upstream/mercurial-mirror Commit - r22575:d7f7f186

ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...

Mads Kiilerich -

r22575:d7f7f186 default

parent child

mercurial/dummycert.pem

0 created 644 +56 0

@@ -0,0 +1,56
	1	A dummy certificate that will make OS X 10.6+ Python use the system CA
	2	certificate store:
	3
	4	-----BEGIN CERTIFICATE-----
	5	MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn
	6	LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX
	7	MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
	8	mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK
	9	CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a
	10	IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We
	11	aKdQRekuMQ==
	12	-----END CERTIFICATE-----
	13
	14	This certificate was generated to be syntactically valid but never be usable;
	15	it expired before it became valid.
	16
	17	Created as:
	18
	19	$ cat > cn.conf << EOT
	20	> [req]
	21	> distinguished_name = req_distinguished_name
	22	> [req_distinguished_name]
	23	> commonName = Common Name
	24	> commonName_default = no.example.com
	25	> EOT
	26	$ openssl req -nodes -new -x509 -keyout /dev/null \
	27	> -out dummycert.pem -days -1 -config cn.conf -subj '/CN=hg.example.com'
	28
	29	To verify the content of this certificate:
	30
	31	$ openssl x509 -in dummycert.pem -noout -text
	32	Certificate:
	33	Data:
	34	Version: 1 (0x0)
	35	Serial Number: 15629337334278746470 (0xd8e68f7f6c6f7166)
	36	Signature Algorithm: sha1WithRSAEncryption
	37	Issuer: CN=hg.example.com
	38	Validity
	39	Not Before: Aug 30 08:45:59 2014 GMT
	40	Not After : Aug 29 08:45:59 2014 GMT
	41	Subject: CN=hg.example.com
	42	Subject Public Key Info:
	43	Public Key Algorithm: rsaEncryption
	44	Public-Key: (512 bit)
	45	Modulus:
	46	00:9a:1f:d9:c9:21:a5:72:ad:00:2c:d2:e6:03:58:
	47	19:aa:de:b5:1e:bb:b2:c0:fa:d1:93:a5:b2:ac:b2:
	48	51:82:df:97:ec:e3:fd:14:59:44:7e:5d:ad:cc:77:
	49	f3:aa:f9:8a:0a:d4:90:a0:f2:0d:58:e7:40:24:c7:
	50	a4:05:81:60:29
	51	Exponent: 65537 (0x10001)
	52	Signature Algorithm: sha1WithRSAEncryption
	53	17:d8:78:f4:b9:12:a8:9e:9a:22:5a:68:81:9b:94:1e:d8:a1:
	54	5d:e2:99:06:c8:a4:b5:52:03:94:37:1c:62:c3:72:d1:14:a1:
	55	f5:7c:54:7e:19:3e:5c:c2:f0:f2:30:65:62:f7:25:b5:25:dd:
	56	27:b5:9e:68:a7:50:45:e9:2e:31

