GNU bug report logs -
#27437
Source downloader accepts X.509 certificate for incorrect domain
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Wed, 21 Jun 2017 06:19:01 UTC
Severity: normal
Done: Ricardo Wurmus <rekado <at> elephly.net>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Your message dated Thu, 27 Jul 2017 21:34:29 +0200
with message-id <87r2x165dm.fsf <at> elephly.net>
and subject line Re: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
has caused the debbugs.gnu.org bug report #27437,
regarding Source downloader accepts X.509 certificate for incorrect domain
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)
--
27437: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=27437
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
[Message part 3 (text/plain, inline)]
While working on some package updates, I found that the source code
downloader will accept an X.509 certificate for an incorrect site.
Here is what happens:
------
$ ./pre-inst-env guix build -S opus-tools --check
@ build-started /gnu/store/nn93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv - x86_64-linux /var/log/guix/drvs/nn//93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv.bz2
Starting download of /gnu/store/0js62s7pz9gfcdsd1n764w91mhhwkws4-opus-tools-0.1.10.tar.gz
From https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz...
….1.10.tar.gz 305KiB 822KiB/s 00:00 [####################] 100.0%
warning: rewriting hashes in `/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz'; cross fingers
/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz
------
Here is an example of what I think should happen in this case:
------
$ curl https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz
curl: (51) SSL: certificate subject name (osuosl.org) does not match target host name 'downloads.xiph.org'
------
And this is what Firefox says:
------
downloads.xiph.org uses an invalid security certificate.
The certificate is only valid for the following names:
osuosl.org, *.osuosl.org
Error code: SSL_ERROR_BAD_CERT_DOMAIN
------
[signature.asc (application/pgp-signature, inline)]
[Message part 5 (message/rfc822, inline)]
Ludovic Courtès <ludo <at> gnu.org> writes:
> Ricardo Wurmus <rekado <at> elephly.net> skribis:
>
>>>From 44b8f1c04713d11601d964ecfbe2fc248a15e7c0 Mon Sep 17 00:00:00 2001
>> From: Ricardo Wurmus <rekado <at> elephly.net>
>> Date: Fri, 23 Jun 2017 09:24:58 +0200
>> Subject: [PATCH] doc: Encourage signature verification.
>>
>> * doc/contributing.texi (Submitting Patches): Remind contributors to verify
>> cryptographic signatures.
>> ---
>> doc/contributing.texi | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/doc/contributing.texi b/doc/contributing.texi
>> index 925c584e4..0073f2451 100644
>> --- a/doc/contributing.texi
>> +++ b/doc/contributing.texi
>> @@ -334,6 +334,12 @@ updates for a given software package in a single place and have them
>> affect the whole system---something that bundled copies prevent.
>>
>> @item
>> +If the authors of the packaged software provide a cryptographic
>> +signature for the release tarball, make an effort to verify the
>> +authenticity of the archive. For a detached GPG signature file this
>> +would be done with the @code{gpg --verify} command.
>
> I would make it the very first item of the check list.
>
> If that’s fine with you, please push and maybe close the bug!
Looks like I’ve already pushed this a while back. I’ll move it up to
the top of the list. (And I’m closing this bug.)
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
This bug report was last modified 7 years and 304 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.