
Updated Arcanist default.pem with the most recent one from Mozilla
Needs Review, Public

Authored by Ekubischta on Mon, Oct 4, 13:34.

Details

Reviewers
None
Group Reviewers
Restricted Owners Package (Owns No Changed Paths)
Maniphest Tasks
T15051: default.pem in Arcanist is out of date
Summary

The current default.pem file in Arcanist is from Wed Jan 20 04:12:04 2016 and at this point is out of date

This revision replaces that .pem file with the one from here https://curl.se/ca/cacert.pem which is the Mozilla CA Certificate store from https://curl.se/docs/caextract.html

Specifically, this addresses any issues with the LetsEncrypt root certificate expiration of 9/30/21

Test Plan

Ran this and did not get a fail: `curl -v --cacert ./resources/ssl/default.pem https://letsencrypt.org/`

NOTE: We are getting a lint failure because of characters, this will need to be ignored in a future update to this revision

Diff Detail

Repository
rARC Arcanist
Branch
T15051-Arcanist_DefaultPem_OutOfDate
Lint
Lint Errors
Severity | Location | Code | Message
Error | resources/ssl/default.pem:649 | TXT5 | Bad Charset
Unit
No Test Coverage
Build Status
Buildable 47
Build 47: arc lint + arc unit

Event Timeline

Owners added a reviewer: Restricted Owners Package. (Mon, Oct 4, 13:34)
Ekubischta edited the test plan for this revision.

Because of security issues related to this I’d like to have a verification of this type of change since this inherently defines the trust used by arc.

Maybe 2 core members independently verify these certificate changes? Is there a fast way to verify the individual certs changed here?

In D25023#827, @speck wrote:

Because of security issues related to this I’d like to have a verification of this type of change since this inherently defines the trust used by arc.

Maybe 2 core members independently verify these certificate changes? Is there a fast way to verify the individual certs changed here?

One option is to validate against the SHA-256 hash.

The details of the file are here: https://curl.se/docs/caextract.html

The SHA-256 hash according to them is here: https://curl.se/ca/cacert.pem.sha256

You can validate the pem in this revision by running `sha256sum ./resources/ssl/default.pem` and it should match.

For verbosity, the hash is f524fc21859b776e18df01a87880efa198112214e13494275dbcbd9bcb71d976
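
One way to combine the whole-file SHA-256 check with the per-certificate comparison asked about in this thread, as an added example that is not part of this revision or of Arcanist. The function names and the sample bundles are hypothetical, and the sample "certificates" are constructed byte strings rather than real roots.

```python
import base64
import hashlib
import re

# One PEM certificate block; the body between the markers is base64-encoded DER.
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def file_sha256(data: bytes) -> str:
    """SHA-256 of the whole bundle, the same value sha256sum prints."""
    return hashlib.sha256(data).hexdigest()


def cert_fingerprints(bundle: bytes) -> set:
    """SHA-256 fingerprint of each certificate's DER bytes in a PEM bundle."""
    prints = set()
    for match in PEM_CERT.finditer(bundle):
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def review_bundle_change(old: bytes, new: bytes, expected_sha256: str) -> dict:
    """Check the new bundle against the published hash and diff it per cert."""
    old_fp, new_fp = cert_fingerprints(old), cert_fingerprints(new)
    published = expected_sha256.split()[0].lower()  # accepts "hash  filename"
    return {
        "hash_ok": file_sha256(new) == published,
        "added": sorted(new_fp - old_fp),
        "removed": sorted(old_fp - new_fp),
        "kept": len(old_fp & new_fp),
    }


def pem_wrap(der: bytes) -> bytes:
    """Wrap bytes in PEM armor (used only to build the constructed samples)."""
    body = base64.encodebytes(der)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


# Constructed bundles: the update drops "expired-root" and adds "new-root".
OLD = b"comment line\n" + pem_wrap(b"expired-root") + pem_wrap(b"shared-root")
NEW = pem_wrap(b"shared-root") + pem_wrap(b"new-root")

if __name__ == "__main__":
    report = review_bundle_change(OLD, NEW, file_sha256(NEW) + "  cacert.pem")
    print(report)
```

With the real files, `old` and `new` would be the bytes of the previous and updated `resources/ssl/default.pem`, and `expected_sha256` the contents of the published `.sha256` file. The hash match shows the file is the one curl.se published; the added and removed fingerprints are what two reviewers can compare independently.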