mercurial/sslutil.py

0 +8 -1

             # sslutil.py - SSL handling for mercurial
             #
             # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
             # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
             # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
             #
             # This software may be used and distributed according to the terms of the
             # GNU General Public License version 2 or any later version.
-            import os
+            import os, sys
             from mercurial import util
             from mercurial.i18n import _
             try:
                 # avoid using deprecated/broken FakeSocket in python 2.6
                 import ssl
                 CERT_REQUIRED = ssl.CERT_REQUIRED
                 PROTOCOL_SSLv23 = ssl.PROTOCOL_SSLv23
                 PROTOCOL_TLSv1 = ssl.PROTOCOL_TLSv1
                 def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
                             cert_reqs=ssl.CERT_NONE, ca_certs=None):
                     sslsocket = ssl.wrap_socket(sock, keyfile, certfile,
                                                 cert_reqs=cert_reqs, ca_certs=ca_certs,
                                                 ssl_version=ssl_version)
                     # check if wrap_socket failed silently because socket had been closed
                     # - see http://bugs.python.org/issue13721
                     if not sslsocket.cipher():
                         raise util.Abort(_('ssl connection failed'))
                     return sslsocket
             except ImportError:
                 CERT_REQUIRED = 2
                 PROTOCOL_SSLv23 = 2
                 PROTOCOL_TLSv1 = 3
                 import socket, httplib
                 def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1,
                                     cert_reqs=CERT_REQUIRED, ca_certs=None):
                     if not util.safehasattr(socket, 'ssl'):
                         raise util.Abort(_('Python SSL support not found'))
                     if ca_certs:
                         raise util.Abort(_(
                             'certificate checking requires Python 2.6'))
                     ssl = socket.ssl(sock, keyfile, certfile)
                     return httplib.FakeSocket(sock, ssl)
             def _verifycert(cert, hostname):
                 '''Verify that cert (in socket.getpeercert() format) matches hostname.
                 CRLs is not handled.
                 Returns error message if any problems are found and None on success.
                 '''
                 if not cert:
                     return _('no certificate received')
                 dnsname = hostname.lower()
                 def matchdnsname(certname):
                     return (certname == dnsname or
                             '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
                 san = cert.get('subjectAltName', [])
                 if san:
                     certnames = [value.lower() for key, value in san if key == 'DNS']
                     for name in certnames:
                         if matchdnsname(name):
                             return None
                     if certnames:
                         return _('certificate is for %s') % ', '.join(certnames)
                 # subject is only checked when subjectAltName is empty
                 for s in cert.get('subject', []):
                     key, value = s[0]
                     if key == 'commonName':
                         try:
                             # 'subject' entries are unicode
                             certname = value.lower().encode('ascii')
                         except UnicodeEncodeError:
                             return _('IDN in certificate not supported')
                         if matchdnsname(certname):
                             return None
                         return _('certificate is for %s') % certname
                 return _('no commonName or subjectAltName found in certificate')
             # CERT_REQUIRED means fetch the cert from the server all the time AND
             # validate it against the CA store provided in web.cacerts.
             #
             # We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally
             # busted on those versions.
             def sslkwargs(ui, host):
                 forcetls = ui.configbool('ui', 'tls', default=True)
                 if forcetls:
                     ssl_version = PROTOCOL_TLSv1
                 else:
                     ssl_version = PROTOCOL_SSLv23
                 kws = {'ssl_version': ssl_version,
                        }
                 hostfingerprint = ui.config('hostfingerprints', host)
                 if hostfingerprint:
                     return kws
                 cacerts = ui.config('web', 'cacerts')
                 if cacerts:
                     cacerts = util.expandpath(cacerts)
                     if not os.path.exists(cacerts):
                         raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
+                elif cacerts is None and sys.platform == 'darwin' and not util.mainfrozen():
+                    dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
+                    if os.path.exists(dummycert):
+                        ui.debug('using %s to enable OS X system CA\n' % dummycert)
+                        ui.setconfig('web', 'cacerts', dummycert, 'dummy')
+                        cacerts = dummycert
+                if cacerts:
                     kws.update({'ca_certs': cacerts,
                                 'cert_reqs': CERT_REQUIRED,
                                 })
                 return kws
             class validator(object):
                 def __init__(self, ui, host):
                     self.ui = ui
                     self.host = host
                 def __call__(self, sock, strict=False):
                     host = self.host
                     cacerts = self.ui.config('web', 'cacerts')
                     hostfingerprint = self.ui.config('hostfingerprints', host)
                     if not getattr(sock, 'getpeercert', False): # python 2.5 ?
                         if hostfingerprint:
                             raise util.Abort(_("host fingerprint for %s can't be "
                                                "verified (Python too old)") % host)
                         if strict:
                             raise util.Abort(_("certificate for %s can't be verified "
                                                "(Python too old)") % host)
                         if self.ui.configbool('ui', 'reportoldssl', True):
                             self.ui.warn(_("warning: certificate for %s can't be verified "
                                            "(Python too old)\n") % host)
                         return
                     if not sock.cipher(): # work around http://bugs.python.org/issue13721
                         raise util.Abort(_('%s ssl connection error') % host)
                     try:
                         peercert = sock.getpeercert(True)
                         peercert2 = sock.getpeercert()
                     except AttributeError:
                         raise util.Abort(_('%s ssl connection error') % host)
                     if not peercert:
                         raise util.Abort(_('%s certificate error: '
                                            'no certificate received') % host)
                     peerfingerprint = util.sha1(peercert).hexdigest()
                     nicefingerprint = ":".join([peerfingerprint[x:x + 2]
                         for x in xrange(0, len(peerfingerprint), 2)])
                     if hostfingerprint:
                         if peerfingerprint.lower() != \
                                 hostfingerprint.replace(':', '').lower():
                             raise util.Abort(_('certificate for %s has unexpected '
                                                'fingerprint %s') % (host, nicefingerprint),
                                              hint=_('check hostfingerprint configuration'))
                         self.ui.debug('%s certificate matched fingerprint %s\n' %
                                       (host, nicefingerprint))
                     elif cacerts:
                         msg = _verifycert(peercert2, host)
                         if msg:
                             raise util.Abort(_('%s certificate error: %s') % (host, msg),
                                              hint=_('configure hostfingerprint %s or use '
                                                     '--insecure to connect insecurely') %
                                                   nicefingerprint)
                         self.ui.debug('%s certificate successfully verified\n' % host)
                     elif strict:
                         raise util.Abort(_('%s certificate with fingerprint %s not '
                                            'verified') % (host, nicefingerprint),
                                          hint=_('check hostfingerprints or web.cacerts '
                                                  'config setting'))
                     else:
                         self.ui.warn(_('warning: %s certificate with fingerprint %s not '
                                        'verified (check hostfingerprints or web.cacerts '
                                        'config setting)\n') %
                                      (host, nicefingerprint))

