keychain. Unfortunately, the SSL code in the Python core doesn't allow for
+# this situation - it always expects you to specify a certificate bundle, and
+# if one is specified if must contain at least one certificate. This pem
+# contains a dummy certificate that makes the system Python use the system
+# keychain.
+
+[web]
+cacerts = /etc/mercurial/hgrc.d/dummycert.pem
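Review bot: The comment in the new hgrc.d snippet carries a typo on its fifth line, `if one is specified if must contain` should read `it must contain`, and it says "This pem contains" without naming the file that the `cacerts =` line below points at. I would end the comment with `# The path below must match where setup.py installs contrib/macosx/dummycert.pem (/etc/mercurial/hgrc.d).` so the coupling between this snippet and the datafiles entry in setup.py is visible when either one moves.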
diff --git a/setup.py b/setup.py
--- a/setup.py
+++ b/setup.py
@@ -495,6 +495,11 @@ for root in ('templates',):
             packagedata['mercurial'].append(f)
 
 datafiles = []
+if os.getenv('HGSETUPINSTALLHGRC') and sys.platform == 'darwin':
+    datafiles.append(
+        ('/etc/mercurial/hgrc.d', ['contrib/macosx/dummycert.rc',
+                                   'contrib/macosx/dummycert.pem']))
+
 setupversion = version
 extra = {}
 
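Review bot: `os.getenv('HGSETUPINSTALLHGRC')` is true for any non-empty value, so `HGSETUPINSTALLHGRC=0` also installs the /etc/mercurial/hgrc.d files, and nothing documents the variable at the point where it is read. Either compare against the value the Makefile sets, `if os.getenv('HGSETUPINSTALLHGRC') == '1' and sys.platform == 'darwin':`, or add a comment above the condition: `# HGSETUPINSTALLHGRC (set by the osx Makefile target) requests the dummy web.cacerts snippet that lets Python's ssl fall back to the system keychain`. The absolute destination `/etc/mercurial/hgrc.d` presumably means this entry is installed outside any --prefix the installer passes, which looks intended for the mpkg build but deserves a comment as well. Whether `sys` is imported in setup.py is not visible from this hunk.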

