Verify TLS certificate before downloading binaries
The --insecure flag to curl tells curl not to bother checking if the TLS certificate presented by the server actually matches the hostname requested, and actually is issued by a trusted CA chain. This almost entirely negates any benefit from using TLS in the first place. This removes the --insecure flag to ensure we actually have a secure connection to the intended hostname before downloading binaries. Manually tested locally within a dev-shell; was able to download binaries from https://cache.nixos.org without issue. [Note: --insecure was only used for fetching NARs, whose integrity is verified by Nix anyway using the hash from the .narinfo. But if we can fetch the .narinfo without --insecure, we can also fetch the .nar, so there is not much point to using --insecure. --Eelco]
This commit is contained in:
parent
39d1da7b51
commit
4f3cf06c97
|
@ -566,7 +566,7 @@ sub downloadBinary {
|
||||||
die if $requireSignedBinaryCaches && !defined $info->{signedBy};
|
die if $requireSignedBinaryCaches && !defined $info->{signedBy};
|
||||||
print STDERR "\n*** Downloading ‘$url’ ", ($requireSignedBinaryCaches ? "(signed by ‘$info->{signedBy}’) " : ""), "to ‘$storePath’...\n";
|
print STDERR "\n*** Downloading ‘$url’ ", ($requireSignedBinaryCaches ? "(signed by ‘$info->{signedBy}’) " : ""), "to ‘$storePath’...\n";
|
||||||
checkURL $url;
|
checkURL $url;
|
||||||
if (system("$Nix::Config::curl --fail --location --insecure --connect-timeout $curlConnectTimeout -A '$userAgent' '$url' $decompressor | $Nix::Config::binDir/nix-store --restore $destPath") != 0) {
|
if (system("$Nix::Config::curl --fail --location --connect-timeout $curlConnectTimeout -A '$userAgent' '$url' $decompressor | $Nix::Config::binDir/nix-store --restore $destPath") != 0) {
|
||||||
warn "download of ‘$url’ failed" . ($! ? ": $!" : "") . "\n";
|
warn "download of ‘$url’ failed" . ($! ? ": $!" : "") . "\n";
|
||||||
next;
|
next;
|
||||||
}
|
}
|
||||||
|
|
|
@ -17,8 +17,7 @@ my $logFile = "$Nix::Config::logDir/downloads";
|
||||||
# estimating the expected download size.
|
# estimating the expected download size.
|
||||||
my $fast = 1;
|
my $fast = 1;
|
||||||
|
|
||||||
# ‘--insecure’ is fine because Nix verifies the hash of the result.
|
my $curl = "$Nix::Config::curl --fail --location";
|
||||||
my $curl = "$Nix::Config::curl --fail --location --insecure";
|
|
||||||
|
|
||||||
|
|
||||||
# Open the manifest cache and update it if necessary.
|
# Open the manifest cache and update it if necessary.
|
||||||
|
|
Loading…
Reference in a new issue