setup.py

0 +2 -1

             #
             # This is the mercurial setup script.
             #
             # 'python setup.py install', or
             # 'python setup.py --help' for more options
             import sys, platform
             if getattr(sys, 'version_info', (0, 0, 0)) < (2, 4, 0, 'final'):
                 raise SystemExit("Mercurial requires Python 2.4 or later.")
             if sys.version_info[0] >= 3:
                 def b(s):
                     '''A helper function to emulate 2.6+ bytes literals using string
                     literals.'''
                     return s.encode('latin1')
                 printf = eval('print')
                 libdir_escape = 'unicode_escape'
             else:
                 libdir_escape = 'string_escape'
                 def b(s):
                     '''A helper function to emulate 2.6+ bytes literals using string
                     literals.'''
                     return s
                 def printf(*args, **kwargs):
                     f = kwargs.get('file', sys.stdout)
                     end = kwargs.get('end', '\n')
                     f.write(b(' ').join(args) + end)
             # Solaris Python packaging brain damage
             try:
                 import hashlib
                 sha = hashlib.sha1()
             except ImportError:
                 try:
                     import sha
                     sha.sha # silence unused import warning
                 except ImportError:
                     raise SystemExit(
                         "Couldn't import standard hashlib (incomplete Python install).")
             try:
                 import zlib
                 zlib.compressobj # silence unused import warning
             except ImportError:
                 raise SystemExit(
                     "Couldn't import standard zlib (incomplete Python install).")
             # The base IronPython distribution (as of 2.7.1) doesn't support bz2
             isironpython = False
             try:
                 isironpython = (platform.python_implementation()
                                 .lower().find("ironpython") != -1)
             except AttributeError:
                 pass
             if isironpython:
                 sys.stderr.write("warning: IronPython detected (no bz2 support)\n")
             else:
                 try:
                     import bz2
                     bz2.BZ2Compressor # silence unused import warning
                 except ImportError:
                     raise SystemExit(
                         "Couldn't import standard bz2 (incomplete Python install).")
             import os, subprocess, time
             import re
             import shutil
             import tempfile
             from distutils import log
             from distutils.core import setup, Command, Extension
             from distutils.dist import Distribution
             from distutils.command.build import build
             from distutils.command.build_ext import build_ext
             from distutils.command.build_py import build_py
             from distutils.command.install_scripts import install_scripts
             from distutils.spawn import spawn, find_executable
             from distutils import cygwinccompiler
             from distutils.errors import CCompilerError, DistutilsExecError
             from distutils.sysconfig import get_python_inc, get_config_var
             from distutils.version import StrictVersion
             convert2to3 = '--c2to3' in sys.argv
             if convert2to3:
                 try:
                     from distutils.command.build_py import build_py_2to3 as build_py
                     from lib2to3.refactor import get_fixers_from_package as getfixers
                 except ImportError:
                     if sys.version_info[0] < 3:
                         raise SystemExit("--c2to3 is only compatible with python3.")
                     raise
                 sys.path.append('contrib')
             elif sys.version_info[0] >= 3:
                 raise SystemExit("setup.py with python3 needs --c2to3 (experimental)")
             scripts = ['hg']
             if os.name == 'nt':
                 scripts.append('contrib/win32/hg.bat')
             # simplified version of distutils.ccompiler.CCompiler.has_function
             # that actually removes its temporary files.
             def hasfunction(cc, funcname):
                 tmpdir = tempfile.mkdtemp(prefix='hg-install-')
                 devnull = oldstderr = None
                 try:
                     try:
                         fname = os.path.join(tmpdir, 'funcname.c')
                         f = open(fname, 'w')
                         f.write('int main(void) {\n')
                         f.write('    %s();\n' % funcname)
                         f.write('}\n')
                         f.close()
                         # Redirect stderr to /dev/null to hide any error messages
                         # from the compiler.
                         # This will have to be changed if we ever have to check
                         # for a function on Windows.
                         devnull = open('/dev/null', 'w')
                         oldstderr = os.dup(sys.stderr.fileno())
                         os.dup2(devnull.fileno(), sys.stderr.fileno())
                         objects = cc.compile([fname], output_dir=tmpdir)
                         cc.link_executable(objects, os.path.join(tmpdir, "a.out"))
                     except Exception:
                         return False
                     return True
                 finally:
                     if oldstderr is not None:
                         os.dup2(oldstderr, sys.stderr.fileno())
                     if devnull is not None:
                         devnull.close()
                     shutil.rmtree(tmpdir)
             # py2exe needs to be installed to work
             try:
                 import py2exe
                 py2exe.Distribution # silence unused import warning
                 py2exeloaded = True
                 # import py2exe's patched Distribution class
                 from distutils.core import Distribution
             except ImportError:
                 py2exeloaded = False
             def runcmd(cmd, env):
                 if sys.platform == 'plan9':
                     # subprocess kludge to work around issues in half-baked Python
                     # ports, notably bichued/python:
                     _, out, err = os.popen3(cmd)
                     return str(out), str(err)
                 else:
                     p = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                                          stderr=subprocess.PIPE, env=env)
                     out, err = p.communicate()
                     return out, err
             def runhg(cmd, env):
                 out, err = runcmd(cmd, env)
                 # If root is executing setup.py, but the repository is owned by
                 # another user (as in "sudo python setup.py install") we will get
                 # trust warnings since the .hg/hgrc file is untrusted. That is
                 # fine, we don't want to load it anyway.  Python may warn about
                 # a missing __init__.py in mercurial/locale, we also ignore that.
                 err = [e for e in err.splitlines()
                        if not e.startswith(b('not trusting file')) \
                           and not e.startswith(b('warning: Not importing')) \
                           and not e.startswith(b('obsolete feature not enabled'))]
                 if err:
                     printf("stderr from '%s':" % (' '.join(cmd)), file=sys.stderr)
                     printf(b('\n').join([b('  ') + e for e in err]), file=sys.stderr)
                     return ''
                 return out
             version = ''
             # Execute hg out of this directory with a custom environment which
             # includes the pure Python modules in mercurial/pure. We also take
             # care to not use any hgrc files and do no localization.
             pypath = ['mercurial', os.path.join('mercurial', 'pure')]
             env = {'PYTHONPATH': os.pathsep.join(pypath),
                    'HGRCPATH': '',
                    'LANGUAGE': 'C'}
             if 'LD_LIBRARY_PATH' in os.environ:
                 env['LD_LIBRARY_PATH'] = os.environ['LD_LIBRARY_PATH']
             if 'SystemRoot' in os.environ:
                 # Copy SystemRoot into the custom environment for Python 2.6
                 # under Windows. Otherwise, the subprocess will fail with
                 # error 0xc0150004. See: http://bugs.python.org/issue3440
                 env['SystemRoot'] = os.environ['SystemRoot']
             if os.path.isdir('.hg'):
                 cmd = [sys.executable, 'hg', 'log', '-r', '.', '--template', '{tags}\n']
                 numerictags = [t for t in runhg(cmd, env).split() if t[0].isdigit()]
                 hgid = runhg([sys.executable, 'hg', 'id', '-i'], env).strip()
                 if numerictags: # tag(s) found
                     version = numerictags[-1]
                     if hgid.endswith('+'): # propagate the dirty status to the tag
                         version += '+'
                 else: # no tag found
                     cmd = [sys.executable, 'hg', 'parents', '--template',
                            '{latesttag}+{latesttagdistance}-']
                     version = runhg(cmd, env) + hgid
