[debbugs-tracker] bug#27437: closed (Source downloader accepts X.509 certificate for incorrect domain)

[GNU bug Tracking System]

Your message dated Thu, 27 Jul 2017 21:34:29 +0200
with message-id <address@hidden>
and subject line Re: bug#27437: Source downloader accepts X.509 certificate for 
incorrect domain
has caused the debbugs.gnu.org bug report #27437,
regarding Source downloader accepts X.509 certificate for incorrect domain
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
27437: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=27437
GNU Bug Tracking System
Contact address@hidden with problems

--- Begin Message --- Subject: Source downloader accepts X.509 certificate for incorrect domain Date: Wed, 21 Jun 2017 02:17:52 -0400 User-agent: Mutt/1.8.3 (2017-05-23)

While working on some package updates, I found that the source code
downloader will accept an X.509 certificate for an incorrect site.

Here is what happens:

------
$ ./pre-inst-env guix build -S opus-tools --check
@ build-started 
/gnu/store/nn93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv - 
x86_64-linux 
/var/log/guix/drvs/nn//93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv.bz2
 
Starting download of 
/gnu/store/0js62s7pz9gfcdsd1n764w91mhhwkws4-opus-tools-0.1.10.tar.gz
From https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz...
 ….1.10.tar.gz  305KiB              822KiB/s 00:00 [####################] 100.0%
warning: rewriting hashes in 
`/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz'; cross 
fingers
/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz
------

Here is an example of what I think should happen in this case:

------
$ curl https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz
curl: (51) SSL: certificate subject name (osuosl.org) does not match target 
host name 'downloads.xiph.org'
------

And this is what Firefox says:

------
downloads.xiph.org uses an invalid security certificate.

The certificate is only valid for the following names:
  osuosl.org, *.osuosl.org  

Error code: SSL_ERROR_BAD_CERT_DOMAIN
------

signature.asc
Description: PGP signature

--- End Message ---

> --- Begin Message ---
>
>
>
> Subject: 
>
> Re: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
>
>
>
>
> Date: 
>
> Thu, 27 Jul 2017 21:34:29 +0200
>
>
>
>
> User-agent: 
>
> mu4e 0.9.18; emacs 25.2.1
>
>
>
>
> Ludovic Courtès <address@hidden> writes:
>
> > Ricardo Wurmus <address@hidden> skribis:
> >
> >>>From 44b8f1c04713d11601d964ecfbe2fc248a15e7c0 Mon Sep 17 00:00:00 2001
> >> From: Ricardo Wurmus <address@hidden>
> >> Date: Fri, 23 Jun 2017 09:24:58 +0200
> >> Subject: [PATCH] doc: Encourage signature verification.
> >>
> >> * doc/contributing.texi (Submitting Patches): Remind contributors to verify
> >> cryptographic signatures.
> >> ---
> >>  doc/contributing.texi | 6 ++++++
> >>  1 file changed, 6 insertions(+)
> >>
> >> diff --git a/doc/contributing.texi b/doc/contributing.texi
> >> index 925c584e4..0073f2451 100644
> >> --- a/doc/contributing.texi
> >> +++ b/doc/contributing.texi
> >> @@ -334,6 +334,12 @@ updates for a given software package in a single place 
> >> and have them
> >>  affect the whole system---something that bundled copies prevent.
> >>  
> >>  @item
> >> +If the authors of the packaged software provide a cryptographic
> >> +signature for the release tarball, make an effort to verify the
> >> +authenticity of the archive.  For a detached GPG signature file this
> >> +would be done with the @code{gpg --verify} command.
> >
> > I would make it the very first item of the check list.
> >
> > If that’s fine with you, please push and maybe close the bug!
>
> Looks like I’ve already pushed this a while back.  I’ll move it up to
> the top of the list.  (And I’m closing this bug.)
>
> -- 
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
> https://elephly.net
>
>
>
> --- End Message ---