`mach mercurial-setup` does an `hg pull` from
hg.mozilla.org to obtain the
version-control-tools repository, which is where most of the logic for
`mach mercurial-setup` lives (because we have a nice testing harness in
version-control-tools). `mach mercurial-setup` doesn't pin the hash when
invoking `hg pull` because to do so would require vendoring the hash in the
repo and that means if you ran `mach mercurial-setup` on an old revision,
the pinned hash would be guaranteed to be incorrect and the connection
would always fail. We /could/ hardcode the certificate expiration date and
refuse to pin when it is known expired. But if we rotate the cert early,
you're back to a pinned cert failure. Security is hard.
As of a week ago, `mach mercurial-setup` doesn't pin certs if Python +
Mercurial is secure, where "secure" means Mercurial 3.9 and a Python that
can speak modern TLS foo (which sadly many Python installations do not
support, including the system Python on OS X). So unless you are the super
paranoid type who doesn't trust your trusted CA bundle, you can delete the
pinned fingerprints from your hgrc. If `mach mercurial-setup` thinks your
Python+Mercurial is insecure, it will re-add them.