                 if version.endswith('+'):
                     version += time.strftime('%Y%m%d')
             elif os.path.exists('.hg_archival.txt'):
                 kw = dict([[t.strip() for t in l.split(':', 1)]
                            for l in open('.hg_archival.txt')])
                 if 'tag' in kw:
                     version =  kw['tag']
                 elif 'latesttag' in kw:
                     version = '%(latesttag)s+%(latesttagdistance)s-%(node).12s' % kw
                 else:
                     version = kw.get('node', '')[:12]
             if version:
                 f = open("mercurial/__version__.py", "w")
                 f.write('# this file is autogenerated by setup.py\n')
                 f.write('version = "%s"\n' % version)
                 f.close()
             try:
                 from mercurial import __version__
                 version = __version__.version
             except ImportError:
                 version = 'unknown'
             class hgbuild(build):
                 # Insert hgbuildmo first so that files in mercurial/locale/ are found
                 # when build_py is run next.
                 sub_commands = [('build_mo', None),
                 # We also need build_ext before build_py. Otherwise, when 2to3 is
                 # called (in build_py), it will not find osutil & friends,
                 # thinking that those modules are global and, consequently, making
                 # a mess, now that all module imports are global.
                                 ('build_ext', build.has_ext_modules),
                                ] + build.sub_commands
             class hgbuildmo(build):
                 description = "build translations (.mo files)"
                 def run(self):
                     if not find_executable('msgfmt'):
                         self.warn("could not find msgfmt executable, no translations "
                                  "will be built")
                         return
                     podir = 'i18n'
                     if not os.path.isdir(podir):
                         self.warn("could not find %s/ directory" % podir)
                         return
                     join = os.path.join
                     for po in os.listdir(podir):
                         if not po.endswith('.po'):
                             continue
                         pofile = join(podir, po)
                         modir = join('locale', po[:-3], 'LC_MESSAGES')
                         mofile = join(modir, 'hg.mo')
                         mobuildfile = join('mercurial', mofile)
                         cmd = ['msgfmt', '-v', '-o', mobuildfile, pofile]
                         if sys.platform != 'sunos5':
                             # msgfmt on Solaris does not know about -c
                             cmd.append('-c')
                         self.mkpath(join('mercurial', modir))
                         self.make_file([pofile], mobuildfile, spawn, (cmd,))
             class hgdist(Distribution):
                 pure = 0
                 global_options = Distribution.global_options + \
                                  [('pure', None, "use pure (slow) Python "
                                     "code instead of C extensions"),
                                   ('c2to3', None, "(experimental!) convert "
                                     "code with 2to3"),
                                  ]
                 def has_ext_modules(self):
                     # self.ext_modules is emptied in hgbuildpy.finalize_options which is
                     # too late for some cases
                     return not self.pure and Distribution.has_ext_modules(self)
             class hgbuildext(build_ext):
                 def build_extension(self, ext):
                     try:
                         build_ext.build_extension(self, ext)
                     except CCompilerError:
                         if not getattr(ext, 'optional', False):
                             raise
                         log.warn("Failed to build optional extension '%s' (skipping)",
                                  ext.name)
             class hgbuildpy(build_py):
                 if convert2to3:
                     fixer_names = sorted(set(getfixers("lib2to3.fixes") +
                                              getfixers("hgfixes")))
                 def finalize_options(self):
                     build_py.finalize_options(self)
                     if self.distribution.pure:
                         if self.py_modules is None:
                             self.py_modules = []
                         for ext in self.distribution.ext_modules:
                             if ext.name.startswith("mercurial."):
                                 self.py_modules.append("mercurial.pure.%s" % ext.name[10:])
                         self.distribution.ext_modules = []
                     else:
                         h = os.path.join(get_python_inc(), 'Python.h')
                         if not os.path.exists(h):
                             raise SystemExit('Python headers are required to build '
                                              'Mercurial but weren\'t found in %s' % h)
                 def find_modules(self):
                     modules = build_py.find_modules(self)
                     for module in modules:
                         if module[0] == "mercurial.pure":
                             if module[1] != "__init__":
                                 yield ("mercurial", module[1], module[2])
                         else:
                             yield module
             class buildhgextindex(Command):
                 description = 'generate prebuilt index of hgext (for frozen package)'
                 user_options = []
                 _indexfilename = 'hgext/__index__.py'
                 def initialize_options(self):
                     pass
                 def finalize_options(self):
                     pass
                 def run(self):
                     if os.path.exists(self._indexfilename):
                         f = open(self._indexfilename, 'w')
                         f.write('# empty\n')
                         f.close()
                     # here no extension enabled, disabled() lists up everything
                     code = ('import pprint; from mercurial import extensions; '
                             'pprint.pprint(extensions.disabled())')
                     out, err = runcmd([sys.executable, '-c', code], env)
                     if err:
                         raise DistutilsExecError(err)
                     f = open(self._indexfilename, 'w')
                     f.write('# this file is autogenerated by setup.py\n')
                     f.write('docs = ')
                     f.write(out)
                     f.close()
             class buildhgexe(build_ext):
                 description = 'compile hg.exe from mercurial/exewrapper.c'
                 def build_extensions(self):
                     if os.name != 'nt':
                         return
                     if isinstance(self.compiler, HackedMingw32CCompiler):
                         self.compiler.compiler_so = self.compiler.compiler # no -mdll
                         self.compiler.dll_libraries = [] # no -lmsrvc90
                     hv = sys.hexversion
                     pythonlib = 'python%d%d' % (hv >> 24, (hv >> 16) & 0xff)
                     f = open('mercurial/hgpythonlib.h', 'wb')
                     f.write('/* this file is autogenerated by setup.py */\n')
                     f.write('#define HGPYTHONLIB "%s"\n' % pythonlib)
                     f.close()
                     objects = self.compiler.compile(['mercurial/exewrapper.c'],
                                                      output_dir=self.build_temp)
                     dir = os.path.dirname(self.get_ext_fullpath('dummy'))
                     target = os.path.join(dir, 'hg')
                     self.compiler.link_executable(objects, target,
                                                   libraries=[],
                                                   output_dir=self.build_temp)
             class hginstallscripts(install_scripts):
                 '''
                 This is a specialization of install_scripts that replaces the @LIBDIR@ with
                 the configured directory for modules. If possible, the path is made relative
                 to the directory for scripts.
                 '''
                 def initialize_options(self):
                     install_scripts.initialize_options(self)
                     self.install_lib = None
                 def finalize_options(self):
                     install_scripts.finalize_options(self)
                     self.set_undefined_options('install',
                                                ('install_lib', 'install_lib'))
                 def run(self):
                     install_scripts.run(self)
                     if (os.path.splitdrive(self.install_dir)[0] !=
                         os.path.splitdrive(self.install_lib)[0]):
                         # can't make relative paths from one drive to another, so use an
                         # absolute path instead
                         libdir = self.install_lib
                     else:
                         common = os.path.commonprefix((self.install_dir, self.install_lib))
                         rest = self.install_dir[len(common):]
