From d44d923be971a9f9a05b156e20fe2b26151826a9 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 9 Dec 2014 13:15:31 +0100 Subject: [PATCH] Add option to disable binary cache certificate checking --- doc/manual/command-ref/conf-file.xml | 9 +++++++++ scripts/download-from-binary-cache.pl.in | 8 +++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml index 930ed773f..053f4d43c 100644 --- a/doc/manual/command-ref/conf-file.xml +++ b/doc/manual/command-ref/conf-file.xml @@ -402,6 +402,15 @@ flag, e.g. --option gc-keep-outputs false. + verify-https-binary-caches + + Whether HTTPS binary caches are required to have a + certificate that can be verified. Defaults to + true. + + + + force-manifest If this option is set to false diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in index db030c1db..0e640ee34 100644 --- a/scripts/download-from-binary-cache.pl.in +++ b/scripts/download-from-binary-cache.pl.in @@ -47,7 +47,12 @@ $caBundle = "/etc/ssl/certs/ca-certificates.crt" if !$caBundle && -f "/etc/ssl/c my $userName = getpwuid($<) || $ENV{"USER"} or die "cannot figure out user name"; -my $requireSignedBinaryCaches = ($Nix::Config::config{"signed-binary-caches"} // "0") ne "0"; +sub isTrue { + my ($x) = @_; + return $x eq "true" || $x eq "1"; +} + +my $requireSignedBinaryCaches = isTrue($Nix::Config::config{"signed-binary-caches"} // "0"); my $curlConnectTimeout = int( $Nix::Config::config{"untrusted-connect-timeout"} // @@ -69,6 +74,7 @@ sub addRequest { $curl->setopt(CURLOPT_WRITEDATA, $fh); $curl->setopt(CURLOPT_FOLLOWLOCATION, 1); $curl->setopt(CURLOPT_CAINFO, $caBundle) if defined $caBundle; + $curl->setopt(CURLOPT_SSL_VERIFYPEER, 0) unless isTrue($Nix::Config::config{"verify-https-binary-caches"} // "1"); $curl->setopt(CURLOPT_USERAGENT, "Nix/$Nix::Config::version"); $curl->setopt(CURLOPT_NOBODY, 1) if $head; $curl->setopt(CURLOPT_FAILONERROR, 1);