GNU bug report logs - #27437
Source downloader accepts X.509 certificate for incorrect domain

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 21 Jun 2017 06:19:01 UTC

Severity: normal

Done: Ricardo Wurmus <rekado <at> elephly.net>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 27437 <at> debbugs.gnu.org
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Wed, 21 Jun 2017 12:50:15 +0200

Hi,

Leo Famulari <leo <at> famulari.name> skribis:

> While working on some package updates, I found that the source code
> downloader will accept an X.509 certificate for an incorrect site.
>
> Here is what happens:
>
> ------
> $ ./pre-inst-env guix build -S opus-tools --check
> @ build-started /gnu/store/nn93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv - x86_64-linux /var/log/guix/drvs/nn//93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv.bz2
>  
> Starting download of /gnu/store/0js62s7pz9gfcdsd1n764w91mhhwkws4-opus-tools-0.1.10.tar.gz
> From https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz...
>  ….1.10.tar.gz  305KiB              822KiB/s 00:00 [####################] 100.0%
> warning: rewriting hashes in `/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz'; cross fingers
> /gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz
> ------
>
> Here is an example of what I think should happen in this case:
>
> ------
> $ curl https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz
> curl: (51) SSL: certificate subject name (osuosl.org) does not match target host name 'downloads.xiph.org'
> ------

Also:

--8<---------------cut here---------------start------------->8---
$ guix download https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz

Starting download of /tmp/guix-file.vjPVRk
From https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz...
ERROR: X.509 server certificate for 'downloads.xiph.org' does not match: C=US,postalCode=97331,ST=OR,L=Corvallis,street=Oregon State University,street=Kerr Admin Building,O=Oregon State University,OU=OSU OSL,CN=osuosl.org

failed to download "/tmp/guix-file.vjPVRk" from "https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz"
guix download: error:
https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz: download failed
--8<---------------cut here---------------end--------------->8---

The behavior of the source download is on purpose as noted in (guix
download):

                       ;; No need to validate certificates since we know the
                       ;; hash of the expected result.
                       #:verify-certificate? #f)))))

IOW, since we’re checking the integrity of the tarball anyway, and we
assume developers checked its authenticity when writing the recipe, then
who cares whether downloads.xiph.org has a valid certificate?

Conversely, ‘guix download’ always checks certificates by default.

Does it make sense?

Ludo’.
This bug report was last modified 7 years and 304 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.