                         uplevel = len([n for n in os.path.split(rest) if n])
                         libdir =  uplevel * ('..' + os.sep) + self.install_lib[len(common):]
                     for outfile in self.outfiles:
                         fp = open(outfile, 'rb')
                         data = fp.read()
                         fp.close()
                         # skip binary files
                         if b('\0') in data:
                             continue
                         data = data.replace(b('@LIBDIR@'), libdir.encode(libdir_escape))
                         fp = open(outfile, 'wb')
                         fp.write(data)
                         fp.close()
             cmdclass = {'build': hgbuild,
                         'build_mo': hgbuildmo,
                         'build_ext': hgbuildext,
                         'build_py': hgbuildpy,
                         'build_hgextindex': buildhgextindex,
                         'install_scripts': hginstallscripts,
                         'build_hgexe': buildhgexe,
                         }
             packages = ['mercurial', 'mercurial.hgweb', 'mercurial.httpclient',
                         'hgext', 'hgext.convert', 'hgext.highlight', 'hgext.zeroconf',
                         'hgext.largefiles']
             pymodules = []
             common_depends = ['mercurial/util.h']
             extmodules = [
                 Extension('mercurial.base85', ['mercurial/base85.c'],
                           depends=common_depends),
                 Extension('mercurial.bdiff', ['mercurial/bdiff.c'],
                           depends=common_depends),
                 Extension('mercurial.diffhelpers', ['mercurial/diffhelpers.c'],
                           depends=common_depends),
                 Extension('mercurial.mpatch', ['mercurial/mpatch.c'],
                           depends=common_depends),
                 Extension('mercurial.parsers', ['mercurial/dirs.c',
                                                 'mercurial/parsers.c',
                                                 'mercurial/pathencode.c'],
                           depends=common_depends),
                 ]
             osutil_ldflags = []
             if sys.platform == 'darwin':
                 osutil_ldflags += ['-framework', 'ApplicationServices']
             # disable osutil.c under windows + python 2.4 (issue1364)
             if sys.platform == 'win32' and sys.version_info < (2, 5, 0, 'final'):
                 pymodules.append('mercurial.pure.osutil')
             else:
                 extmodules.append(Extension('mercurial.osutil', ['mercurial/osutil.c'],
                                             extra_link_args=osutil_ldflags,
                                             depends=common_depends))
             # the -mno-cygwin option has been deprecated for years
             Mingw32CCompiler = cygwinccompiler.Mingw32CCompiler
             class HackedMingw32CCompiler(cygwinccompiler.Mingw32CCompiler):
                 def __init__(self, *args, **kwargs):
                     Mingw32CCompiler.__init__(self, *args, **kwargs)
                     for i in 'compiler compiler_so linker_exe linker_so'.split():
                         try:
                             getattr(self, i).remove('-mno-cygwin')
                         except ValueError:
                             pass
             cygwinccompiler.Mingw32CCompiler = HackedMingw32CCompiler
             packagedata = {'mercurial': ['locale/*/LC_MESSAGES/hg.mo',
-                                         'help/*.txt']}
+                                         'help/*.txt',
+                                         'dummycert.pem']}
             def ordinarypath(p):
                 return p and p[0] != '.' and p[-1] != '~'
             for root in ('templates',):
                 for curdir, dirs, files in os.walk(os.path.join('mercurial', root)):
                     curdir = curdir.split(os.sep, 1)[1]
                     dirs[:] = filter(ordinarypath, dirs)
                     for f in filter(ordinarypath, files):
                         f = os.path.join(curdir, f)
                         packagedata['mercurial'].append(f)
             datafiles = []
             setupversion = version
             extra = {}
             if py2exeloaded:
                 extra['console'] = [
                     {'script':'hg',
                      'copyright':'Copyright (C) 2005-2010 Matt Mackall and others',
                      'product_version':version}]
                 # sub command of 'build' because 'py2exe' does not handle sub_commands
                 build.sub_commands.insert(0, ('build_hgextindex', None))
             if os.name == 'nt':
                 # Windows binary file versions for exe/dll files must have the
                 # form W.X.Y.Z, where W,X,Y,Z are numbers in the range 0..65535
                 setupversion = version.split('+', 1)[0]
             if sys.platform == 'darwin' and os.path.exists('/usr/bin/xcodebuild'):
                 version = runcmd(['/usr/bin/xcodebuild', '-version'], {})[0].splitlines()
                 if version:
                     version = version[0]
                     xcode4 = (version.startswith('Xcode') and
                               StrictVersion(version.split()[1]) >= StrictVersion('4.0'))
                     xcode51 = re.match(r'^Xcode\s+5\.1', version) is not None
                 else:
                     # xcodebuild returns empty on OS X Lion with XCode 4.3 not
                     # installed, but instead with only command-line tools. Assume
                     # that only happens on >= Lion, thus no PPC support.
                     xcode4 = True
                     xcode51 = False
                 # XCode 4.0 dropped support for ppc architecture, which is hardcoded in
                 # distutils.sysconfig
                 if xcode4:
                     os.environ['ARCHFLAGS'] = ''
                 # XCode 5.1 changes clang such that it now fails to compile if the
                 # -mno-fused-madd flag is passed, but the version of Python shipped with
                 # OS X 10.9 Mavericks includes this flag. This causes problems in all
                 # C extension modules, and a bug has been filed upstream at
                 # http://bugs.python.org/issue21244. We also need to patch this here
                 # so Mercurial can continue to compile in the meantime.
                 if xcode51:
                     cflags = get_config_var('CFLAGS')
                     if cflags and re.search(r'-mno-fused-madd\b', cflags) is not None:
                         os.environ['CFLAGS'] = (
                             os.environ.get('CFLAGS', '') + ' -Qunused-arguments')
             setup(name='mercurial',
                   version=setupversion,
                   author='Matt Mackall and many others',
                   author_email='mercurial@selenic.com',
                   url='http://mercurial.selenic.com/',
                   download_url='http://mercurial.selenic.com/release/',
                   description=('Fast scalable distributed SCM (revision control, version '
                                'control) system'),
                   long_description=('Mercurial is a distributed SCM tool written in Python.'
                                     ' It is used by a number of large projects that require'
                                     ' fast, reliable distributed revision control, such as '
                                     'Mozilla.'),
                   license='GNU GPLv2 or any later version',
                   classifiers=[
                       'Development Status :: 6 - Mature',
                       'Environment :: Console',
                       'Intended Audience :: Developers',
                       'Intended Audience :: System Administrators',
                       'License :: OSI Approved :: GNU General Public License (GPL)',
                       'Natural Language :: Danish',
                       'Natural Language :: English',
                       'Natural Language :: German',
                       'Natural Language :: Italian',
                       'Natural Language :: Japanese',
                       'Natural Language :: Portuguese (Brazilian)',
                       'Operating System :: Microsoft :: Windows',
                       'Operating System :: OS Independent',
                       'Operating System :: POSIX',
                       'Programming Language :: C',
                       'Programming Language :: Python',
                       'Topic :: Software Development :: Version Control',
                   ],
                   scripts=scripts,
                   packages=packages,
                   py_modules=pymodules,
                   ext_modules=extmodules,
                   data_files=datafiles,
                   package_data=packagedata,
                   cmdclass=cmdclass,
                   distclass=hgdist,
                   options={'py2exe': {'packages': ['hgext', 'email']},
                            'bdist_mpkg': {'zipdist': False,
                                           'license': 'COPYING',
                                           'readme': 'contrib/macosx/Readme.html',
                                           'welcome': 'contrib/macosx/Welcome.html',
                                           },
                            },
                   **extra)

