On 2020/10/09 7:57, Connor Sheehan wrote:
> tldr; run `mach vcs-setup` to update the pinned SSL certificate in your hgrc files.
>
>
hg.mozilla.org’s x509 server certificate (AKA an “SSL certificate”) will be rotated on Monday, October 12th. Bug 1670031 tracks this change.
>
> You may have the certificate’s fingerprint pinned in your hgrc files. Automated jobs may pin the fingerprint as well. If you have the fingerprint pinned, you will need to take action otherwise Mercurial will refuse the connection to
hg.mozilla.org once the certificate is swapped.
>
> The easiest way to ensure your pinned fingerprint is up-to-date is to run `mach vcs-setup` from a Mercurial checkout (it can be from an old revision). Both the old and new fingerprints will be pinned and the transition will “just work.” Once the new fingerprint is enabled on the server, run mach vcs-setup again to remove the old fingerprint.
>
> Fingerprints and details of the new certificate (including hgrc config snippets you can copy) are located at Bug 1670031. From a certificate level, this transition is pretty boring: just a standard certificate renewal from the same CA.
>
> The Matrix channel for this operational change will be #vcs. Fallout in Firefox CI should be discussed in #ci. Please track any bugs related to this change against Bug 1668017.
I noticed the change of certificate because I got
abort: certificate for
hg.mozilla.org has unexpected fingerprint
sha256:4d:eb:21:6e:35:2f:99:c6:8f:c3:47:9b:57:b8:6c:17:15:8f:86:09:d4:6c:17:1d:87:b0:de:f9:0e:51:70:fc
(check hostsecurity configuration)
when I ran |hg pull -u| locally to update my tree.
Yes, I missed reading this e-mail and failed to run |mach vcs-setup|
before the server cert change.
Now, it was too late since the cert already changed and I could not run
|mach vcs-setup|.
I had to modify "`/.hgrc/" manually to change the sha256 fingerprint of
the certificate of
hg.mozilla.org.
Now, the issue is this.
After |mach| works again with my modification to add the new sha256
fingerprint to ~/.hgrc,
I thought it was prudent to run |mach vcs-setup| so that my hgrc is in a
sane state (or what the maintainer of |mach vcs-setup| would like it to be).
But running |mach vcs-setup| simply removed all the fingerprints (I
have no idea why I had
bitbucket.org's fingerprint. I must have used it
7-8 years ago and forgot about it).
Removing all the fingerprints simply means there is no fingerprint check
in the future. |mach| simply accepts any cert coming from the server.
Is it the intended?
The following is the diff printed when I ran |mach vcs-setup| after I
tweaked the sha256 fingerprint so that |mach| can talk to
hg.mozilla.org
again.
--- begin quote ---
Would you like to see a diff of the changes first (Yn)? y
--- hgrc.old
+++ hgrc.new
@@ -101,11 +101,6 @@
pager = LESS=FRSXQ less
[hostsecurity]
-bitbucket.org:fingerprints =
sha256:4e:65:3e:76:0f:81:59:85:5b:50:06:0c:c2:4d:3c:56:53:8b:83:3e:9b:fa:55:26:98:9a:ca:e2:25:03:92:47
-### old hg.mozilla.org:fingerprints =
sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48
-
-#hg.mozilla.org:fingerprints =
sha256:FF:E7:8D:93:E9:56:3C:C0:19:FC:00:4C:18:B9:86:E5:08:E5:10:F5:E2:EA:48:E8:22:D3:A3:3A:CA:99:C3:4C,
sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48
-hg.mozilla.org:fingerprints =
sha256:4D:EB:21:6E:35:2F:99:C6:8F:C3:47:9B:57:B8:6C:17:15:8F:86:09:D4:6C:17:1D:87:B0:DE:F9:0E:51:70:FC,
sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48
[color]
wip.bookmarks = yellow underline
Write changes to hgrc file (Yn)? y
--- end quote ---
You can see that |make vcs-setup| deletes all the fingerprints, but did
not add new one(s).
That is a bit disturbing.
Yes, I know I failed to run |mach vcs-setup| before the server key
change, so the ~/.hgrc is in a strange state with my manual edit.
But I would expect |make vcs-setup| to be idempotent, i.e., if I can run
it (after required tweaking of fingerprint after failed timely update)
so that I can run it again and again and end up with expected ~/.hgrc
all the time (presumably with valid fingerprint for checking.)
I think no fingerprint is obviously unexpected output.
TIA
Chiaki