tests/hghave.py

0 +4 0

             import os, stat
             import re
             import sys
             import tempfile
             tempprefix = 'hg-hghave-'
             checks = {
                 "true": (lambda: True, "yak shaving"),
                 "false": (lambda: False, "nail clipper"),
             }
             def check(name, desc):
                 def decorator(func):
                     checks[name] = (func, desc)
                     return func
                 return decorator
             def matchoutput(cmd, regexp, ignorestatus=False):
                 """Return True if cmd executes successfully and its output
                 is matched by the supplied regular expression.
                 """
                 r = re.compile(regexp)
                 fh = os.popen(cmd)
                 s = fh.read()
                 try:
                     ret = fh.close()
                 except IOError:
                     # Happen in Windows test environment
                     ret = 1
                 return (ignorestatus or ret is None) and r.search(s)
             @check("baz", "GNU Arch baz client")
             def has_baz():
                 return matchoutput('baz --version 2>&1', r'baz Bazaar version')
             @check("bzr", "Canonical's Bazaar client")
             def has_bzr():
                 try:
                     import bzrlib
                     return bzrlib.__doc__ is not None
                 except ImportError:
                     return False
             @check("bzr114", "Canonical's Bazaar client >= 1.14")
             def has_bzr114():
                 try:
                     import bzrlib
                     return (bzrlib.__doc__ is not None
                             and bzrlib.version_info[:2] >= (1, 14))
                 except ImportError:
                     return False
             @check("cvs", "cvs client/server")
             def has_cvs():
                 re = r'Concurrent Versions System.*?server'
                 return matchoutput('cvs --version 2>&1', re) and not has_msys()
             @check("cvs112", "cvs client/server >= 1.12")
             def has_cvs112():
                 re = r'Concurrent Versions System \(CVS\) 1.12.*?server'
                 return matchoutput('cvs --version 2>&1', re) and not has_msys()
             @check("darcs", "darcs client")
             def has_darcs():
                 return matchoutput('darcs --version', r'2\.[2-9]', True)
             @check("mtn", "monotone client (>= 1.0)")
             def has_mtn():
                 return matchoutput('mtn --version', r'monotone', True) and not matchoutput(
                     'mtn --version', r'monotone 0\.', True)
             @check("eol-in-paths", "end-of-lines in paths")
             def has_eol_in_paths():
                 try:
                     fd, path = tempfile.mkstemp(dir='.', prefix=tempprefix, suffix='\n\r')
                     os.close(fd)
                     os.remove(path)
                     return True
                 except (IOError, OSError):
                     return False
             @check("execbit", "executable bit")
             def has_executablebit():
                 try:
                     EXECFLAGS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
                     fh, fn = tempfile.mkstemp(dir='.', prefix=tempprefix)
                     try:
                         os.close(fh)
                         m = os.stat(fn).st_mode & 0777
                         new_file_has_exec = m & EXECFLAGS
                         os.chmod(fn, m ^ EXECFLAGS)
                         exec_flags_cannot_flip = ((os.stat(fn).st_mode & 0777) == m)
                     finally:
                         os.unlink(fn)
                 except (IOError, OSError):
                     # we don't care, the user probably won't be able to commit anyway
                     return False
                 return not (new_file_has_exec or exec_flags_cannot_flip)
             @check("icasefs", "case insensitive file system")
             def has_icasefs():
                 # Stolen from mercurial.util
                 fd, path = tempfile.mkstemp(dir='.', prefix=tempprefix)
                 os.close(fd)
                 try:
                     s1 = os.stat(path)
                     d, b = os.path.split(path)
                     p2 = os.path.join(d, b.upper())
                     if path == p2:
                         p2 = os.path.join(d, b.lower())
                     try:
                         s2 = os.stat(p2)
                         return s2 == s1
                     except OSError:
                         return False
                 finally:
                     os.remove(path)
             @check("fifo", "named pipes")
             def has_fifo():
                 if getattr(os, "mkfifo", None) is None:
                     return False
                 name = tempfile.mktemp(dir='.', prefix=tempprefix)
                 try:
                     os.mkfifo(name)
                     os.unlink(name)
                     return True
                 except OSError:
                     return False
             @check("killdaemons", 'killdaemons.py support')
             def has_killdaemons():
                 return True
             @check("cacheable", "cacheable filesystem")
             def has_cacheable_fs():
                 from mercurial import util
                 fd, path = tempfile.mkstemp(dir='.', prefix=tempprefix)
                 os.close(fd)
                 try:
                     return util.cachestat(path).cacheable()
                 finally:
                     os.remove(path)
             @check("lsprof", "python lsprof module")
             def has_lsprof():
                 try:
                     import _lsprof
                     _lsprof.Profiler # silence unused import warning
                     return True
                 except ImportError:
                     return False
             @check("gettext", "GNU Gettext (msgfmt)")
             def has_gettext():
                 return matchoutput('msgfmt --version', 'GNU gettext-tools')
             @check("git", "git command line client")
             def has_git():
                 return matchoutput('git --version 2>&1', r'^git version')
             @check("docutils", "Docutils text processing library")
             def has_docutils():
                 try:
                     from docutils.core import publish_cmdline
                     publish_cmdline # silence unused import
                     return True
                 except ImportError:
                     return False
             def getsvnversion():
                 m = matchoutput('svn --version --quiet 2>&1', r'^(\d+)\.(\d+)')
                 if not m:
                     return (0, 0)
                 return (int(m.group(1)), int(m.group(2)))
             @check("svn15", "subversion client and admin tools >= 1.5")
             def has_svn15():
                 return getsvnversion() >= (1, 5)
             @check("svn13", "subversion client and admin tools >= 1.3")
             def has_svn13():
                 return getsvnversion() >= (1, 3)
             @check("svn", "subversion client and admin tools")
             def has_svn():
                 return matchoutput('svn --version 2>&1', r'^svn, version') and \
                     matchoutput('svnadmin --version 2>&1', r'^svnadmin, version')
             @check("svn-bindings", "subversion python bindings")
             def has_svn_bindings():
                 try:
                     import svn.core
                     version = svn.core.SVN_VER_MAJOR, svn.core.SVN_VER_MINOR
                     if version < (1, 4):
                         return False
                     return True
                 except ImportError:
                     return False
             @check("p4", "Perforce server and client")
             def has_p4():
                 return (matchoutput('p4 -V', r'Rev\. P4/') and
                         matchoutput('p4d -V', r'Rev\. P4D/'))
             @check("symlink", "symbolic links")
             def has_symlink():
                 if getattr(os, "symlink", None) is None:
                     return False
                 name = tempfile.mktemp(dir='.', prefix=tempprefix)
                 try:
                     os.symlink(".", name)
                     os.unlink(name)
                     return True
                 except (OSError, AttributeError):
                     return False
             @check("hardlink", "hardlinks")
             def has_hardlink():
                 from mercurial import util
                 fh, fn = tempfile.mkstemp(dir='.', prefix=tempprefix)
                 os.close(fh)
                 name = tempfile.mktemp(dir='.', prefix=tempprefix)
                 try:
                     try:
                         util.oslink(fn, name)
                         os.unlink(name)
                         return True
                     except OSError:
                         return False
                 finally:
                     os.unlink(fn)
             @check("tla", "GNU Arch tla client")
             def has_tla():
                 return matchoutput('tla --version 2>&1', r'The GNU Arch Revision')
             @check("gpg", "gpg client")
             def has_gpg():
                 return matchoutput('gpg --version 2>&1', r'GnuPG')
             @check("unix-permissions", "unix-style permissions")
             def has_unix_permissions():
                 d = tempfile.mkdtemp(dir='.', prefix=tempprefix)
                 try:
                     fname = os.path.join(d, 'foo')
                     for umask in (077, 007, 022):
                         os.umask(umask)
                         f = open(fname, 'w')
                         f.close()
                         mode = os.stat(fname).st_mode
                         os.unlink(fname)
                         if mode & 0777 != ~umask & 0666:
                             return False
                     return True
                 finally:
                     os.rmdir(d)
             @check("root", "root permissions")
             def has_root():
                 return getattr(os, 'geteuid', None) and os.geteuid() == 0
             @check("pyflakes", "Pyflakes python linter")
             def has_pyflakes():
                 return matchoutput("sh -c \"echo 'import re' 2>&1 | pyflakes\"",
                                    r"<stdin>:1: 're' imported but unused",
                                    True)
             @check("pygments", "Pygments source highlighting library")
             def has_pygments():
                 try:
                     import pygments
                     pygments.highlight # silence unused import warning
                     return True
                 except ImportError:
                     return False
             @check("python243", "python >= 2.4.3")
             def has_python243():
                 return sys.version_info >= (2, 4, 3)
             @check("outer-repo", "outer repo")
             def has_outer_repo():
                 # failing for other reasons than 'no repo' imply that there is a repo
                 return not matchoutput('hg root 2>&1',
                                        r'abort: no repository found', True)
             @check("ssl", "python >= 2.6 ssl module and python OpenSSL")
             def has_ssl():
                 try:
                     import ssl
                     ssl.wrap_socket # silence unused import warning
                     import OpenSSL
                     OpenSSL.SSL.Context
                     return True
                 except ImportError:
                     return False
             @check("windows", "Windows")
             def has_windows():
                 return os.name == 'nt'
             @check("system-sh", "system() uses sh")
             def has_system_sh():
                 return os.name != 'nt'
             @check("serve", "platform and python can manage 'hg serve -d'")
             def has_serve():
                 return os.name != 'nt' # gross approximation
             @check("test-repo", "running tests from repository")
             def has_test_repo():
                 t = os.environ["TESTDIR"]
                 return os.path.isdir(os.path.join(t, "..", ".hg"))
             @check("tic", "terminfo compiler and curses module")
             def has_tic():
                 try:
                     import curses
                     curses.COLOR_BLUE
                     return matchoutput('test -x "`which tic`"', '')
                 except ImportError:
                     return False
             @check("msys", "Windows with MSYS")
             def has_msys():
                 return os.getenv('MSYSTEM')
             @check("aix", "AIX")
             def has_aix():
                 return sys.platform.startswith("aix")
+            @check("osx", "OS X")
+            def has_osx():
+                return sys.platform == 'darwin'
             @check("absimport", "absolute_import in __future__")
             def has_absimport():
                 import __future__
                 from mercurial import util
                 return util.safehasattr(__future__, "absolute_import")
             @check("py3k", "running with Python 3.x")
             def has_py3k():
                 return 3 == sys.version_info[0]

tests/test-https.t

0 +13 -2

             #require serve ssl
             Proper https client requires the built-in ssl from Python 2.6.
             Certificates created with:
              printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
              openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
             Can be dumped with:
              openssl x509 -in pub.pem -text
               $ cat << EOT > priv.pem
               > -----BEGIN PRIVATE KEY-----
               > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
               > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
               > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
               > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
               > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
               > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
               > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
               > HY8gUVkVRVs=
               > -----END PRIVATE KEY-----
               > EOT
               $ cat << EOT > pub.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
               > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
               > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
               > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub.pem >> server.pem
               $ PRIV=`pwd`/server.pem
               $ cat << EOT > pub-other.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
               > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
               > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
               > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
               > -----END CERTIFICATE-----
               > EOT
             pub.pem patched with other notBefore / notAfter:
               $ cat << EOT > pub-not-yet.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
               > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
               > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-not-yet.pem > server-not-yet.pem
               $ cat << EOT > pub-expired.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
               > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
               > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-expired.pem > server-expired.pem
               $ hg init test
               $ cd test
               $ echo foo>foo
               $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
               $ echo foo>foo.d/foo
               $ echo bar>foo.d/bAr.hg.d/BaR
               $ echo bar>foo.d/baR.d.hg/bAR
               $ hg commit -A -m 1
               adding foo
               adding foo.d/bAr.hg.d/BaR
               adding foo.d/baR.d.hg/bAR
               adding foo.d/foo
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
               $ cat ../hg0.pid >> $DAEMON_PIDS
             cacert not found
               $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
               abort: could not find web.cacerts: no-such.pem
               [255]
             Test server address cannot be reused
             #if windows
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT':
               [255]
             #else
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT': Address already in use
               [255]
             #endif
               $ cd ..
+            OS X has a dummy CA cert that enables use of the system CA store
+              $ DISABLEOSXDUMMYCERT=
+            #if osx
+              $ hg clone https://localhost:$HGPORT/ copy-pull
+              abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
+              [255]
+              $ DISABLEOSXDUMMYCERT="--config=web.cacerts="
+            #endif
             clone via pull
-              $ hg clone https://localhost:$HGPORT/ copy-pull
+              $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
               updating to branch default
 files updated, 0 files merged, 0 files removed, 0 files unresolved
               $ hg verify -R copy-pull
               checking changesets
               checking manifests
               crosschecking files in changesets and manifests
               checking files
 files, 1 changesets, 4 total revisions
               $ cd test
               $ echo bar > bar
               $ hg commit -A -d '1 0' -m 2
               adding bar
               $ cd ..
             pull without cacert
               $ cd copy-pull
               $ echo '[hooks]' >> .hg/hgrc
               $ echo "changegroup = python \"$TESTDIR/printenv.py\" changegroup" >> .hg/hgrc
-              $ hg pull
+              $ hg pull $DISABLEOSXDUMMYCERT
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               pulling from https://localhost:$HGPORT/
               searching for changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 1 changes to 1 files
               changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/
               (run 'hg update' to get a working copy)
               $ cd ..
             cacert configured in local repo
               $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
               $ echo "[web]" >> copy-pull/.hg/hgrc
               $ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc
               $ hg -R copy-pull pull --traceback
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
             cacert configured globally, also testing expansion of environment
             variables in the filename
               $ echo "[web]" >> $HGRCPATH
               $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
               $ P=`pwd` hg -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ P=`pwd` hg -R copy-pull pull --insecure
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
             cacert mismatch
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
               abort: 127.0.0.1 certificate error: certificate is for localhost
               (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
               [255]
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
               warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               pulling from https://127.0.0.1:$HGPORT/
               searching for changes
               no changes found
               $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
               $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
             Test server cert which isn't valid yet
               $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
               $ cat hg1.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
             Test server cert which no longer is valid
               $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
               $ cat hg2.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
             Fingerprints
               $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
               $ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc
               $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc
             - works without cacerts
               $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=
 fed3813f7f5
             - fails when cert doesn't match hostname (port is ignored)
               $ hg -R copy-pull id https://localhost:$HGPORT1/
               abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
               (check hostfingerprint configuration)
               [255]
             - ignores that certificate doesn't match hostname
               $ hg -R copy-pull id https://127.0.0.1:$HGPORT/
 fed3813f7f5
             HGPORT1 is reused below for tinyproxy tests. Kill that server.
               $ "$TESTDIR/killdaemons.py" hg1.pid
             Prepare for connecting through proxy
               $ "$TESTDIR/tinyproxy.py" $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
               $ while [ ! -f proxy.pid ]; do sleep 0; done
               $ cat proxy.pid >> $DAEMON_PIDS
               $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
               $ echo "always=True" >> copy-pull/.hg/hgrc
               $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
               $ echo "localhost =" >> copy-pull/.hg/hgrc
             Test unvalidated https through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
               warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
             Test https with cacert and fingerprint through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/
               pulling from https://127.0.0.1:$HGPORT/
               searching for changes
               no changes found
             Test https with cert problems through proxy
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
               $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages