sslutil: allow fingerprints to be specified in [hostsecurity]...
Gregory Szorc -
r29267:f0ccb6cd default
@@ -1,2092 +1,2127
1 The Mercurial system uses a set of configuration files to control
1 The Mercurial system uses a set of configuration files to control
2 aspects of its behavior.
2 aspects of its behavior.
3
3
4 Troubleshooting
4 Troubleshooting
5 ===============
5 ===============
6
6
7 If you're having problems with your configuration,
7 If you're having problems with your configuration,
8 :hg:`config --debug` can help you understand what is introducing
8 :hg:`config --debug` can help you understand what is introducing
9 a setting into your environment.
9 a setting into your environment.
10
10
11 See :hg:`help config.syntax` and :hg:`help config.files`
11 See :hg:`help config.syntax` and :hg:`help config.files`
12 for information about how and where to override things.
12 for information about how and where to override things.
13
13
14 Structure
14 Structure
15 =========
15 =========
16
16
17 The configuration files use a simple ini-file format. A configuration
17 The configuration files use a simple ini-file format. A configuration
18 file consists of sections, led by a ``[section]`` header and followed
18 file consists of sections, led by a ``[section]`` header and followed
19 by ``name = value`` entries::
19 by ``name = value`` entries::
20
20
21 [ui]
21 [ui]
22 username = Firstname Lastname <firstname.lastname@example.net>
22 username = Firstname Lastname <firstname.lastname@example.net>
23 verbose = True
23 verbose = True
24
24
25 The above entries will be referred to as ``ui.username`` and
25 The above entries will be referred to as ``ui.username`` and
26 ``ui.verbose``, respectively. See :hg:`help config.syntax`.
26 ``ui.verbose``, respectively. See :hg:`help config.syntax`.
27
27
28 Files
28 Files
29 =====
29 =====
30
30
31 Mercurial reads configuration data from several files, if they exist.
31 Mercurial reads configuration data from several files, if they exist.
32 These files do not exist by default and you will have to create the
32 These files do not exist by default and you will have to create the
33 appropriate configuration files yourself:
33 appropriate configuration files yourself:
34
34
35 Local configuration is put into the per-repository ``<repo>/.hg/hgrc`` file.
35 Local configuration is put into the per-repository ``<repo>/.hg/hgrc`` file.
36
36
37 Global configuration like the username setting is typically put into:
37 Global configuration like the username setting is typically put into:
38
38
39 .. container:: windows
39 .. container:: windows
40
40
41 - ``%USERPROFILE%\mercurial.ini`` (on Windows)
41 - ``%USERPROFILE%\mercurial.ini`` (on Windows)
42
42
43 .. container:: unix.plan9
43 .. container:: unix.plan9
44
44
45 - ``$HOME/.hgrc`` (on Unix, Plan9)
45 - ``$HOME/.hgrc`` (on Unix, Plan9)
46
46
47 The names of these files depend on the system on which Mercurial is
47 The names of these files depend on the system on which Mercurial is
48 installed. ``*.rc`` files from a single directory are read in
48 installed. ``*.rc`` files from a single directory are read in
49 alphabetical order, later ones overriding earlier ones. Where multiple
49 alphabetical order, later ones overriding earlier ones. Where multiple
50 paths are given below, settings from earlier paths override later
50 paths are given below, settings from earlier paths override later
51 ones.
51 ones.
52
52
53 .. container:: verbose.unix
53 .. container:: verbose.unix
54
54
55 On Unix, the following files are consulted:
55 On Unix, the following files are consulted:
56
56
57 - ``<repo>/.hg/hgrc`` (per-repository)
57 - ``<repo>/.hg/hgrc`` (per-repository)
58 - ``$HOME/.hgrc`` (per-user)
58 - ``$HOME/.hgrc`` (per-user)
59 - ``<install-root>/etc/mercurial/hgrc`` (per-installation)
59 - ``<install-root>/etc/mercurial/hgrc`` (per-installation)
60 - ``<install-root>/etc/mercurial/hgrc.d/*.rc`` (per-installation)
60 - ``<install-root>/etc/mercurial/hgrc.d/*.rc`` (per-installation)
61 - ``/etc/mercurial/hgrc`` (per-system)
61 - ``/etc/mercurial/hgrc`` (per-system)
62 - ``/etc/mercurial/hgrc.d/*.rc`` (per-system)
62 - ``/etc/mercurial/hgrc.d/*.rc`` (per-system)
63 - ``<internal>/default.d/*.rc`` (defaults)
63 - ``<internal>/default.d/*.rc`` (defaults)
64
64
65 .. container:: verbose.windows
65 .. container:: verbose.windows
66
66
67 On Windows, the following files are consulted:
67 On Windows, the following files are consulted:
68
68
69 - ``<repo>/.hg/hgrc`` (per-repository)
69 - ``<repo>/.hg/hgrc`` (per-repository)
70 - ``%USERPROFILE%\.hgrc`` (per-user)
70 - ``%USERPROFILE%\.hgrc`` (per-user)
71 - ``%USERPROFILE%\Mercurial.ini`` (per-user)
71 - ``%USERPROFILE%\Mercurial.ini`` (per-user)
72 - ``%HOME%\.hgrc`` (per-user)
72 - ``%HOME%\.hgrc`` (per-user)
73 - ``%HOME%\Mercurial.ini`` (per-user)
73 - ``%HOME%\Mercurial.ini`` (per-user)
74 - ``HKEY_LOCAL_MACHINE\SOFTWARE\Mercurial`` (per-installation)
74 - ``HKEY_LOCAL_MACHINE\SOFTWARE\Mercurial`` (per-installation)
75 - ``<install-dir>\hgrc.d\*.rc`` (per-installation)
75 - ``<install-dir>\hgrc.d\*.rc`` (per-installation)
76 - ``<install-dir>\Mercurial.ini`` (per-installation)
76 - ``<install-dir>\Mercurial.ini`` (per-installation)
77 - ``<internal>/default.d/*.rc`` (defaults)
77 - ``<internal>/default.d/*.rc`` (defaults)
78
78
79 .. note::
79 .. note::
80
80
81 The registry key ``HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mercurial``
81 The registry key ``HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mercurial``
82 is used when running 32-bit Python on 64-bit Windows.
82 is used when running 32-bit Python on 64-bit Windows.
83
83
84 .. container:: windows
84 .. container:: windows
85
85
86 On Windows 9x, ``%HOME%`` is replaced by ``%APPDATA%``.
86 On Windows 9x, ``%HOME%`` is replaced by ``%APPDATA%``.
87
87
88 .. container:: verbose.plan9
88 .. container:: verbose.plan9
89
89
90 On Plan9, the following files are consulted:
90 On Plan9, the following files are consulted:
91
91
92 - ``<repo>/.hg/hgrc`` (per-repository)
92 - ``<repo>/.hg/hgrc`` (per-repository)
93 - ``$home/lib/hgrc`` (per-user)
93 - ``$home/lib/hgrc`` (per-user)
94 - ``<install-root>/lib/mercurial/hgrc`` (per-installation)
94 - ``<install-root>/lib/mercurial/hgrc`` (per-installation)
95 - ``<install-root>/lib/mercurial/hgrc.d/*.rc`` (per-installation)
95 - ``<install-root>/lib/mercurial/hgrc.d/*.rc`` (per-installation)
96 - ``/lib/mercurial/hgrc`` (per-system)
96 - ``/lib/mercurial/hgrc`` (per-system)
97 - ``/lib/mercurial/hgrc.d/*.rc`` (per-system)
97 - ``/lib/mercurial/hgrc.d/*.rc`` (per-system)
98 - ``<internal>/default.d/*.rc`` (defaults)
98 - ``<internal>/default.d/*.rc`` (defaults)
99
99
100 Per-repository configuration options only apply in a
100 Per-repository configuration options only apply in a
101 particular repository. This file is not version-controlled, and
101 particular repository. This file is not version-controlled, and
102 will not get transferred during a "clone" operation. Options in
102 will not get transferred during a "clone" operation. Options in
103 this file override options in all other configuration files.
103 this file override options in all other configuration files.
104
104
105 .. container:: unix.plan9
105 .. container:: unix.plan9
106
106
107 On Plan 9 and Unix, most of this file will be ignored if it doesn't
107 On Plan 9 and Unix, most of this file will be ignored if it doesn't
108 belong to a trusted user or to a trusted group. See
108 belong to a trusted user or to a trusted group. See
109 :hg:`help config.trusted` for more details.
109 :hg:`help config.trusted` for more details.
110
110
111 Per-user configuration file(s) are for the user running Mercurial. Options
111 Per-user configuration file(s) are for the user running Mercurial. Options
112 in these files apply to all Mercurial commands executed by this user in any
112 in these files apply to all Mercurial commands executed by this user in any
113 directory. Options in these files override per-system and per-installation
113 directory. Options in these files override per-system and per-installation
114 options.
114 options.
115
115
116 Per-installation configuration files are searched for in the
116 Per-installation configuration files are searched for in the
117 directory where Mercurial is installed. ``<install-root>`` is the
117 directory where Mercurial is installed. ``<install-root>`` is the
118 parent directory of the **hg** executable (or symlink) being run.
118 parent directory of the **hg** executable (or symlink) being run.
119
119
120 .. container:: unix.plan9
120 .. container:: unix.plan9
121
121
122 For example, if installed in ``/shared/tools/bin/hg``, Mercurial
122 For example, if installed in ``/shared/tools/bin/hg``, Mercurial
123 will look in ``/shared/tools/etc/mercurial/hgrc``. Options in these
123 will look in ``/shared/tools/etc/mercurial/hgrc``. Options in these
124 files apply to all Mercurial commands executed by any user in any
124 files apply to all Mercurial commands executed by any user in any
125 directory.
125 directory.
126
126
127 Per-installation configuration files are for the system on
127 Per-installation configuration files are for the system on
128 which Mercurial is running. Options in these files apply to all
128 which Mercurial is running. Options in these files apply to all
129 Mercurial commands executed by any user in any directory. Registry
129 Mercurial commands executed by any user in any directory. Registry
130 keys contain PATH-like strings, every part of which must reference
130 keys contain PATH-like strings, every part of which must reference
131 a ``Mercurial.ini`` file or be a directory where ``*.rc`` files will
131 a ``Mercurial.ini`` file or be a directory where ``*.rc`` files will
132 be read. Mercurial checks each of these locations in the specified
132 be read. Mercurial checks each of these locations in the specified
133 order until one or more configuration files are detected.
133 order until one or more configuration files are detected.
134
134
135 Per-system configuration files are for the system on which Mercurial
135 Per-system configuration files are for the system on which Mercurial
136 is running. Options in these files apply to all Mercurial commands
136 is running. Options in these files apply to all Mercurial commands
137 executed by any user in any directory. Options in these files
137 executed by any user in any directory. Options in these files
138 override per-installation options.
138 override per-installation options.
139
139
140 Mercurial comes with some default configuration. The default configuration
140 Mercurial comes with some default configuration. The default configuration
141 files are installed with Mercurial and will be overwritten on upgrades. Default
141 files are installed with Mercurial and will be overwritten on upgrades. Default
142 configuration files should never be edited by users or administrators but can
142 configuration files should never be edited by users or administrators but can
143 be overridden in other configuration files. So far the directory only contains
143 be overridden in other configuration files. So far the directory only contains
144 merge tool configuration but packagers can also put other default configuration
144 merge tool configuration but packagers can also put other default configuration
145 there.
145 there.
146
146
147 Syntax
147 Syntax
148 ======
148 ======
149
149
150 A configuration file consists of sections, led by a ``[section]`` header
150 A configuration file consists of sections, led by a ``[section]`` header
151 and followed by ``name = value`` entries (sometimes called
151 and followed by ``name = value`` entries (sometimes called
152 ``configuration keys``)::
152 ``configuration keys``)::
153
153
154 [spam]
154 [spam]
155 eggs=ham
155 eggs=ham
156 green=
156 green=
157 eggs
157 eggs
158
158
159 Each line contains one entry. If the lines that follow are indented,
159 Each line contains one entry. If the lines that follow are indented,
160 they are treated as continuations of that entry. Leading whitespace is
160 they are treated as continuations of that entry. Leading whitespace is
161 removed from values. Empty lines are skipped. Lines beginning with
161 removed from values. Empty lines are skipped. Lines beginning with
162 ``#`` or ``;`` are ignored and may be used to provide comments.
162 ``#`` or ``;`` are ignored and may be used to provide comments.
163
163
164 Configuration keys can be set multiple times, in which case Mercurial
164 Configuration keys can be set multiple times, in which case Mercurial
165 will use the value that was configured last. As an example::
165 will use the value that was configured last. As an example::
166
166
167 [spam]
167 [spam]
168 eggs=large
168 eggs=large
169 ham=serrano
169 ham=serrano
170 eggs=small
170 eggs=small
171
171
172 This would set the configuration key named ``eggs`` to ``small``.
172 This would set the configuration key named ``eggs`` to ``small``.
173
173
174 It is also possible to define a section multiple times. A section can
174 It is also possible to define a section multiple times. A section can
175 be redefined on the same and/or on different configuration files. For
175 be redefined on the same and/or on different configuration files. For
176 example::
176 example::
177
177
178 [foo]
178 [foo]
179 eggs=large
179 eggs=large
180 ham=serrano
180 ham=serrano
181 eggs=small
181 eggs=small
182
182
183 [bar]
183 [bar]
184 eggs=ham
184 eggs=ham
185 green=
185 green=
186 eggs
186 eggs
187
187
188 [foo]
188 [foo]
189 ham=prosciutto
189 ham=prosciutto
190 eggs=medium
190 eggs=medium
191 bread=toasted
191 bread=toasted
192
192
193 This would set the ``eggs``, ``ham``, and ``bread`` configuration keys
193 This would set the ``eggs``, ``ham``, and ``bread`` configuration keys
194 of the ``foo`` section to ``medium``, ``prosciutto``, and ``toasted``,
194 of the ``foo`` section to ``medium``, ``prosciutto``, and ``toasted``,
195 respectively. As you can see there only thing that matters is the last
195 respectively. As you can see there only thing that matters is the last
196 value that was set for each of the configuration keys.
196 value that was set for each of the configuration keys.
197
197
198 If a configuration key is set multiple times in different
198 If a configuration key is set multiple times in different
199 configuration files the final value will depend on the order in which
199 configuration files the final value will depend on the order in which
200 the different configuration files are read, with settings from earlier
200 the different configuration files are read, with settings from earlier
201 paths overriding later ones as described on the ``Files`` section
201 paths overriding later ones as described on the ``Files`` section
202 above.
202 above.
203
203
204 A line of the form ``%include file`` will include ``file`` into the
204 A line of the form ``%include file`` will include ``file`` into the
205 current configuration file. The inclusion is recursive, which means
205 current configuration file. The inclusion is recursive, which means
206 that included files can include other files. Filenames are relative to
206 that included files can include other files. Filenames are relative to
207 the configuration file in which the ``%include`` directive is found.
207 the configuration file in which the ``%include`` directive is found.
208 Environment variables and ``~user`` constructs are expanded in
208 Environment variables and ``~user`` constructs are expanded in
209 ``file``. This lets you do something like::
209 ``file``. This lets you do something like::
210
210
211 %include ~/.hgrc.d/$HOST.rc
211 %include ~/.hgrc.d/$HOST.rc
212
212
213 to include a different configuration file on each computer you use.
213 to include a different configuration file on each computer you use.
214
214
215 A line with ``%unset name`` will remove ``name`` from the current
215 A line with ``%unset name`` will remove ``name`` from the current
216 section, if it has been set previously.
216 section, if it has been set previously.
217
217
218 The values are either free-form text strings, lists of text strings,
218 The values are either free-form text strings, lists of text strings,
219 or Boolean values. Boolean values can be set to true using any of "1",
219 or Boolean values. Boolean values can be set to true using any of "1",
220 "yes", "true", or "on" and to false using "0", "no", "false", or "off"
220 "yes", "true", or "on" and to false using "0", "no", "false", or "off"
221 (all case insensitive).
221 (all case insensitive).
222
222
223 List values are separated by whitespace or comma, except when values are
223 List values are separated by whitespace or comma, except when values are
224 placed in double quotation marks::
224 placed in double quotation marks::
225
225
226 allow_read = "John Doe, PhD", brian, betty
226 allow_read = "John Doe, PhD", brian, betty
227
227
228 Quotation marks can be escaped by prefixing them with a backslash. Only
228 Quotation marks can be escaped by prefixing them with a backslash. Only
229 quotation marks at the beginning of a word is counted as a quotation
229 quotation marks at the beginning of a word is counted as a quotation
230 (e.g., ``foo"bar baz`` is the list of ``foo"bar`` and ``baz``).
230 (e.g., ``foo"bar baz`` is the list of ``foo"bar`` and ``baz``).
231
231
232 Sections
232 Sections
233 ========
233 ========
234
234
235 This section describes the different sections that may appear in a
235 This section describes the different sections that may appear in a
236 Mercurial configuration file, the purpose of each section, its possible
236 Mercurial configuration file, the purpose of each section, its possible
237 keys, and their possible values.
237 keys, and their possible values.
238
238
239 ``alias``
239 ``alias``
240 ---------
240 ---------
241
241
242 Defines command aliases.
242 Defines command aliases.
243
243
244 Aliases allow you to define your own commands in terms of other
244 Aliases allow you to define your own commands in terms of other
245 commands (or aliases), optionally including arguments. Positional
245 commands (or aliases), optionally including arguments. Positional
246 arguments in the form of ``$1``, ``$2``, etc. in the alias definition
246 arguments in the form of ``$1``, ``$2``, etc. in the alias definition
247 are expanded by Mercurial before execution. Positional arguments not
247 are expanded by Mercurial before execution. Positional arguments not
248 already used by ``$N`` in the definition are put at the end of the
248 already used by ``$N`` in the definition are put at the end of the
249 command to be executed.
249 command to be executed.
250
250
251 Alias definitions consist of lines of the form::
251 Alias definitions consist of lines of the form::
252
252
253 <alias> = <command> [<argument>]...
253 <alias> = <command> [<argument>]...
254
254
255 For example, this definition::
255 For example, this definition::
256
256
257 latest = log --limit 5
257 latest = log --limit 5
258
258
259 creates a new command ``latest`` that shows only the five most recent
259 creates a new command ``latest`` that shows only the five most recent
260 changesets. You can define subsequent aliases using earlier ones::
260 changesets. You can define subsequent aliases using earlier ones::
261
261
262 stable5 = latest -b stable
262 stable5 = latest -b stable
263
263
264 .. note::
264 .. note::
265
265
266 It is possible to create aliases with the same names as
266 It is possible to create aliases with the same names as
267 existing commands, which will then override the original
267 existing commands, which will then override the original
268 definitions. This is almost always a bad idea!
268 definitions. This is almost always a bad idea!
269
269
270 An alias can start with an exclamation point (``!``) to make it a
270 An alias can start with an exclamation point (``!``) to make it a
271 shell alias. A shell alias is executed with the shell and will let you
271 shell alias. A shell alias is executed with the shell and will let you
272 run arbitrary commands. As an example, ::
272 run arbitrary commands. As an example, ::
273
273
274 echo = !echo $@
274 echo = !echo $@
275
275
276 will let you do ``hg echo foo`` to have ``foo`` printed in your
276 will let you do ``hg echo foo`` to have ``foo`` printed in your
277 terminal. A better example might be::
277 terminal. A better example might be::
278
278
279 purge = !$HG status --no-status --unknown -0 re: | xargs -0 rm
279 purge = !$HG status --no-status --unknown -0 re: | xargs -0 rm
280
280
281 which will make ``hg purge`` delete all unknown files in the
281 which will make ``hg purge`` delete all unknown files in the
282 repository in the same manner as the purge extension.
282 repository in the same manner as the purge extension.
283
283
284 Positional arguments like ``$1``, ``$2``, etc. in the alias definition
284 Positional arguments like ``$1``, ``$2``, etc. in the alias definition
285 expand to the command arguments. Unmatched arguments are
285 expand to the command arguments. Unmatched arguments are
286 removed. ``$0`` expands to the alias name and ``$@`` expands to all
286 removed. ``$0`` expands to the alias name and ``$@`` expands to all
287 arguments separated by a space. ``"$@"`` (with quotes) expands to all
287 arguments separated by a space. ``"$@"`` (with quotes) expands to all
288 arguments quoted individually and separated by a space. These expansions
288 arguments quoted individually and separated by a space. These expansions
289 happen before the command is passed to the shell.
289 happen before the command is passed to the shell.
290
290
291 Shell aliases are executed in an environment where ``$HG`` expands to
291 Shell aliases are executed in an environment where ``$HG`` expands to
292 the path of the Mercurial that was used to execute the alias. This is
292 the path of the Mercurial that was used to execute the alias. This is
293 useful when you want to call further Mercurial commands in a shell
293 useful when you want to call further Mercurial commands in a shell
294 alias, as was done above for the purge alias. In addition,
294 alias, as was done above for the purge alias. In addition,
295 ``$HG_ARGS`` expands to the arguments given to Mercurial. In the ``hg
295 ``$HG_ARGS`` expands to the arguments given to Mercurial. In the ``hg
296 echo foo`` call above, ``$HG_ARGS`` would expand to ``echo foo``.
296 echo foo`` call above, ``$HG_ARGS`` would expand to ``echo foo``.
297
297
298 .. note::
298 .. note::
299
299
300 Some global configuration options such as ``-R`` are
300 Some global configuration options such as ``-R`` are
301 processed before shell aliases and will thus not be passed to
301 processed before shell aliases and will thus not be passed to
302 aliases.
302 aliases.
303
303
304
304
305 ``annotate``
305 ``annotate``
306 ------------
306 ------------
307
307
308 Settings used when displaying file annotations. All values are
308 Settings used when displaying file annotations. All values are
309 Booleans and default to False. See :hg:`help config.diff` for
309 Booleans and default to False. See :hg:`help config.diff` for
310 related options for the diff command.
310 related options for the diff command.
311
311
312 ``ignorews``
312 ``ignorews``
313 Ignore white space when comparing lines.
313 Ignore white space when comparing lines.
314
314
315 ``ignorewsamount``
315 ``ignorewsamount``
316 Ignore changes in the amount of white space.
316 Ignore changes in the amount of white space.
317
317
318 ``ignoreblanklines``
318 ``ignoreblanklines``
319 Ignore changes whose lines are all blank.
319 Ignore changes whose lines are all blank.
320
320
321
321
322 ``auth``
322 ``auth``
323 --------
323 --------
324
324
325 Authentication credentials for HTTP authentication. This section
325 Authentication credentials for HTTP authentication. This section
326 allows you to store usernames and passwords for use when logging
326 allows you to store usernames and passwords for use when logging
327 *into* HTTP servers. See :hg:`help config.web` if
327 *into* HTTP servers. See :hg:`help config.web` if
328 you want to configure *who* can login to your HTTP server.
328 you want to configure *who* can login to your HTTP server.
329
329
330 Each line has the following format::
330 Each line has the following format::
331
331
332 <name>.<argument> = <value>
332 <name>.<argument> = <value>
333
333
334 where ``<name>`` is used to group arguments into authentication
334 where ``<name>`` is used to group arguments into authentication
335 entries. Example::
335 entries. Example::
336
336
337 foo.prefix = hg.intevation.de/mercurial
337 foo.prefix = hg.intevation.de/mercurial
338 foo.username = foo
338 foo.username = foo
339 foo.password = bar
339 foo.password = bar
340 foo.schemes = http https
340 foo.schemes = http https
341
341
342 bar.prefix = secure.example.org
342 bar.prefix = secure.example.org
343 bar.key = path/to/file.key
343 bar.key = path/to/file.key
344 bar.cert = path/to/file.cert
344 bar.cert = path/to/file.cert
345 bar.schemes = https
345 bar.schemes = https
346
346
347 Supported arguments:
347 Supported arguments:
348
348
349 ``prefix``
349 ``prefix``
350 Either ``*`` or a URI prefix with or without the scheme part.
350 Either ``*`` or a URI prefix with or without the scheme part.
351 The authentication entry with the longest matching prefix is used
351 The authentication entry with the longest matching prefix is used
352 (where ``*`` matches everything and counts as a match of length
352 (where ``*`` matches everything and counts as a match of length
353 1). If the prefix doesn't include a scheme, the match is performed
353 1). If the prefix doesn't include a scheme, the match is performed
354 against the URI with its scheme stripped as well, and the schemes
354 against the URI with its scheme stripped as well, and the schemes
355 argument, q.v., is then subsequently consulted.
355 argument, q.v., is then subsequently consulted.
356
356
357 ``username``
357 ``username``
358 Optional. Username to authenticate with. If not given, and the
358 Optional. Username to authenticate with. If not given, and the
359 remote site requires basic or digest authentication, the user will
359 remote site requires basic or digest authentication, the user will
360 be prompted for it. Environment variables are expanded in the
360 be prompted for it. Environment variables are expanded in the
361 username letting you do ``foo.username = $USER``. If the URI
361 username letting you do ``foo.username = $USER``. If the URI
362 includes a username, only ``[auth]`` entries with a matching
362 includes a username, only ``[auth]`` entries with a matching
363 username or without a username will be considered.
363 username or without a username will be considered.
364
364
365 ``password``
365 ``password``
366 Optional. Password to authenticate with. If not given, and the
366 Optional. Password to authenticate with. If not given, and the
367 remote site requires basic or digest authentication, the user
367 remote site requires basic or digest authentication, the user
368 will be prompted for it.
368 will be prompted for it.
369
369
370 ``key``
370 ``key``
371 Optional. PEM encoded client certificate key file. Environment
371 Optional. PEM encoded client certificate key file. Environment
372 variables are expanded in the filename.
372 variables are expanded in the filename.
373
373
374 ``cert``
374 ``cert``
375 Optional. PEM encoded client certificate chain file. Environment
375 Optional. PEM encoded client certificate chain file. Environment
376 variables are expanded in the filename.
376 variables are expanded in the filename.
377
377
378 ``schemes``
378 ``schemes``
379 Optional. Space separated list of URI schemes to use this
379 Optional. Space separated list of URI schemes to use this
380 authentication entry with. Only used if the prefix doesn't include
380 authentication entry with. Only used if the prefix doesn't include
381 a scheme. Supported schemes are http and https. They will match
381 a scheme. Supported schemes are http and https. They will match
382 static-http and static-https respectively, as well.
382 static-http and static-https respectively, as well.
383 (default: https)
383 (default: https)
384
384
385 If no suitable authentication entry is found, the user is prompted
385 If no suitable authentication entry is found, the user is prompted
386 for credentials as usual if required by the remote.
386 for credentials as usual if required by the remote.
387
387
388
388
389 ``committemplate``
389 ``committemplate``
390 ------------------
390 ------------------
391
391
392 ``changeset``
392 ``changeset``
393 String: configuration in this section is used as the template to
393 String: configuration in this section is used as the template to
394 customize the text shown in the editor when committing.
394 customize the text shown in the editor when committing.
395
395
396 In addition to pre-defined template keywords, commit log specific one
396 In addition to pre-defined template keywords, commit log specific one
397 below can be used for customization:
397 below can be used for customization:
398
398
399 ``extramsg``
399 ``extramsg``
400 String: Extra message (typically 'Leave message empty to abort
400 String: Extra message (typically 'Leave message empty to abort
401 commit.'). This may be changed by some commands or extensions.
401 commit.'). This may be changed by some commands or extensions.
402
402
403 For example, the template configuration below shows as same text as
403 For example, the template configuration below shows as same text as
404 one shown by default::
404 one shown by default::
405
405
406 [committemplate]
406 [committemplate]
407 changeset = {desc}\n\n
407 changeset = {desc}\n\n
408 HG: Enter commit message. Lines beginning with 'HG:' are removed.
408 HG: Enter commit message. Lines beginning with 'HG:' are removed.
409 HG: {extramsg}
409 HG: {extramsg}
410 HG: --
410 HG: --
411 HG: user: {author}\n{ifeq(p2rev, "-1", "",
411 HG: user: {author}\n{ifeq(p2rev, "-1", "",
412 "HG: branch merge\n")
412 "HG: branch merge\n")
413 }HG: branch '{branch}'\n{if(activebookmark,
413 }HG: branch '{branch}'\n{if(activebookmark,
414 "HG: bookmark '{activebookmark}'\n") }{subrepos %
414 "HG: bookmark '{activebookmark}'\n") }{subrepos %
415 "HG: subrepo {subrepo}\n" }{file_adds %
415 "HG: subrepo {subrepo}\n" }{file_adds %
416 "HG: added {file}\n" }{file_mods %
416 "HG: added {file}\n" }{file_mods %
417 "HG: changed {file}\n" }{file_dels %
417 "HG: changed {file}\n" }{file_dels %
418 "HG: removed {file}\n" }{if(files, "",
418 "HG: removed {file}\n" }{if(files, "",
419 "HG: no files changed\n")}
419 "HG: no files changed\n")}
420
420
421 .. note::
421 .. note::
422
422
423 For some problematic encodings (see :hg:`help win32mbcs` for
423 For some problematic encodings (see :hg:`help win32mbcs` for
424 detail), this customization should be configured carefully, to
424 detail), this customization should be configured carefully, to
425 avoid showing broken characters.
425 avoid showing broken characters.
426
426
427 For example, if a multibyte character ending with backslash (0x5c) is
427 For example, if a multibyte character ending with backslash (0x5c) is
428 followed by the ASCII character 'n' in the customized template,
428 followed by the ASCII character 'n' in the customized template,
429 the sequence of backslash and 'n' is treated as line-feed unexpectedly
429 the sequence of backslash and 'n' is treated as line-feed unexpectedly
430 (and the multibyte character is broken, too).
430 (and the multibyte character is broken, too).
431
431
432 Customized template is used for commands below (``--edit`` may be
432 Customized template is used for commands below (``--edit`` may be
433 required):
433 required):
434
434
435 - :hg:`backout`
435 - :hg:`backout`
436 - :hg:`commit`
436 - :hg:`commit`
437 - :hg:`fetch` (for merge commit only)
437 - :hg:`fetch` (for merge commit only)
438 - :hg:`graft`
438 - :hg:`graft`
439 - :hg:`histedit`
439 - :hg:`histedit`
440 - :hg:`import`
440 - :hg:`import`
441 - :hg:`qfold`, :hg:`qnew` and :hg:`qrefresh`
441 - :hg:`qfold`, :hg:`qnew` and :hg:`qrefresh`
442 - :hg:`rebase`
442 - :hg:`rebase`
443 - :hg:`shelve`
443 - :hg:`shelve`
444 - :hg:`sign`
444 - :hg:`sign`
445 - :hg:`tag`
445 - :hg:`tag`
446 - :hg:`transplant`
446 - :hg:`transplant`
447
447
448 Configuring items below instead of ``changeset`` allows showing
448 Configuring items below instead of ``changeset`` allows showing
449 customized message only for specific actions, or showing different
449 customized message only for specific actions, or showing different
450 messages for each action.
450 messages for each action.
451
451
452 - ``changeset.backout`` for :hg:`backout`
452 - ``changeset.backout`` for :hg:`backout`
453 - ``changeset.commit.amend.merge`` for :hg:`commit --amend` on merges
453 - ``changeset.commit.amend.merge`` for :hg:`commit --amend` on merges
454 - ``changeset.commit.amend.normal`` for :hg:`commit --amend` on other
454 - ``changeset.commit.amend.normal`` for :hg:`commit --amend` on other
455 - ``changeset.commit.normal.merge`` for :hg:`commit` on merges
455 - ``changeset.commit.normal.merge`` for :hg:`commit` on merges
456 - ``changeset.commit.normal.normal`` for :hg:`commit` on other
456 - ``changeset.commit.normal.normal`` for :hg:`commit` on other
457 - ``changeset.fetch`` for :hg:`fetch` (impling merge commit)
457 - ``changeset.fetch`` for :hg:`fetch` (impling merge commit)
458 - ``changeset.gpg.sign`` for :hg:`sign`
458 - ``changeset.gpg.sign`` for :hg:`sign`
459 - ``changeset.graft`` for :hg:`graft`
459 - ``changeset.graft`` for :hg:`graft`
460 - ``changeset.histedit.edit`` for ``edit`` of :hg:`histedit`
460 - ``changeset.histedit.edit`` for ``edit`` of :hg:`histedit`
461 - ``changeset.histedit.fold`` for ``fold`` of :hg:`histedit`
461 - ``changeset.histedit.fold`` for ``fold`` of :hg:`histedit`
462 - ``changeset.histedit.mess`` for ``mess`` of :hg:`histedit`
462 - ``changeset.histedit.mess`` for ``mess`` of :hg:`histedit`
463 - ``changeset.histedit.pick`` for ``pick`` of :hg:`histedit`
463 - ``changeset.histedit.pick`` for ``pick`` of :hg:`histedit`
464 - ``changeset.import.bypass`` for :hg:`import --bypass`
464 - ``changeset.import.bypass`` for :hg:`import --bypass`
465 - ``changeset.import.normal.merge`` for :hg:`import` on merges
465 - ``changeset.import.normal.merge`` for :hg:`import` on merges
466 - ``changeset.import.normal.normal`` for :hg:`import` on other
466 - ``changeset.import.normal.normal`` for :hg:`import` on other
467 - ``changeset.mq.qnew`` for :hg:`qnew`
467 - ``changeset.mq.qnew`` for :hg:`qnew`
468 - ``changeset.mq.qfold`` for :hg:`qfold`
468 - ``changeset.mq.qfold`` for :hg:`qfold`
469 - ``changeset.mq.qrefresh`` for :hg:`qrefresh`
469 - ``changeset.mq.qrefresh`` for :hg:`qrefresh`
470 - ``changeset.rebase.collapse`` for :hg:`rebase --collapse`
470 - ``changeset.rebase.collapse`` for :hg:`rebase --collapse`
471 - ``changeset.rebase.merge`` for :hg:`rebase` on merges
471 - ``changeset.rebase.merge`` for :hg:`rebase` on merges
472 - ``changeset.rebase.normal`` for :hg:`rebase` on other
472 - ``changeset.rebase.normal`` for :hg:`rebase` on other
473 - ``changeset.shelve.shelve`` for :hg:`shelve`
473 - ``changeset.shelve.shelve`` for :hg:`shelve`
474 - ``changeset.tag.add`` for :hg:`tag` without ``--remove``
474 - ``changeset.tag.add`` for :hg:`tag` without ``--remove``
475 - ``changeset.tag.remove`` for :hg:`tag --remove`
475 - ``changeset.tag.remove`` for :hg:`tag --remove`
476 - ``changeset.transplant.merge`` for :hg:`transplant` on merges
476 - ``changeset.transplant.merge`` for :hg:`transplant` on merges
477 - ``changeset.transplant.normal`` for :hg:`transplant` on other
477 - ``changeset.transplant.normal`` for :hg:`transplant` on other
478
478
479 These dot-separated lists of names are treated as hierarchical ones.
479 These dot-separated lists of names are treated as hierarchical ones.
480 For example, ``changeset.tag.remove`` customizes the commit message
480 For example, ``changeset.tag.remove`` customizes the commit message
481 only for :hg:`tag --remove`, but ``changeset.tag`` customizes the
481 only for :hg:`tag --remove`, but ``changeset.tag`` customizes the
482 commit message for :hg:`tag` regardless of ``--remove`` option.
482 commit message for :hg:`tag` regardless of ``--remove`` option.
483
483
484 When the external editor is invoked for a commit, the corresponding
484 When the external editor is invoked for a commit, the corresponding
485 dot-separated list of names without the ``changeset.`` prefix
485 dot-separated list of names without the ``changeset.`` prefix
486 (e.g. ``commit.normal.normal``) is in the ``HGEDITFORM`` environment
486 (e.g. ``commit.normal.normal``) is in the ``HGEDITFORM`` environment
487 variable.
487 variable.
488
488
489 In this section, items other than ``changeset`` can be referred from
489 In this section, items other than ``changeset`` can be referred from
490 others. For example, the configuration to list committed files up
490 others. For example, the configuration to list committed files up
491 below can be referred as ``{listupfiles}``::
491 below can be referred as ``{listupfiles}``::
492
492
493 [committemplate]
493 [committemplate]
494 listupfiles = {file_adds %
494 listupfiles = {file_adds %
495 "HG: added {file}\n" }{file_mods %
495 "HG: added {file}\n" }{file_mods %
496 "HG: changed {file}\n" }{file_dels %
496 "HG: changed {file}\n" }{file_dels %
497 "HG: removed {file}\n" }{if(files, "",
497 "HG: removed {file}\n" }{if(files, "",
498 "HG: no files changed\n")}
498 "HG: no files changed\n")}
499
499
500 ``decode/encode``
500 ``decode/encode``
501 -----------------
501 -----------------
502
502
503 Filters for transforming files on checkout/checkin. This would
503 Filters for transforming files on checkout/checkin. This would
504 typically be used for newline processing or other
504 typically be used for newline processing or other
505 localization/canonicalization of files.
505 localization/canonicalization of files.
506
506
507 Filters consist of a filter pattern followed by a filter command.
507 Filters consist of a filter pattern followed by a filter command.
508 Filter patterns are globs by default, rooted at the repository root.
508 Filter patterns are globs by default, rooted at the repository root.
509 For example, to match any file ending in ``.txt`` in the root
509 For example, to match any file ending in ``.txt`` in the root
510 directory only, use the pattern ``*.txt``. To match any file ending
510 directory only, use the pattern ``*.txt``. To match any file ending
511 in ``.c`` anywhere in the repository, use the pattern ``**.c``.
511 in ``.c`` anywhere in the repository, use the pattern ``**.c``.
512 For each file only the first matching filter applies.
512 For each file only the first matching filter applies.
513
513
514 The filter command can start with a specifier, either ``pipe:`` or
514 The filter command can start with a specifier, either ``pipe:`` or
515 ``tempfile:``. If no specifier is given, ``pipe:`` is used by default.
515 ``tempfile:``. If no specifier is given, ``pipe:`` is used by default.
516
516
517 A ``pipe:`` command must accept data on stdin and return the transformed
517 A ``pipe:`` command must accept data on stdin and return the transformed
518 data on stdout.
518 data on stdout.
519
519
520 Pipe example::
520 Pipe example::
521
521
522 [encode]
522 [encode]
523 # uncompress gzip files on checkin to improve delta compression
523 # uncompress gzip files on checkin to improve delta compression
524 # note: not necessarily a good idea, just an example
524 # note: not necessarily a good idea, just an example
525 *.gz = pipe: gunzip
525 *.gz = pipe: gunzip
526
526
527 [decode]
527 [decode]
528 # recompress gzip files when writing them to the working dir (we
528 # recompress gzip files when writing them to the working dir (we
529 # can safely omit "pipe:", because it's the default)
529 # can safely omit "pipe:", because it's the default)
530 *.gz = gzip
530 *.gz = gzip
531
531
532 A ``tempfile:`` command is a template. The string ``INFILE`` is replaced
532 A ``tempfile:`` command is a template. The string ``INFILE`` is replaced
533 with the name of a temporary file that contains the data to be
533 with the name of a temporary file that contains the data to be
534 filtered by the command. The string ``OUTFILE`` is replaced with the name
534 filtered by the command. The string ``OUTFILE`` is replaced with the name
535 of an empty temporary file, where the filtered data must be written by
535 of an empty temporary file, where the filtered data must be written by
536 the command.
536 the command.
537
537
538 .. container:: windows
538 .. container:: windows
539
539
540 .. note::
540 .. note::
541
541
542 The tempfile mechanism is recommended for Windows systems,
542 The tempfile mechanism is recommended for Windows systems,
543 where the standard shell I/O redirection operators often have
543 where the standard shell I/O redirection operators often have
544 strange effects and may corrupt the contents of your files.
544 strange effects and may corrupt the contents of your files.
545
545
546 This filter mechanism is used internally by the ``eol`` extension to
546 This filter mechanism is used internally by the ``eol`` extension to
547 translate line ending characters between Windows (CRLF) and Unix (LF)
547 translate line ending characters between Windows (CRLF) and Unix (LF)
548 format. We suggest you use the ``eol`` extension for convenience.
548 format. We suggest you use the ``eol`` extension for convenience.
549
549
550
550
551 ``defaults``
551 ``defaults``
552 ------------
552 ------------
553
553
554 (defaults are deprecated. Don't use them. Use aliases instead.)
554 (defaults are deprecated. Don't use them. Use aliases instead.)
555
555
556 Use the ``[defaults]`` section to define command defaults, i.e. the
556 Use the ``[defaults]`` section to define command defaults, i.e. the
557 default options/arguments to pass to the specified commands.
557 default options/arguments to pass to the specified commands.
558
558
559 The following example makes :hg:`log` run in verbose mode, and
559 The following example makes :hg:`log` run in verbose mode, and
560 :hg:`status` show only the modified files, by default::
560 :hg:`status` show only the modified files, by default::
561
561
562 [defaults]
562 [defaults]
563 log = -v
563 log = -v
564 status = -m
564 status = -m
565
565
566 The actual commands, instead of their aliases, must be used when
566 The actual commands, instead of their aliases, must be used when
567 defining command defaults. The command defaults will also be applied
567 defining command defaults. The command defaults will also be applied
568 to the aliases of the commands defined.
568 to the aliases of the commands defined.
569
569
570
570
571 ``diff``
571 ``diff``
572 --------
572 --------
573
573
574 Settings used when displaying diffs. Everything except for ``unified``
574 Settings used when displaying diffs. Everything except for ``unified``
575 is a Boolean and defaults to False. See :hg:`help config.annotate`
575 is a Boolean and defaults to False. See :hg:`help config.annotate`
576 for related options for the annotate command.
576 for related options for the annotate command.
577
577
578 ``git``
578 ``git``
579 Use git extended diff format.
579 Use git extended diff format.
580
580
581 ``nobinary``
581 ``nobinary``
582 Omit git binary patches.
582 Omit git binary patches.
583
583
584 ``nodates``
584 ``nodates``
585 Don't include dates in diff headers.
585 Don't include dates in diff headers.
586
586
587 ``noprefix``
587 ``noprefix``
588 Omit 'a/' and 'b/' prefixes from filenames. Ignored in plain mode.
588 Omit 'a/' and 'b/' prefixes from filenames. Ignored in plain mode.
589
589
590 ``showfunc``
590 ``showfunc``
591 Show which function each change is in.
591 Show which function each change is in.
592
592
593 ``ignorews``
593 ``ignorews``
594 Ignore white space when comparing lines.
594 Ignore white space when comparing lines.
595
595
596 ``ignorewsamount``
596 ``ignorewsamount``
597 Ignore changes in the amount of white space.
597 Ignore changes in the amount of white space.
598
598
599 ``ignoreblanklines``
599 ``ignoreblanklines``
600 Ignore changes whose lines are all blank.
600 Ignore changes whose lines are all blank.
601
601
602 ``unified``
602 ``unified``
603 Number of lines of context to show.
603 Number of lines of context to show.
604
604
605 ``email``
605 ``email``
606 ---------
606 ---------
607
607
608 Settings for extensions that send email messages.
608 Settings for extensions that send email messages.
609
609
610 ``from``
610 ``from``
611 Optional. Email address to use in "From" header and SMTP envelope
611 Optional. Email address to use in "From" header and SMTP envelope
612 of outgoing messages.
612 of outgoing messages.
613
613
614 ``to``
614 ``to``
615 Optional. Comma-separated list of recipients' email addresses.
615 Optional. Comma-separated list of recipients' email addresses.
616
616
617 ``cc``
617 ``cc``
618 Optional. Comma-separated list of carbon copy recipients'
618 Optional. Comma-separated list of carbon copy recipients'
619 email addresses.
619 email addresses.
620
620
621 ``bcc``
621 ``bcc``
622 Optional. Comma-separated list of blind carbon copy recipients'
622 Optional. Comma-separated list of blind carbon copy recipients'
623 email addresses.
623 email addresses.
624
624
625 ``method``
625 ``method``
626 Optional. Method to use to send email messages. If value is ``smtp``
626 Optional. Method to use to send email messages. If value is ``smtp``
627 (default), use SMTP (see the ``[smtp]`` section for configuration).
627 (default), use SMTP (see the ``[smtp]`` section for configuration).
628 Otherwise, use as name of program to run that acts like sendmail
628 Otherwise, use as name of program to run that acts like sendmail
629 (takes ``-f`` option for sender, list of recipients on command line,
629 (takes ``-f`` option for sender, list of recipients on command line,
630 message on stdin). Normally, setting this to ``sendmail`` or
630 message on stdin). Normally, setting this to ``sendmail`` or
631 ``/usr/sbin/sendmail`` is enough to use sendmail to send messages.
631 ``/usr/sbin/sendmail`` is enough to use sendmail to send messages.
632
632
633 ``charsets``
633 ``charsets``
634 Optional. Comma-separated list of character sets considered
634 Optional. Comma-separated list of character sets considered
635 convenient for recipients. Addresses, headers, and parts not
635 convenient for recipients. Addresses, headers, and parts not
636 containing patches of outgoing messages will be encoded in the
636 containing patches of outgoing messages will be encoded in the
637 first character set to which conversion from local encoding
637 first character set to which conversion from local encoding
638 (``$HGENCODING``, ``ui.fallbackencoding``) succeeds. If correct
638 (``$HGENCODING``, ``ui.fallbackencoding``) succeeds. If correct
639 conversion fails, the text in question is sent as is.
639 conversion fails, the text in question is sent as is.
640 (default: '')
640 (default: '')
641
641
642 Order of outgoing email character sets:
642 Order of outgoing email character sets:
643
643
644 1. ``us-ascii``: always first, regardless of settings
644 1. ``us-ascii``: always first, regardless of settings
645 2. ``email.charsets``: in order given by user
645 2. ``email.charsets``: in order given by user
646 3. ``ui.fallbackencoding``: if not in email.charsets
646 3. ``ui.fallbackencoding``: if not in email.charsets
647 4. ``$HGENCODING``: if not in email.charsets
647 4. ``$HGENCODING``: if not in email.charsets
648 5. ``utf-8``: always last, regardless of settings
648 5. ``utf-8``: always last, regardless of settings
649
649
650 Email example::
650 Email example::
651
651
652 [email]
652 [email]
653 from = Joseph User <joe.user@example.com>
653 from = Joseph User <joe.user@example.com>
654 method = /usr/sbin/sendmail
654 method = /usr/sbin/sendmail
655 # charsets for western Europeans
655 # charsets for western Europeans
656 # us-ascii, utf-8 omitted, as they are tried first and last
656 # us-ascii, utf-8 omitted, as they are tried first and last
657 charsets = iso-8859-1, iso-8859-15, windows-1252
657 charsets = iso-8859-1, iso-8859-15, windows-1252
658
658
659
659
660 ``extensions``
660 ``extensions``
661 --------------
661 --------------
662
662
663 Mercurial has an extension mechanism for adding new features. To
663 Mercurial has an extension mechanism for adding new features. To
664 enable an extension, create an entry for it in this section.
664 enable an extension, create an entry for it in this section.
665
665
666 If you know that the extension is already in Python's search path,
666 If you know that the extension is already in Python's search path,
667 you can give the name of the module, followed by ``=``, with nothing
667 you can give the name of the module, followed by ``=``, with nothing
668 after the ``=``.
668 after the ``=``.
669
669
670 Otherwise, give a name that you choose, followed by ``=``, followed by
670 Otherwise, give a name that you choose, followed by ``=``, followed by
671 the path to the ``.py`` file (including the file name extension) that
671 the path to the ``.py`` file (including the file name extension) that
672 defines the extension.
672 defines the extension.
673
673
674 To explicitly disable an extension that is enabled in an hgrc of
674 To explicitly disable an extension that is enabled in an hgrc of
675 broader scope, prepend its path with ``!``, as in ``foo = !/ext/path``
675 broader scope, prepend its path with ``!``, as in ``foo = !/ext/path``
676 or ``foo = !`` when path is not supplied.
676 or ``foo = !`` when path is not supplied.
677
677
678 Example for ``~/.hgrc``::
678 Example for ``~/.hgrc``::
679
679
680 [extensions]
680 [extensions]
681 # (the color extension will get loaded from Mercurial's path)
681 # (the color extension will get loaded from Mercurial's path)
682 color =
682 color =
683 # (this extension will get loaded from the file specified)
683 # (this extension will get loaded from the file specified)
684 myfeature = ~/.hgext/myfeature.py
684 myfeature = ~/.hgext/myfeature.py
685
685
686
686
687 ``format``
687 ``format``
688 ----------
688 ----------
689
689
690 ``usegeneraldelta``
690 ``usegeneraldelta``
691 Enable or disable the "generaldelta" repository format which improves
691 Enable or disable the "generaldelta" repository format which improves
692 repository compression by allowing "revlog" to store delta against arbitrary
692 repository compression by allowing "revlog" to store delta against arbitrary
693 revision instead of the previous stored one. This provides significant
693 revision instead of the previous stored one. This provides significant
694 improvement for repositories with branches.
694 improvement for repositories with branches.
695
695
696 Repositories with this on-disk format require Mercurial version 1.9.
696 Repositories with this on-disk format require Mercurial version 1.9.
697
697
698 Enabled by default.
698 Enabled by default.
699
699
700 ``dotencode``
700 ``dotencode``
701 Enable or disable the "dotencode" repository format which enhances
701 Enable or disable the "dotencode" repository format which enhances
702 the "fncache" repository format (which has to be enabled to use
702 the "fncache" repository format (which has to be enabled to use
703 dotencode) to avoid issues with filenames starting with ._ on
703 dotencode) to avoid issues with filenames starting with ._ on
704 Mac OS X and spaces on Windows.
704 Mac OS X and spaces on Windows.
705
705
706 Repositories with this on-disk format require Mercurial version 1.7.
706 Repositories with this on-disk format require Mercurial version 1.7.
707
707
708 Enabled by default.
708 Enabled by default.
709
709
710 ``usefncache``
710 ``usefncache``
711 Enable or disable the "fncache" repository format which enhances
711 Enable or disable the "fncache" repository format which enhances
712 the "store" repository format (which has to be enabled to use
712 the "store" repository format (which has to be enabled to use
713 fncache) to allow longer filenames and avoids using Windows
713 fncache) to allow longer filenames and avoids using Windows
714 reserved names, e.g. "nul".
714 reserved names, e.g. "nul".
715
715
716 Repositories with this on-disk format require Mercurial version 1.1.
716 Repositories with this on-disk format require Mercurial version 1.1.
717
717
718 Enabled by default.
718 Enabled by default.
719
719
720 ``usestore``
720 ``usestore``
721 Enable or disable the "store" repository format which improves
721 Enable or disable the "store" repository format which improves
722 compatibility with systems that fold case or otherwise mangle
722 compatibility with systems that fold case or otherwise mangle
723 filenames. Disabling this option will allow you to store longer filenames
723 filenames. Disabling this option will allow you to store longer filenames
724 in some situations at the expense of compatibility.
724 in some situations at the expense of compatibility.
725
725
726 Repositories with this on-disk format require Mercurial version 0.9.4.
726 Repositories with this on-disk format require Mercurial version 0.9.4.
727
727
728 Enabled by default.
728 Enabled by default.
729
729
730 ``graph``
730 ``graph``
731 ---------
731 ---------
732
732
733 Web graph view configuration. This section let you change graph
733 Web graph view configuration. This section let you change graph
734 elements display properties by branches, for instance to make the
734 elements display properties by branches, for instance to make the
735 ``default`` branch stand out.
735 ``default`` branch stand out.
736
736
737 Each line has the following format::
737 Each line has the following format::
738
738
739 <branch>.<argument> = <value>
739 <branch>.<argument> = <value>
740
740
741 where ``<branch>`` is the name of the branch being
741 where ``<branch>`` is the name of the branch being
742 customized. Example::
742 customized. Example::
743
743
744 [graph]
744 [graph]
745 # 2px width
745 # 2px width
746 default.width = 2
746 default.width = 2
747 # red color
747 # red color
748 default.color = FF0000
748 default.color = FF0000
749
749
750 Supported arguments:
750 Supported arguments:
751
751
752 ``width``
752 ``width``
753 Set branch edges width in pixels.
753 Set branch edges width in pixels.
754
754
755 ``color``
755 ``color``
756 Set branch edges color in hexadecimal RGB notation.
756 Set branch edges color in hexadecimal RGB notation.
757
757
758 ``hooks``
758 ``hooks``
759 ---------
759 ---------
760
760
761 Commands or Python functions that get automatically executed by
761 Commands or Python functions that get automatically executed by
762 various actions such as starting or finishing a commit. Multiple
762 various actions such as starting or finishing a commit. Multiple
763 hooks can be run for the same action by appending a suffix to the
763 hooks can be run for the same action by appending a suffix to the
764 action. Overriding a site-wide hook can be done by changing its
764 action. Overriding a site-wide hook can be done by changing its
765 value or setting it to an empty string. Hooks can be prioritized
765 value or setting it to an empty string. Hooks can be prioritized
766 by adding a prefix of ``priority.`` to the hook name on a new line
766 by adding a prefix of ``priority.`` to the hook name on a new line
767 and setting the priority. The default priority is 0.
767 and setting the priority. The default priority is 0.
768
768
769 Example ``.hg/hgrc``::
769 Example ``.hg/hgrc``::
770
770
771 [hooks]
771 [hooks]
772 # update working directory after adding changesets
772 # update working directory after adding changesets
773 changegroup.update = hg update
773 changegroup.update = hg update
774 # do not use the site-wide hook
774 # do not use the site-wide hook
775 incoming =
775 incoming =
776 incoming.email = /my/email/hook
776 incoming.email = /my/email/hook
777 incoming.autobuild = /my/build/hook
777 incoming.autobuild = /my/build/hook
778 # force autobuild hook to run before other incoming hooks
778 # force autobuild hook to run before other incoming hooks
779 priority.incoming.autobuild = 1
779 priority.incoming.autobuild = 1
780
780
781 Most hooks are run with environment variables set that give useful
781 Most hooks are run with environment variables set that give useful
782 additional information. For each hook below, the environment
782 additional information. For each hook below, the environment
783 variables it is passed are listed with names of the form ``$HG_foo``.
783 variables it is passed are listed with names of the form ``$HG_foo``.
784
784
785 ``changegroup``
785 ``changegroup``
786 Run after a changegroup has been added via push, pull or unbundle. ID of the
786 Run after a changegroup has been added via push, pull or unbundle. ID of the
787 first new changeset is in ``$HG_NODE`` and last in ``$HG_NODE_LAST``. URL
787 first new changeset is in ``$HG_NODE`` and last in ``$HG_NODE_LAST``. URL
788 from which changes came is in ``$HG_URL``.
788 from which changes came is in ``$HG_URL``.
789
789
790 ``commit``
790 ``commit``
791 Run after a changeset has been created in the local repository. ID
791 Run after a changeset has been created in the local repository. ID
792 of the newly created changeset is in ``$HG_NODE``. Parent changeset
792 of the newly created changeset is in ``$HG_NODE``. Parent changeset
793 IDs are in ``$HG_PARENT1`` and ``$HG_PARENT2``.
793 IDs are in ``$HG_PARENT1`` and ``$HG_PARENT2``.
794
794
795 ``incoming``
795 ``incoming``
796 Run after a changeset has been pulled, pushed, or unbundled into
796 Run after a changeset has been pulled, pushed, or unbundled into
797 the local repository. The ID of the newly arrived changeset is in
797 the local repository. The ID of the newly arrived changeset is in
798 ``$HG_NODE``. URL that was source of changes came is in ``$HG_URL``.
798 ``$HG_NODE``. URL that was source of changes came is in ``$HG_URL``.
799
799
800 ``outgoing``
800 ``outgoing``
801 Run after sending changes from local repository to another. ID of
801 Run after sending changes from local repository to another. ID of
802 first changeset sent is in ``$HG_NODE``. Source of operation is in
802 first changeset sent is in ``$HG_NODE``. Source of operation is in
803 ``$HG_SOURCE``; Also see :hg:`help config.hooks.preoutgoing` hook.
803 ``$HG_SOURCE``; Also see :hg:`help config.hooks.preoutgoing` hook.
804
804
805 ``post-<command>``
805 ``post-<command>``
806 Run after successful invocations of the associated command. The
806 Run after successful invocations of the associated command. The
807 contents of the command line are passed as ``$HG_ARGS`` and the result
807 contents of the command line are passed as ``$HG_ARGS`` and the result
808 code in ``$HG_RESULT``. Parsed command line arguments are passed as
808 code in ``$HG_RESULT``. Parsed command line arguments are passed as
809 ``$HG_PATS`` and ``$HG_OPTS``. These contain string representations of
809 ``$HG_PATS`` and ``$HG_OPTS``. These contain string representations of
810 the python data internally passed to <command>. ``$HG_OPTS`` is a
810 the python data internally passed to <command>. ``$HG_OPTS`` is a
811 dictionary of options (with unspecified options set to their defaults).
811 dictionary of options (with unspecified options set to their defaults).
812 ``$HG_PATS`` is a list of arguments. Hook failure is ignored.
812 ``$HG_PATS`` is a list of arguments. Hook failure is ignored.
813
813
814 ``fail-<command>``
814 ``fail-<command>``
815 Run after a failed invocation of an associated command. The contents
815 Run after a failed invocation of an associated command. The contents
816 of the command line are passed as ``$HG_ARGS``. Parsed command line
816 of the command line are passed as ``$HG_ARGS``. Parsed command line
817 arguments are passed as ``$HG_PATS`` and ``$HG_OPTS``. These contain
817 arguments are passed as ``$HG_PATS`` and ``$HG_OPTS``. These contain
818 string representations of the python data internally passed to
818 string representations of the python data internally passed to
819 <command>. ``$HG_OPTS`` is a dictionary of options (with unspecified
819 <command>. ``$HG_OPTS`` is a dictionary of options (with unspecified
820 options set to their defaults). ``$HG_PATS`` is a list of arguments.
820 options set to their defaults). ``$HG_PATS`` is a list of arguments.
821 Hook failure is ignored.
821 Hook failure is ignored.
822
822
823 ``pre-<command>``
823 ``pre-<command>``
824 Run before executing the associated command. The contents of the
824 Run before executing the associated command. The contents of the
825 command line are passed as ``$HG_ARGS``. Parsed command line arguments
825 command line are passed as ``$HG_ARGS``. Parsed command line arguments
826 are passed as ``$HG_PATS`` and ``$HG_OPTS``. These contain string
826 are passed as ``$HG_PATS`` and ``$HG_OPTS``. These contain string
827 representations of the data internally passed to <command>. ``$HG_OPTS``
827 representations of the data internally passed to <command>. ``$HG_OPTS``
828 is a dictionary of options (with unspecified options set to their
828 is a dictionary of options (with unspecified options set to their
829 defaults). ``$HG_PATS`` is a list of arguments. If the hook returns
829 defaults). ``$HG_PATS`` is a list of arguments. If the hook returns
830 failure, the command doesn't execute and Mercurial returns the failure
830 failure, the command doesn't execute and Mercurial returns the failure
831 code.
831 code.
832
832
833 ``prechangegroup``
833 ``prechangegroup``
834 Run before a changegroup is added via push, pull or unbundle. Exit
834 Run before a changegroup is added via push, pull or unbundle. Exit
835 status 0 allows the changegroup to proceed. Non-zero status will
835 status 0 allows the changegroup to proceed. Non-zero status will
836 cause the push, pull or unbundle to fail. URL from which changes
836 cause the push, pull or unbundle to fail. URL from which changes
837 will come is in ``$HG_URL``.
837 will come is in ``$HG_URL``.
838
838
839 ``precommit``
839 ``precommit``
840 Run before starting a local commit. Exit status 0 allows the
840 Run before starting a local commit. Exit status 0 allows the
841 commit to proceed. Non-zero status will cause the commit to fail.
841 commit to proceed. Non-zero status will cause the commit to fail.
842 Parent changeset IDs are in ``$HG_PARENT1`` and ``$HG_PARENT2``.
842 Parent changeset IDs are in ``$HG_PARENT1`` and ``$HG_PARENT2``.
843
843
844 ``prelistkeys``
844 ``prelistkeys``
845 Run before listing pushkeys (like bookmarks) in the
845 Run before listing pushkeys (like bookmarks) in the
846 repository. Non-zero status will cause failure. The key namespace is
846 repository. Non-zero status will cause failure. The key namespace is
847 in ``$HG_NAMESPACE``.
847 in ``$HG_NAMESPACE``.
848
848
849 ``preoutgoing``
849 ``preoutgoing``
850 Run before collecting changes to send from the local repository to
850 Run before collecting changes to send from the local repository to
851 another. Non-zero status will cause failure. This lets you prevent
851 another. Non-zero status will cause failure. This lets you prevent
852 pull over HTTP or SSH. Also prevents against local pull, push
852 pull over HTTP or SSH. Also prevents against local pull, push
853 (outbound) or bundle commands, but not effective, since you can
853 (outbound) or bundle commands, but not effective, since you can
854 just copy files instead then. Source of operation is in
854 just copy files instead then. Source of operation is in
855 ``$HG_SOURCE``. If "serve", operation is happening on behalf of remote
855 ``$HG_SOURCE``. If "serve", operation is happening on behalf of remote
856 SSH or HTTP repository. If "push", "pull" or "bundle", operation
856 SSH or HTTP repository. If "push", "pull" or "bundle", operation
857 is happening on behalf of repository on same system.
857 is happening on behalf of repository on same system.
858
858
859 ``prepushkey``
859 ``prepushkey``
860 Run before a pushkey (like a bookmark) is added to the
860 Run before a pushkey (like a bookmark) is added to the
861 repository. Non-zero status will cause the key to be rejected. The
861 repository. Non-zero status will cause the key to be rejected. The
862 key namespace is in ``$HG_NAMESPACE``, the key is in ``$HG_KEY``,
862 key namespace is in ``$HG_NAMESPACE``, the key is in ``$HG_KEY``,
863 the old value (if any) is in ``$HG_OLD``, and the new value is in
863 the old value (if any) is in ``$HG_OLD``, and the new value is in
864 ``$HG_NEW``.
864 ``$HG_NEW``.
865
865
866 ``pretag``
866 ``pretag``
867 Run before creating a tag. Exit status 0 allows the tag to be
867 Run before creating a tag. Exit status 0 allows the tag to be
868 created. Non-zero status will cause the tag to fail. ID of
868 created. Non-zero status will cause the tag to fail. ID of
869 changeset to tag is in ``$HG_NODE``. Name of tag is in ``$HG_TAG``. Tag is
869 changeset to tag is in ``$HG_NODE``. Name of tag is in ``$HG_TAG``. Tag is
870 local if ``$HG_LOCAL=1``, in repository if ``$HG_LOCAL=0``.
870 local if ``$HG_LOCAL=1``, in repository if ``$HG_LOCAL=0``.
871
871
872 ``pretxnopen``
872 ``pretxnopen``
873 Run before any new repository transaction is open. The reason for the
873 Run before any new repository transaction is open. The reason for the
874 transaction will be in ``$HG_TXNNAME`` and a unique identifier for the
874 transaction will be in ``$HG_TXNNAME`` and a unique identifier for the
875 transaction will be in ``HG_TXNID``. A non-zero status will prevent the
875 transaction will be in ``HG_TXNID``. A non-zero status will prevent the
876 transaction from being opened.
876 transaction from being opened.
877
877
878 ``pretxnclose``
878 ``pretxnclose``
879 Run right before the transaction is actually finalized. Any repository change
879 Run right before the transaction is actually finalized. Any repository change
880 will be visible to the hook program. This lets you validate the transaction
880 will be visible to the hook program. This lets you validate the transaction
881 content or change it. Exit status 0 allows the commit to proceed. Non-zero
881 content or change it. Exit status 0 allows the commit to proceed. Non-zero
882 status will cause the transaction to be rolled back. The reason for the
882 status will cause the transaction to be rolled back. The reason for the
883 transaction opening will be in ``$HG_TXNNAME`` and a unique identifier for
883 transaction opening will be in ``$HG_TXNNAME`` and a unique identifier for
884 the transaction will be in ``HG_TXNID``. The rest of the available data will
884 the transaction will be in ``HG_TXNID``. The rest of the available data will
885 vary according the transaction type. New changesets will add ``$HG_NODE`` (id
885 vary according the transaction type. New changesets will add ``$HG_NODE`` (id
886 of the first added changeset), ``$HG_NODE_LAST`` (id of the last added
886 of the first added changeset), ``$HG_NODE_LAST`` (id of the last added
887 changeset), ``$HG_URL`` and ``$HG_SOURCE`` variables, bookmarks and phases
887 changeset), ``$HG_URL`` and ``$HG_SOURCE`` variables, bookmarks and phases
888 changes will set ``HG_BOOKMARK_MOVED`` and ``HG_PHASES_MOVED`` to ``1``, etc.
888 changes will set ``HG_BOOKMARK_MOVED`` and ``HG_PHASES_MOVED`` to ``1``, etc.
889
889
890 ``txnclose``
890 ``txnclose``
891 Run after any repository transaction has been committed. At this
891 Run after any repository transaction has been committed. At this
892 point, the transaction can no longer be rolled back. The hook will run
892 point, the transaction can no longer be rolled back. The hook will run
893 after the lock is released. See :hg:`help config.hooks.pretxnclose` docs for
893 after the lock is released. See :hg:`help config.hooks.pretxnclose` docs for
894 details about available variables.
894 details about available variables.
895
895
896 ``txnabort``
896 ``txnabort``
897 Run when a transaction is aborted. See :hg:`help config.hooks.pretxnclose`
897 Run when a transaction is aborted. See :hg:`help config.hooks.pretxnclose`
898 docs for details about available variables.
898 docs for details about available variables.
899
899
900 ``pretxnchangegroup``
900 ``pretxnchangegroup``
901 Run after a changegroup has been added via push, pull or unbundle, but before
901 Run after a changegroup has been added via push, pull or unbundle, but before
902 the transaction has been committed. Changegroup is visible to hook program.
902 the transaction has been committed. Changegroup is visible to hook program.
903 This lets you validate incoming changes before accepting them. Passed the ID
903 This lets you validate incoming changes before accepting them. Passed the ID
904 of the first new changeset in ``$HG_NODE`` and last in ``$HG_NODE_LAST``.
904 of the first new changeset in ``$HG_NODE`` and last in ``$HG_NODE_LAST``.
905 Exit status 0 allows the transaction to commit. Non-zero status will cause
905 Exit status 0 allows the transaction to commit. Non-zero status will cause
906 the transaction to be rolled back and the push, pull or unbundle will fail.
906 the transaction to be rolled back and the push, pull or unbundle will fail.
907 URL that was source of changes is in ``$HG_URL``.
907 URL that was source of changes is in ``$HG_URL``.
908
908
909 ``pretxncommit``
909 ``pretxncommit``
910 Run after a changeset has been created but the transaction not yet
910 Run after a changeset has been created but the transaction not yet
911 committed. Changeset is visible to hook program. This lets you
911 committed. Changeset is visible to hook program. This lets you
912 validate commit message and changes. Exit status 0 allows the
912 validate commit message and changes. Exit status 0 allows the
913 commit to proceed. Non-zero status will cause the transaction to
913 commit to proceed. Non-zero status will cause the transaction to
914 be rolled back. ID of changeset is in ``$HG_NODE``. Parent changeset
914 be rolled back. ID of changeset is in ``$HG_NODE``. Parent changeset
915 IDs are in ``$HG_PARENT1`` and ``$HG_PARENT2``.
915 IDs are in ``$HG_PARENT1`` and ``$HG_PARENT2``.
916
916
917 ``preupdate``
917 ``preupdate``
918 Run before updating the working directory. Exit status 0 allows
918 Run before updating the working directory. Exit status 0 allows
919 the update to proceed. Non-zero status will prevent the update.
919 the update to proceed. Non-zero status will prevent the update.
920 Changeset ID of first new parent is in ``$HG_PARENT1``. If merge, ID
920 Changeset ID of first new parent is in ``$HG_PARENT1``. If merge, ID
921 of second new parent is in ``$HG_PARENT2``.
921 of second new parent is in ``$HG_PARENT2``.
922
922
923 ``listkeys``
923 ``listkeys``
924 Run after listing pushkeys (like bookmarks) in the repository. The
924 Run after listing pushkeys (like bookmarks) in the repository. The
925 key namespace is in ``$HG_NAMESPACE``. ``$HG_VALUES`` is a
925 key namespace is in ``$HG_NAMESPACE``. ``$HG_VALUES`` is a
926 dictionary containing the keys and values.
926 dictionary containing the keys and values.
927
927
928 ``pushkey``
928 ``pushkey``
929 Run after a pushkey (like a bookmark) is added to the
929 Run after a pushkey (like a bookmark) is added to the
930 repository. The key namespace is in ``$HG_NAMESPACE``, the key is in
930 repository. The key namespace is in ``$HG_NAMESPACE``, the key is in
931 ``$HG_KEY``, the old value (if any) is in ``$HG_OLD``, and the new
931 ``$HG_KEY``, the old value (if any) is in ``$HG_OLD``, and the new
932 value is in ``$HG_NEW``.
932 value is in ``$HG_NEW``.
933
933
934 ``tag``
934 ``tag``
935 Run after a tag is created. ID of tagged changeset is in ``$HG_NODE``.
935 Run after a tag is created. ID of tagged changeset is in ``$HG_NODE``.
936 Name of tag is in ``$HG_TAG``. Tag is local if ``$HG_LOCAL=1``, in
936 Name of tag is in ``$HG_TAG``. Tag is local if ``$HG_LOCAL=1``, in
937 repository if ``$HG_LOCAL=0``.
937 repository if ``$HG_LOCAL=0``.
938
938
939 ``update``
939 ``update``
940 Run after updating the working directory. Changeset ID of first
940 Run after updating the working directory. Changeset ID of first
941 new parent is in ``$HG_PARENT1``. If merge, ID of second new parent is
941 new parent is in ``$HG_PARENT1``. If merge, ID of second new parent is
942 in ``$HG_PARENT2``. If the update succeeded, ``$HG_ERROR=0``. If the
942 in ``$HG_PARENT2``. If the update succeeded, ``$HG_ERROR=0``. If the
943 update failed (e.g. because conflicts not resolved), ``$HG_ERROR=1``.
943 update failed (e.g. because conflicts not resolved), ``$HG_ERROR=1``.
944
944
945 .. note::
945 .. note::
946
946
947 It is generally better to use standard hooks rather than the
947 It is generally better to use standard hooks rather than the
948 generic pre- and post- command hooks as they are guaranteed to be
948 generic pre- and post- command hooks as they are guaranteed to be
949 called in the appropriate contexts for influencing transactions.
949 called in the appropriate contexts for influencing transactions.
950 Also, hooks like "commit" will be called in all contexts that
950 Also, hooks like "commit" will be called in all contexts that
951 generate a commit (e.g. tag) and not just the commit command.
951 generate a commit (e.g. tag) and not just the commit command.
952
952
953 .. note::
953 .. note::
954
954
955 Environment variables with empty values may not be passed to
955 Environment variables with empty values may not be passed to
956 hooks on platforms such as Windows. As an example, ``$HG_PARENT2``
956 hooks on platforms such as Windows. As an example, ``$HG_PARENT2``
957 will have an empty value under Unix-like platforms for non-merge
957 will have an empty value under Unix-like platforms for non-merge
958 changesets, while it will not be available at all under Windows.
958 changesets, while it will not be available at all under Windows.
959
959
960 The syntax for Python hooks is as follows::
960 The syntax for Python hooks is as follows::
961
961
962 hookname = python:modulename.submodule.callable
962 hookname = python:modulename.submodule.callable
963 hookname = python:/path/to/python/module.py:callable
963 hookname = python:/path/to/python/module.py:callable
964
964
965 Python hooks are run within the Mercurial process. Each hook is
965 Python hooks are run within the Mercurial process. Each hook is
966 called with at least three keyword arguments: a ui object (keyword
966 called with at least three keyword arguments: a ui object (keyword
967 ``ui``), a repository object (keyword ``repo``), and a ``hooktype``
967 ``ui``), a repository object (keyword ``repo``), and a ``hooktype``
968 keyword that tells what kind of hook is used. Arguments listed as
968 keyword that tells what kind of hook is used. Arguments listed as
969 environment variables above are passed as keyword arguments, with no
969 environment variables above are passed as keyword arguments, with no
970 ``HG_`` prefix, and names in lower case.
970 ``HG_`` prefix, and names in lower case.
971
971
972 If a Python hook returns a "true" value or raises an exception, this
972 If a Python hook returns a "true" value or raises an exception, this
973 is treated as a failure.
973 is treated as a failure.
974
974
975
975
976 ``hostfingerprints``
976 ``hostfingerprints``
977 --------------------
977 --------------------
978
978
979 (Deprecated. Use ``[hostsecurity]``'s ``fingerprints`` options instead.)
980
979 Fingerprints of the certificates of known HTTPS servers.
981 Fingerprints of the certificates of known HTTPS servers.
980
982
981 A HTTPS connection to a server with a fingerprint configured here will
983 A HTTPS connection to a server with a fingerprint configured here will
982 only succeed if the servers certificate matches the fingerprint.
984 only succeed if the servers certificate matches the fingerprint.
983 This is very similar to how ssh known hosts works.
985 This is very similar to how ssh known hosts works.
984
986
985 The fingerprint is the SHA-1 hash value of the DER encoded certificate.
987 The fingerprint is the SHA-1 hash value of the DER encoded certificate.
986 Multiple values can be specified (separated by spaces or commas). This can
988 Multiple values can be specified (separated by spaces or commas). This can
987 be used to define both old and new fingerprints while a host transitions
989 be used to define both old and new fingerprints while a host transitions
988 to a new certificate.
990 to a new certificate.
989
991
990 The CA chain and web.cacerts is not used for servers with a fingerprint.
992 The CA chain and web.cacerts is not used for servers with a fingerprint.
991
993
992 For example::
994 For example::
993
995
994 [hostfingerprints]
996 [hostfingerprints]
995 hg.intevation.de = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
997 hg.intevation.de = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
996 hg.intevation.org = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
998 hg.intevation.org = fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
997
999
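Review bot: the deprecation notice added at new line 979 sends readers to ``[hostsecurity]`` but gives no migration hint, while the unchanged text below it still describes the fingerprint only as a SHA-1 hash. Suggest one sentence showing the equivalent entry: an existing ``host = <fingerprint>`` value becomes ``host:fingerprints = sha1:<fingerprint>``, which is what the new example for ``hg2.example.com`` does with the same digest. It could also recommend switching to a ``sha256`` or ``sha512`` value when the entry is rewritten, since the new section says those are preferred. Minor wording: ``fingerprints`` is a single per-host setting, so "option" reads better than "options".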
1000 ``hostsecurity``
1001 ----------------
1002
1003 Used to specify per-host security settings.
1004
1005 Options in this section have the form ``hostname``:``setting``. This allows
1006 multiple settings to be defined on a per-host basis.
1007
1008 The following per-host settings can be defined.
1009
1010 ``fingerprints``
1011 A list of hashes of the DER encoded peer/remote certificate. Values have
1012 the form ``algorithm``:``fingerprint``. e.g.
1013 ``sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2``.
1014
1015 The following algorithms/prefixes are supported: ``sha1``, ``sha256``,
1016 ``sha512``.
1017
1018 Use of ``sha256`` or ``sha512`` is preferred.
1019
1020 If a fingerprint is specified, the CA chain is not validated for this
1021 host and Mercurial will require the remote certificate to match one
1022 of the fingerprints specified. This means if the server updates its
1023 certificate, Mercurial will abort until a new fingerprint is defined.
1024 This can provide stronger security than traditional CA-based validation
1025 at the expense of convenience.
1026
1027 For example::
1028
1029 [hostsecurity]
1030 hg.example.com:fingerprints = sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2
1031 hg2.example.com:fingerprints = sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:fc:e2:8d:d9:51:cd:cb:c1:4d:18:6b:b7:44:8d:49:72:57:e6:cd:33
1032
998 ``http_proxy``
1033 ``http_proxy``
999 --------------
1034 --------------
1000
1035
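Review bot: the ``fingerprints`` description at new lines 1011-1013 gives the value form as ``algorithm``:``fingerprint`` with a plain hex digest, but the example at new line 1031 also uses a digest written with colons between bytes and a comma-separated list, and the text says neither is accepted. Suggest stating both explicitly, the way the ``hostfingerprints`` text does with "separated by spaces or commas". The paragraph at new lines 1020-1025 should also say what happens when a host has entries in both ``[hostfingerprints]`` and ``[hostsecurity]``, and whether pinning skips only CA chain validation or other certificate checks as well, since only the CA chain is mentioned. Finally, ``sha1`` is listed as supported next to "Use of ``sha256`` or ``sha512`` is preferred" with no reason given; a short clause saying it is kept for compatibility with existing ``[hostfingerprints]`` values would make the preference actionable.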
1001 Used to access web-based Mercurial repositories through a HTTP
1036 Used to access web-based Mercurial repositories through a HTTP
1002 proxy.
1037 proxy.
1003
1038
1004 ``host``
1039 ``host``
1005 Host name and (optional) port of the proxy server, for example
1040 Host name and (optional) port of the proxy server, for example
1006 "myproxy:8000".
1041 "myproxy:8000".
1007
1042
1008 ``no``
1043 ``no``
1009 Optional. Comma-separated list of host names that should bypass
1044 Optional. Comma-separated list of host names that should bypass
1010 the proxy.
1045 the proxy.
1011
1046
1012 ``passwd``
1047 ``passwd``
1013 Optional. Password to authenticate with at the proxy server.
1048 Optional. Password to authenticate with at the proxy server.
1014
1049
1015 ``user``
1050 ``user``
1016 Optional. User name to authenticate with at the proxy server.
1051 Optional. User name to authenticate with at the proxy server.
1017
1052
1018 ``always``
1053 ``always``
1019 Optional. Always use the proxy, even for localhost and any entries
1054 Optional. Always use the proxy, even for localhost and any entries
1020 in ``http_proxy.no``. (default: False)
1055 in ``http_proxy.no``. (default: False)
1021
1056
1022 ``merge``
1057 ``merge``
1023 ---------
1058 ---------
1024
1059
1025 This section specifies behavior during merges and updates.
1060 This section specifies behavior during merges and updates.
1026
1061
1027 ``checkignored``
1062 ``checkignored``
1028 Controls behavior when an ignored file on disk has the same name as a tracked
1063 Controls behavior when an ignored file on disk has the same name as a tracked
1029 file in the changeset being merged or updated to, and has different
1064 file in the changeset being merged or updated to, and has different
1030 contents. Options are ``abort``, ``warn`` and ``ignore``. With ``abort``,
1065 contents. Options are ``abort``, ``warn`` and ``ignore``. With ``abort``,
1031 abort on such files. With ``warn``, warn on such files and back them up as
1066 abort on such files. With ``warn``, warn on such files and back them up as
1032 ``.orig``. With ``ignore``, don't print a warning and back them up as
1067 ``.orig``. With ``ignore``, don't print a warning and back them up as
1033 ``.orig``. (default: ``abort``)
1068 ``.orig``. (default: ``abort``)
1034
1069
1035 ``checkunknown``
1070 ``checkunknown``
1036 Controls behavior when an unknown file that isn't ignored has the same name
1071 Controls behavior when an unknown file that isn't ignored has the same name
1037 as a tracked file in the changeset being merged or updated to, and has
1072 as a tracked file in the changeset being merged or updated to, and has
1038 different contents. Similar to ``merge.checkignored``, except for files that
1073 different contents. Similar to ``merge.checkignored``, except for files that
1039 are not ignored. (default: ``abort``)
1074 are not ignored. (default: ``abort``)
1040
1075
1041 ``merge-patterns``
1076 ``merge-patterns``
1042 ------------------
1077 ------------------
1043
1078
1044 This section specifies merge tools to associate with particular file
1079 This section specifies merge tools to associate with particular file
1045 patterns. Tools matched here will take precedence over the default
1080 patterns. Tools matched here will take precedence over the default
1046 merge tool. Patterns are globs by default, rooted at the repository
1081 merge tool. Patterns are globs by default, rooted at the repository
1047 root.
1082 root.
1048
1083
1049 Example::
1084 Example::
1050
1085
1051 [merge-patterns]
1086 [merge-patterns]
1052 **.c = kdiff3
1087 **.c = kdiff3
1053 **.jpg = myimgmerge
1088 **.jpg = myimgmerge
1054
1089
1055 ``merge-tools``
1090 ``merge-tools``
1056 ---------------
1091 ---------------
1057
1092
1058 This section configures external merge tools to use for file-level
1093 This section configures external merge tools to use for file-level
1059 merges. This section has likely been preconfigured at install time.
1094 merges. This section has likely been preconfigured at install time.
1060 Use :hg:`config merge-tools` to check the existing configuration.
1095 Use :hg:`config merge-tools` to check the existing configuration.
1061 Also see :hg:`help merge-tools` for more details.
1096 Also see :hg:`help merge-tools` for more details.
1062
1097
1063 Example ``~/.hgrc``::
1098 Example ``~/.hgrc``::
1064
1099
1065 [merge-tools]
1100 [merge-tools]
1066 # Override stock tool location
1101 # Override stock tool location
1067 kdiff3.executable = ~/bin/kdiff3
1102 kdiff3.executable = ~/bin/kdiff3
1068 # Specify command line
1103 # Specify command line
1069 kdiff3.args = $base $local $other -o $output
1104 kdiff3.args = $base $local $other -o $output
1070 # Give higher priority
1105 # Give higher priority
1071 kdiff3.priority = 1
1106 kdiff3.priority = 1
1072
1107
1073 # Changing the priority of preconfigured tool
1108 # Changing the priority of preconfigured tool
1074 meld.priority = 0
1109 meld.priority = 0
1075
1110
1076 # Disable a preconfigured tool
1111 # Disable a preconfigured tool
1077 vimdiff.disabled = yes
1112 vimdiff.disabled = yes
1078
1113
1079 # Define new tool
1114 # Define new tool
1080 myHtmlTool.args = -m $local $other $base $output
1115 myHtmlTool.args = -m $local $other $base $output
1081 myHtmlTool.regkey = Software\FooSoftware\HtmlMerge
1116 myHtmlTool.regkey = Software\FooSoftware\HtmlMerge
1082 myHtmlTool.priority = 1
1117 myHtmlTool.priority = 1
1083
1118
1084 Supported arguments:
1119 Supported arguments:
1085
1120
1086 ``priority``
1121 ``priority``
1087 The priority in which to evaluate this tool.
1122 The priority in which to evaluate this tool.
1088 (default: 0)
1123 (default: 0)
1089
1124
1090 ``executable``
1125 ``executable``
1091 Either just the name of the executable or its pathname.
1126 Either just the name of the executable or its pathname.
1092
1127
1093 .. container:: windows
1128 .. container:: windows
1094
1129
1095 On Windows, the path can use environment variables with ${ProgramFiles}
1130 On Windows, the path can use environment variables with ${ProgramFiles}
1096 syntax.
1131 syntax.
1097
1132
1098 (default: the tool name)
1133 (default: the tool name)
1099
1134
1100 ``args``
1135 ``args``
1101 The arguments to pass to the tool executable. You can refer to the
1136 The arguments to pass to the tool executable. You can refer to the
1102 files being merged as well as the output file through these
1137 files being merged as well as the output file through these
1103 variables: ``$base``, ``$local``, ``$other``, ``$output``. The meaning
1138 variables: ``$base``, ``$local``, ``$other``, ``$output``. The meaning
1104 of ``$local`` and ``$other`` can vary depending on which action is being
1139 of ``$local`` and ``$other`` can vary depending on which action is being
1105 performed. During and update or merge, ``$local`` represents the original
1140 performed. During and update or merge, ``$local`` represents the original
1106 state of the file, while ``$other`` represents the commit you are updating
1141 state of the file, while ``$other`` represents the commit you are updating
1107 to or the commit you are merging with. During a rebase ``$local``
1142 to or the commit you are merging with. During a rebase ``$local``
1108 represents the destination of the rebase, and ``$other`` represents the
1143 represents the destination of the rebase, and ``$other`` represents the
1109 commit being rebased.
1144 commit being rebased.
1110 (default: ``$local $base $other``)
1145 (default: ``$local $base $other``)
1111
1146
1112 ``premerge``
1147 ``premerge``
1113 Attempt to run internal non-interactive 3-way merge tool before
1148 Attempt to run internal non-interactive 3-way merge tool before
1114 launching external tool. Options are ``true``, ``false``, ``keep`` or
1149 launching external tool. Options are ``true``, ``false``, ``keep`` or
1115 ``keep-merge3``. The ``keep`` option will leave markers in the file if the
1150 ``keep-merge3``. The ``keep`` option will leave markers in the file if the
1116 premerge fails. The ``keep-merge3`` will do the same but include information
1151 premerge fails. The ``keep-merge3`` will do the same but include information
1117 about the base of the merge in the marker (see internal :merge3 in
1152 about the base of the merge in the marker (see internal :merge3 in
1118 :hg:`help merge-tools`).
1153 :hg:`help merge-tools`).
1119 (default: True)
1154 (default: True)
1120
1155
1121 ``binary``
1156 ``binary``
1122 This tool can merge binary files. (default: False, unless tool
1157 This tool can merge binary files. (default: False, unless tool
1123 was selected by file pattern match)
1158 was selected by file pattern match)
1124
1159
1125 ``symlink``
1160 ``symlink``
1126 This tool can merge symlinks. (default: False)
1161 This tool can merge symlinks. (default: False)
1127
1162
1128 ``check``
1163 ``check``
1129 A list of merge success-checking options:
1164 A list of merge success-checking options:
1130
1165
1131 ``changed``
1166 ``changed``
1132 Ask whether merge was successful when the merged file shows no changes.
1167 Ask whether merge was successful when the merged file shows no changes.
1133 ``conflicts``
1168 ``conflicts``
1134 Check whether there are conflicts even though the tool reported success.
1169 Check whether there are conflicts even though the tool reported success.
1135 ``prompt``
1170 ``prompt``
1136 Always prompt for merge success, regardless of success reported by tool.
1171 Always prompt for merge success, regardless of success reported by tool.
1137
1172
1138 ``fixeol``
1173 ``fixeol``
1139 Attempt to fix up EOL changes caused by the merge tool.
1174 Attempt to fix up EOL changes caused by the merge tool.
1140 (default: False)
1175 (default: False)
1141
1176
1142 ``gui``
1177 ``gui``
1143 This tool requires a graphical interface to run. (default: False)
1178 This tool requires a graphical interface to run. (default: False)
1144
1179
1145 .. container:: windows
1180 .. container:: windows
1146
1181
1147 ``regkey``
1182 ``regkey``
1148 Windows registry key which describes install location of this
1183 Windows registry key which describes install location of this
1149 tool. Mercurial will search for this key first under
1184 tool. Mercurial will search for this key first under
1150 ``HKEY_CURRENT_USER`` and then under ``HKEY_LOCAL_MACHINE``.
1185 ``HKEY_CURRENT_USER`` and then under ``HKEY_LOCAL_MACHINE``.
1151 (default: None)
1186 (default: None)
1152
1187
1153 ``regkeyalt``
1188 ``regkeyalt``
1154 An alternate Windows registry key to try if the first key is not
1189 An alternate Windows registry key to try if the first key is not
1155 found. The alternate key uses the same ``regname`` and ``regappend``
1190 found. The alternate key uses the same ``regname`` and ``regappend``
1156 semantics of the primary key. The most common use for this key
1191 semantics of the primary key. The most common use for this key
1157 is to search for 32bit applications on 64bit operating systems.
1192 is to search for 32bit applications on 64bit operating systems.
1158 (default: None)
1193 (default: None)
1159
1194
1160 ``regname``
1195 ``regname``
1161 Name of value to read from specified registry key.
1196 Name of value to read from specified registry key.
1162 (default: the unnamed (default) value)
1197 (default: the unnamed (default) value)
1163
1198
1164 ``regappend``
1199 ``regappend``
1165 String to append to the value read from the registry, typically
1200 String to append to the value read from the registry, typically
1166 the executable name of the tool.
1201 the executable name of the tool.
1167 (default: None)
1202 (default: None)
1168
1203
1169
1204
1170 ``patch``
1205 ``patch``
1171 ---------
1206 ---------
1172
1207
1173 Settings used when applying patches, for instance through the 'import'
1208 Settings used when applying patches, for instance through the 'import'
1174 command or with Mercurial Queues extension.
1209 command or with Mercurial Queues extension.
1175
1210
1176 ``eol``
1211 ``eol``
1177 When set to 'strict' patch content and patched files end of lines
1212 When set to 'strict' patch content and patched files end of lines
1178 are preserved. When set to ``lf`` or ``crlf``, both files end of
1213 are preserved. When set to ``lf`` or ``crlf``, both files end of
1179 lines are ignored when patching and the result line endings are
1214 lines are ignored when patching and the result line endings are
1180 normalized to either LF (Unix) or CRLF (Windows). When set to
1215 normalized to either LF (Unix) or CRLF (Windows). When set to
1181 ``auto``, end of lines are again ignored while patching but line
1216 ``auto``, end of lines are again ignored while patching but line
1182 endings in patched files are normalized to their original setting
1217 endings in patched files are normalized to their original setting
1183 on a per-file basis. If target file does not exist or has no end
1218 on a per-file basis. If target file does not exist or has no end
1184 of line, patch line endings are preserved.
1219 of line, patch line endings are preserved.
1185 (default: strict)
1220 (default: strict)
1186
1221
1187 ``fuzz``
1222 ``fuzz``
1188 The number of lines of 'fuzz' to allow when applying patches. This
1223 The number of lines of 'fuzz' to allow when applying patches. This
1189 controls how much context the patcher is allowed to ignore when
1224 controls how much context the patcher is allowed to ignore when
1190 trying to apply a patch.
1225 trying to apply a patch.
1191 (default: 2)
1226 (default: 2)
1192
1227
1193 ``paths``
1228 ``paths``
1194 ---------
1229 ---------
1195
1230
1196 Assigns symbolic names and behavior to repositories.
1231 Assigns symbolic names and behavior to repositories.
1197
1232
1198 Options are symbolic names defining the URL or directory that is the
1233 Options are symbolic names defining the URL or directory that is the
1199 location of the repository. Example::
1234 location of the repository. Example::
1200
1235
1201 [paths]
1236 [paths]
1202 my_server = https://example.com/my_repo
1237 my_server = https://example.com/my_repo
1203 local_path = /home/me/repo
1238 local_path = /home/me/repo
1204
1239
1205 These symbolic names can be used from the command line. To pull
1240 These symbolic names can be used from the command line. To pull
1206 from ``my_server``: :hg:`pull my_server`. To push to ``local_path``:
1241 from ``my_server``: :hg:`pull my_server`. To push to ``local_path``:
1207 :hg:`push local_path`.
1242 :hg:`push local_path`.
1208
1243
1209 Options containing colons (``:``) denote sub-options that can influence
1244 Options containing colons (``:``) denote sub-options that can influence
1210 behavior for that specific path. Example::
1245 behavior for that specific path. Example::
1211
1246
1212 [paths]
1247 [paths]
1213 my_server = https://example.com/my_path
1248 my_server = https://example.com/my_path
1214 my_server:pushurl = ssh://example.com/my_path
1249 my_server:pushurl = ssh://example.com/my_path
1215
1250
1216 The following sub-options can be defined:
1251 The following sub-options can be defined:
1217
1252
1218 ``pushurl``
1253 ``pushurl``
1219 The URL to use for push operations. If not defined, the location
1254 The URL to use for push operations. If not defined, the location
1220 defined by the path's main entry is used.
1255 defined by the path's main entry is used.
1221
1256
1222 The following special named paths exist:
1257 The following special named paths exist:
1223
1258
1224 ``default``
1259 ``default``
1225 The URL or directory to use when no source or remote is specified.
1260 The URL or directory to use when no source or remote is specified.
1226
1261
1227 :hg:`clone` will automatically define this path to the location the
1262 :hg:`clone` will automatically define this path to the location the
1228 repository was cloned from.
1263 repository was cloned from.
1229
1264
1230 ``default-push``
1265 ``default-push``
1231 (deprecated) The URL or directory for the default :hg:`push` location.
1266 (deprecated) The URL or directory for the default :hg:`push` location.
1232 ``default:pushurl`` should be used instead.
1267 ``default:pushurl`` should be used instead.
1233
1268
1234 ``phases``
1269 ``phases``
1235 ----------
1270 ----------
1236
1271
1237 Specifies default handling of phases. See :hg:`help phases` for more
1272 Specifies default handling of phases. See :hg:`help phases` for more
1238 information about working with phases.
1273 information about working with phases.
1239
1274
1240 ``publish``
1275 ``publish``
1241 Controls draft phase behavior when working as a server. When true,
1276 Controls draft phase behavior when working as a server. When true,
1242 pushed changesets are set to public in both client and server and
1277 pushed changesets are set to public in both client and server and
1243 pulled or cloned changesets are set to public in the client.
1278 pulled or cloned changesets are set to public in the client.
1244 (default: True)
1279 (default: True)
1245
1280
1246 ``new-commit``
1281 ``new-commit``
1247 Phase of newly-created commits.
1282 Phase of newly-created commits.
1248 (default: draft)
1283 (default: draft)
1249
1284
1250 ``checksubrepos``
1285 ``checksubrepos``
1251 Check the phase of the current revision of each subrepository. Allowed
1286 Check the phase of the current revision of each subrepository. Allowed
1252 values are "ignore", "follow" and "abort". For settings other than
1287 values are "ignore", "follow" and "abort". For settings other than
1253 "ignore", the phase of the current revision of each subrepository is
1288 "ignore", the phase of the current revision of each subrepository is
1254 checked before committing the parent repository. If any of those phases is
1289 checked before committing the parent repository. If any of those phases is
1255 greater than the phase of the parent repository (e.g. if a subrepo is in a
1290 greater than the phase of the parent repository (e.g. if a subrepo is in a
1256 "secret" phase while the parent repo is in "draft" phase), the commit is
1291 "secret" phase while the parent repo is in "draft" phase), the commit is
1257 either aborted (if checksubrepos is set to "abort") or the higher phase is
1292 either aborted (if checksubrepos is set to "abort") or the higher phase is
1258 used for the parent repository commit (if set to "follow").
1293 used for the parent repository commit (if set to "follow").
1259 (default: follow)
1294 (default: follow)
1260
1295
1261
1296
1262 ``profiling``
1297 ``profiling``
1263 -------------
1298 -------------
1264
1299
1265 Specifies profiling type, format, and file output. Two profilers are
1300 Specifies profiling type, format, and file output. Two profilers are
1266 supported: an instrumenting profiler (named ``ls``), and a sampling
1301 supported: an instrumenting profiler (named ``ls``), and a sampling
1267 profiler (named ``stat``).
1302 profiler (named ``stat``).
1268
1303
1269 In this section description, 'profiling data' stands for the raw data
1304 In this section description, 'profiling data' stands for the raw data
1270 collected during profiling, while 'profiling report' stands for a
1305 collected during profiling, while 'profiling report' stands for a
1271 statistical text report generated from the profiling data. The
1306 statistical text report generated from the profiling data. The
1272 profiling is done using lsprof.
1307 profiling is done using lsprof.
1273
1308
1274 ``type``
1309 ``type``
1275 The type of profiler to use.
1310 The type of profiler to use.
1276 (default: ls)
1311 (default: ls)
1277
1312
1278 ``ls``
1313 ``ls``
1279 Use Python's built-in instrumenting profiler. This profiler
1314 Use Python's built-in instrumenting profiler. This profiler
1280 works on all platforms, but each line number it reports is the
1315 works on all platforms, but each line number it reports is the
1281 first line of a function. This restriction makes it difficult to
1316 first line of a function. This restriction makes it difficult to
1282 identify the expensive parts of a non-trivial function.
1317 identify the expensive parts of a non-trivial function.
1283 ``stat``
1318 ``stat``
1284 Use a third-party statistical profiler, statprof. This profiler
1319 Use a third-party statistical profiler, statprof. This profiler
1285 currently runs only on Unix systems, and is most useful for
1320 currently runs only on Unix systems, and is most useful for
1286 profiling commands that run for longer than about 0.1 seconds.
1321 profiling commands that run for longer than about 0.1 seconds.
1287
1322
1288 ``format``
1323 ``format``
1289 Profiling format. Specific to the ``ls`` instrumenting profiler.
1324 Profiling format. Specific to the ``ls`` instrumenting profiler.
1290 (default: text)
1325 (default: text)
1291
1326
1292 ``text``
1327 ``text``
1293 Generate a profiling report. When saving to a file, it should be
1328 Generate a profiling report. When saving to a file, it should be
1294 noted that only the report is saved, and the profiling data is
1329 noted that only the report is saved, and the profiling data is
1295 not kept.
1330 not kept.
1296 ``kcachegrind``
1331 ``kcachegrind``
1297 Format profiling data for kcachegrind use: when saving to a
1332 Format profiling data for kcachegrind use: when saving to a
1298 file, the generated file can directly be loaded into
1333 file, the generated file can directly be loaded into
1299 kcachegrind.
1334 kcachegrind.
1300
1335
1301 ``frequency``
1336 ``frequency``
1302 Sampling frequency. Specific to the ``stat`` sampling profiler.
1337 Sampling frequency. Specific to the ``stat`` sampling profiler.
1303 (default: 1000)
1338 (default: 1000)
1304
1339
1305 ``output``
1340 ``output``
1306 File path where profiling data or report should be saved. If the
1341 File path where profiling data or report should be saved. If the
1307 file exists, it is replaced. (default: None, data is printed on
1342 file exists, it is replaced. (default: None, data is printed on
1308 stderr)
1343 stderr)
1309
1344
1310 ``sort``
1345 ``sort``
1311 Sort field. Specific to the ``ls`` instrumenting profiler.
1346 Sort field. Specific to the ``ls`` instrumenting profiler.
1312 One of ``callcount``, ``reccallcount``, ``totaltime`` and
1347 One of ``callcount``, ``reccallcount``, ``totaltime`` and
1313 ``inlinetime``.
1348 ``inlinetime``.
1314 (default: inlinetime)
1349 (default: inlinetime)
1315
1350
1316 ``limit``
1351 ``limit``
1317 Number of lines to show. Specific to the ``ls`` instrumenting profiler.
1352 Number of lines to show. Specific to the ``ls`` instrumenting profiler.
1318 (default: 30)
1353 (default: 30)
1319
1354
1320 ``nested``
1355 ``nested``
1321 Show at most this number of lines of drill-down info after each main entry.
1356 Show at most this number of lines of drill-down info after each main entry.
1322 This can help explain the difference between Total and Inline.
1357 This can help explain the difference between Total and Inline.
1323 Specific to the ``ls`` instrumenting profiler.
1358 Specific to the ``ls`` instrumenting profiler.
1324 (default: 5)
1359 (default: 5)
1325
1360
1326 ``progress``
1361 ``progress``
1327 ------------
1362 ------------
1328
1363
1329 Mercurial commands can draw progress bars that are as informative as
1364 Mercurial commands can draw progress bars that are as informative as
1330 possible. Some progress bars only offer indeterminate information, while others
1365 possible. Some progress bars only offer indeterminate information, while others
1331 have a definite end point.
1366 have a definite end point.
1332
1367
1333 ``delay``
1368 ``delay``
1334 Number of seconds (float) before showing the progress bar. (default: 3)
1369 Number of seconds (float) before showing the progress bar. (default: 3)
1335
1370
1336 ``changedelay``
1371 ``changedelay``
1337 Minimum delay before showing a new topic. When set to less than 3 * refresh,
1372 Minimum delay before showing a new topic. When set to less than 3 * refresh,
1338 that value will be used instead. (default: 1)
1373 that value will be used instead. (default: 1)
1339
1374
1340 ``refresh``
1375 ``refresh``
1341 Time in seconds between refreshes of the progress bar. (default: 0.1)
1376 Time in seconds between refreshes of the progress bar. (default: 0.1)
1342
1377
1343 ``format``
1378 ``format``
1344 Format of the progress bar.
1379 Format of the progress bar.
1345
1380
1346 Valid entries for the format field are ``topic``, ``bar``, ``number``,
1381 Valid entries for the format field are ``topic``, ``bar``, ``number``,
1347 ``unit``, ``estimate``, ``speed``, and ``item``. ``item`` defaults to the
1382 ``unit``, ``estimate``, ``speed``, and ``item``. ``item`` defaults to the
1348 last 20 characters of the item, but this can be changed by adding either
1383 last 20 characters of the item, but this can be changed by adding either
1349 ``-<num>`` which would take the last num characters, or ``+<num>`` for the
1384 ``-<num>`` which would take the last num characters, or ``+<num>`` for the
1350 first num characters.
1385 first num characters.
1351
1386
1352 (default: topic bar number estimate)
1387 (default: topic bar number estimate)
1353
1388
1354 ``width``
1389 ``width``
1355 If set, the maximum width of the progress information (that is, min(width,
1390 If set, the maximum width of the progress information (that is, min(width,
1356 term width) will be used).
1391 term width) will be used).
1357
1392
1358 ``clear-complete``
1393 ``clear-complete``
1359 Clear the progress bar after it's done. (default: True)
1394 Clear the progress bar after it's done. (default: True)
1360
1395
1361 ``disable``
1396 ``disable``
1362 If true, don't show a progress bar.
1397 If true, don't show a progress bar.
1363
1398
1364 ``assume-tty``
1399 ``assume-tty``
1365 If true, ALWAYS show a progress bar, unless disable is given.
1400 If true, ALWAYS show a progress bar, unless disable is given.
1366
1401
1367 ``rebase``
1402 ``rebase``
1368 ----------
1403 ----------
1369
1404
1370 ``allowdivergence``
1405 ``allowdivergence``
1371 Default to False, when True allow creating divergence when performing
1406 Default to False, when True allow creating divergence when performing
1372 rebase of obsolete changesets.
1407 rebase of obsolete changesets.
1373
1408
1374 ``revsetalias``
1409 ``revsetalias``
1375 ---------------
1410 ---------------
1376
1411
1377 Alias definitions for revsets. See :hg:`help revsets` for details.
1412 Alias definitions for revsets. See :hg:`help revsets` for details.
1378
1413
1379 ``server``
1414 ``server``
1380 ----------
1415 ----------
1381
1416
1382 Controls generic server settings.
1417 Controls generic server settings.
1383
1418
1384 ``uncompressed``
1419 ``uncompressed``
1385 Whether to allow clients to clone a repository using the
1420 Whether to allow clients to clone a repository using the
1386 uncompressed streaming protocol. This transfers about 40% more
1421 uncompressed streaming protocol. This transfers about 40% more
1387 data than a regular clone, but uses less memory and CPU on both
1422 data than a regular clone, but uses less memory and CPU on both
1388 server and client. Over a LAN (100 Mbps or better) or a very fast
1423 server and client. Over a LAN (100 Mbps or better) or a very fast
1389 WAN, an uncompressed streaming clone is a lot faster (~10x) than a
1424 WAN, an uncompressed streaming clone is a lot faster (~10x) than a
1390 regular clone. Over most WAN connections (anything slower than
1425 regular clone. Over most WAN connections (anything slower than
1391 about 6 Mbps), uncompressed streaming is slower, because of the
1426 about 6 Mbps), uncompressed streaming is slower, because of the
1392 extra data transfer overhead. This mode will also temporarily hold
1427 extra data transfer overhead. This mode will also temporarily hold
1393 the write lock while determining what data to transfer.
1428 the write lock while determining what data to transfer.
1394 (default: True)
1429 (default: True)
1395
1430
1396 ``preferuncompressed``
1431 ``preferuncompressed``
1397 When set, clients will try to use the uncompressed streaming
1432 When set, clients will try to use the uncompressed streaming
1398 protocol. (default: False)
1433 protocol. (default: False)
1399
1434
1400 ``validate``
1435 ``validate``
1401 Whether to validate the completeness of pushed changesets by
1436 Whether to validate the completeness of pushed changesets by
1402 checking that all new file revisions specified in manifests are
1437 checking that all new file revisions specified in manifests are
1403 present. (default: False)
1438 present. (default: False)
1404
1439
1405 ``maxhttpheaderlen``
1440 ``maxhttpheaderlen``
1406 Instruct HTTP clients not to send request headers longer than this
1441 Instruct HTTP clients not to send request headers longer than this
1407 many bytes. (default: 1024)
1442 many bytes. (default: 1024)
1408
1443
1409 ``bundle1``
1444 ``bundle1``
1410 Whether to allow clients to push and pull using the legacy bundle1
1445 Whether to allow clients to push and pull using the legacy bundle1
1411 exchange format. (default: True)
1446 exchange format. (default: True)
1412
1447
1413 ``bundle1gd``
1448 ``bundle1gd``
1414 Like ``bundle1`` but only used if the repository is using the
1449 Like ``bundle1`` but only used if the repository is using the
1415 *generaldelta* storage format. (default: True)
1450 *generaldelta* storage format. (default: True)
1416
1451
1417 ``bundle1.push``
1452 ``bundle1.push``
1418 Whether to allow clients to push using the legacy bundle1 exchange
1453 Whether to allow clients to push using the legacy bundle1 exchange
1419 format. (default: True)
1454 format. (default: True)
1420
1455
1421 ``bundle1gd.push``
1456 ``bundle1gd.push``
1422 Like ``bundle1.push`` but only used if the repository is using the
1457 Like ``bundle1.push`` but only used if the repository is using the
1423 *generaldelta* storage format. (default: True)
1458 *generaldelta* storage format. (default: True)
1424
1459
1425 ``bundle1.pull``
1460 ``bundle1.pull``
1426 Whether to allow clients to pull using the legacy bundle1 exchange
1461 Whether to allow clients to pull using the legacy bundle1 exchange
1427 format. (default: True)
1462 format. (default: True)
1428
1463
1429 ``bundle1gd.pull``
1464 ``bundle1gd.pull``
1430 Like ``bundle1.pull`` but only used if the repository is using the
1465 Like ``bundle1.pull`` but only used if the repository is using the
1431 *generaldelta* storage format. (default: True)
1466 *generaldelta* storage format. (default: True)
1432
1467
1433 Large repositories using the *generaldelta* storage format should
1468 Large repositories using the *generaldelta* storage format should
1434 consider setting this option because converting *generaldelta*
1469 consider setting this option because converting *generaldelta*
1435 repositories to the exchange format required by the bundle1 data
1470 repositories to the exchange format required by the bundle1 data
1436 format can consume a lot of CPU.
1471 format can consume a lot of CPU.
1437
1472
1438 ``smtp``
1473 ``smtp``
1439 --------
1474 --------
1440
1475
1441 Configuration for extensions that need to send email messages.
1476 Configuration for extensions that need to send email messages.
1442
1477
1443 ``host``
1478 ``host``
1444 Host name of mail server, e.g. "mail.example.com".
1479 Host name of mail server, e.g. "mail.example.com".
1445
1480
1446 ``port``
1481 ``port``
1447 Optional. Port to connect to on mail server. (default: 465 if
1482 Optional. Port to connect to on mail server. (default: 465 if
1448 ``tls`` is smtps; 25 otherwise)
1483 ``tls`` is smtps; 25 otherwise)
1449
1484
1450 ``tls``
1485 ``tls``
1451 Optional. Method to enable TLS when connecting to mail server: starttls,
1486 Optional. Method to enable TLS when connecting to mail server: starttls,
1452 smtps or none. (default: none)
1487 smtps or none. (default: none)
1453
1488
1454 ``verifycert``
1489 ``verifycert``
1455 Optional. Verification for the certificate of mail server, when
1490 Optional. Verification for the certificate of mail server, when
1456 ``tls`` is starttls or smtps. "strict", "loose" or False. For
1491 ``tls`` is starttls or smtps. "strict", "loose" or False. For
1457 "strict" or "loose", the certificate is verified as same as the
1492 "strict" or "loose", the certificate is verified as same as the
1458 verification for HTTPS connections (see ``[hostfingerprints]`` and
1493 verification for HTTPS connections (see ``[hostfingerprints]`` and
1459 ``[web] cacerts`` also). For "strict", sending email is also
1494 ``[web] cacerts`` also). For "strict", sending email is also
1460 aborted, if there is no configuration for mail server in
1495 aborted, if there is no configuration for mail server in
1461 ``[hostfingerprints]`` and ``[web] cacerts``. --insecure for
1496 ``[hostfingerprints]`` and ``[web] cacerts``. --insecure for
1462 :hg:`email` overwrites this as "loose". (default: strict)
1497 :hg:`email` overwrites this as "loose". (default: strict)
1463
1498
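Review bot: the ``verifycert`` entry under ``[smtp]`` (new lines 1490-1497) is carried over unchanged and still names only ``[hostfingerprints]`` and ``[web] cacerts``, both in the cross-reference and in the condition under which "strict" aborts sending. Since this change allows fingerprints to be specified in ``[hostsecurity]``, the help text should state whether a fingerprint configured there also counts as configuration for the mail server. If it does, add ``[hostsecurity]`` to both mentions; if it does not, say so explicitly, so that a user who moves a pinned fingerprint to the new section can tell from this entry why :hg:`email` aborts under "strict".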
1464 ``username``
1499 ``username``
1465 Optional. User name for authenticating with the SMTP server.
1500 Optional. User name for authenticating with the SMTP server.
1466 (default: None)
1501 (default: None)
1467
1502
1468 ``password``
1503 ``password``
1469 Optional. Password for authenticating with the SMTP server. If not
1504 Optional. Password for authenticating with the SMTP server. If not
1470 specified, interactive sessions will prompt the user for a
1505 specified, interactive sessions will prompt the user for a
1471 password; non-interactive sessions will fail. (default: None)
1506 password; non-interactive sessions will fail. (default: None)
1472
1507
1473 ``local_hostname``
1508 ``local_hostname``
1474 Optional. The hostname that the sender can use to identify
1509 Optional. The hostname that the sender can use to identify
1475 itself to the MTA.
1510 itself to the MTA.
1476
1511
1477
1512
1478 ``subpaths``
1513 ``subpaths``
1479 ------------
1514 ------------
1480
1515
1481 Subrepository source URLs can go stale if a remote server changes name
1516 Subrepository source URLs can go stale if a remote server changes name
1482 or becomes temporarily unavailable. This section lets you define
1517 or becomes temporarily unavailable. This section lets you define
1483 rewrite rules of the form::
1518 rewrite rules of the form::
1484
1519
1485 <pattern> = <replacement>
1520 <pattern> = <replacement>
1486
1521
1487 where ``pattern`` is a regular expression matching a subrepository
1522 where ``pattern`` is a regular expression matching a subrepository
1488 source URL and ``replacement`` is the replacement string used to
1523 source URL and ``replacement`` is the replacement string used to
1489 rewrite it. Groups can be matched in ``pattern`` and referenced in
1524 rewrite it. Groups can be matched in ``pattern`` and referenced in
1490 ``replacements``. For instance::
1525 ``replacements``. For instance::
1491
1526
1492 http://server/(.*)-hg/ = http://hg.server/\1/
1527 http://server/(.*)-hg/ = http://hg.server/\1/
1493
1528
1494 rewrites ``http://server/foo-hg/`` into ``http://hg.server/foo/``.
1529 rewrites ``http://server/foo-hg/`` into ``http://hg.server/foo/``.
1495
1530
1496 Relative subrepository paths are first made absolute, and the
1531 Relative subrepository paths are first made absolute, and the
1497 rewrite rules are then applied on the full (absolute) path. The rules
1532 rewrite rules are then applied on the full (absolute) path. The rules
1498 are applied in definition order.
1533 are applied in definition order.
1499
1534
1500 ``templatealias``
1535 ``templatealias``
1501 -----------------
1536 -----------------
1502
1537
1503 Alias definitions for templates. See :hg:`help templates` for details.
1538 Alias definitions for templates. See :hg:`help templates` for details.
1504
1539
1505 ``trusted``
1540 ``trusted``
1506 -----------
1541 -----------
1507
1542
1508 Mercurial will not use the settings in the
1543 Mercurial will not use the settings in the
1509 ``.hg/hgrc`` file from a repository if it doesn't belong to a trusted
1544 ``.hg/hgrc`` file from a repository if it doesn't belong to a trusted
1510 user or to a trusted group, as various hgrc features allow arbitrary
1545 user or to a trusted group, as various hgrc features allow arbitrary
1511 commands to be run. This issue is often encountered when configuring
1546 commands to be run. This issue is often encountered when configuring
1512 hooks or extensions for shared repositories or servers. However,
1547 hooks or extensions for shared repositories or servers. However,
1513 the web interface will use some safe settings from the ``[web]``
1548 the web interface will use some safe settings from the ``[web]``
1514 section.
1549 section.
1515
1550
1516 This section specifies what users and groups are trusted. The
1551 This section specifies what users and groups are trusted. The
1517 current user is always trusted. To trust everybody, list a user or a
1552 current user is always trusted. To trust everybody, list a user or a
1518 group with name ``*``. These settings must be placed in an
1553 group with name ``*``. These settings must be placed in an
1519 *already-trusted file* to take effect, such as ``$HOME/.hgrc`` of the
1554 *already-trusted file* to take effect, such as ``$HOME/.hgrc`` of the
1520 user or service running Mercurial.
1555 user or service running Mercurial.
1521
1556
1522 ``users``
1557 ``users``
1523 Comma-separated list of trusted users.
1558 Comma-separated list of trusted users.
1524
1559
1525 ``groups``
1560 ``groups``
1526 Comma-separated list of trusted groups.
1561 Comma-separated list of trusted groups.
1527
1562
1528
1563
1529 ``ui``
1564 ``ui``
1530 ------
1565 ------
1531
1566
1532 User interface controls.
1567 User interface controls.
1533
1568
1534 ``archivemeta``
1569 ``archivemeta``
1535 Whether to include the .hg_archival.txt file containing meta data
1570 Whether to include the .hg_archival.txt file containing meta data
1536 (hashes for the repository base and for tip) in archives created
1571 (hashes for the repository base and for tip) in archives created
1537 by the :hg:`archive` command or downloaded via hgweb.
1572 by the :hg:`archive` command or downloaded via hgweb.
1538 (default: True)
1573 (default: True)
1539
1574
1540 ``askusername``
1575 ``askusername``
1541 Whether to prompt for a username when committing. If True, and
1576 Whether to prompt for a username when committing. If True, and
1542 neither ``$HGUSER`` nor ``$EMAIL`` has been specified, then the user will
1577 neither ``$HGUSER`` nor ``$EMAIL`` has been specified, then the user will
1543 be prompted to enter a username. If no username is entered, the
1578 be prompted to enter a username. If no username is entered, the
1544 default ``USER@HOST`` is used instead.
1579 default ``USER@HOST`` is used instead.
1545 (default: False)
1580 (default: False)
1546
1581
1547 ``clonebundles``
1582 ``clonebundles``
1548 Whether the "clone bundles" feature is enabled.
1583 Whether the "clone bundles" feature is enabled.
1549
1584
1550 When enabled, :hg:`clone` may download and apply a server-advertised
1585 When enabled, :hg:`clone` may download and apply a server-advertised
1551 bundle file from a URL instead of using the normal exchange mechanism.
1586 bundle file from a URL instead of using the normal exchange mechanism.
1552
1587
1553 This can likely result in faster and more reliable clones.
1588 This can likely result in faster and more reliable clones.
1554
1589
1555 (default: True)
1590 (default: True)
1556
1591
1557 ``clonebundlefallback``
1592 ``clonebundlefallback``
1558 Whether failure to apply an advertised "clone bundle" from a server
1593 Whether failure to apply an advertised "clone bundle" from a server
1559 should result in fallback to a regular clone.
1594 should result in fallback to a regular clone.
1560
1595
1561 This is disabled by default because servers advertising "clone
1596 This is disabled by default because servers advertising "clone
1562 bundles" often do so to reduce server load. If advertised bundles
1597 bundles" often do so to reduce server load. If advertised bundles
1563 start mass failing and clients automatically fall back to a regular
1598 start mass failing and clients automatically fall back to a regular
1564 clone, this would add significant and unexpected load to the server
1599 clone, this would add significant and unexpected load to the server
1565 since the server is expecting clone operations to be offloaded to
1600 since the server is expecting clone operations to be offloaded to
1566 pre-generated bundles. Failing fast (the default behavior) ensures
1601 pre-generated bundles. Failing fast (the default behavior) ensures
1567 clients don't overwhelm the server when "clone bundle" application
1602 clients don't overwhelm the server when "clone bundle" application
1568 fails.
1603 fails.
1569
1604
1570 (default: False)
1605 (default: False)
1571
1606
1572 ``clonebundleprefers``
1607 ``clonebundleprefers``
1573 Defines preferences for which "clone bundles" to use.
1608 Defines preferences for which "clone bundles" to use.
1574
1609
1575 Servers advertising "clone bundles" may advertise multiple available
1610 Servers advertising "clone bundles" may advertise multiple available
1576 bundles. Each bundle may have different attributes, such as the bundle
1611 bundles. Each bundle may have different attributes, such as the bundle
1577 type and compression format. This option is used to prefer a particular
1612 type and compression format. This option is used to prefer a particular
1578 bundle over another.
1613 bundle over another.
1579
1614
1580 The following keys are defined by Mercurial:
1615 The following keys are defined by Mercurial:
1581
1616
1582 BUNDLESPEC
1617 BUNDLESPEC
1583 A bundle type specifier. These are strings passed to :hg:`bundle -t`.
1618 A bundle type specifier. These are strings passed to :hg:`bundle -t`.
1584 e.g. ``gzip-v2`` or ``bzip2-v1``.
1619 e.g. ``gzip-v2`` or ``bzip2-v1``.
1585
1620
1586 COMPRESSION
1621 COMPRESSION
1587 The compression format of the bundle. e.g. ``gzip`` and ``bzip2``.
1622 The compression format of the bundle. e.g. ``gzip`` and ``bzip2``.
1588
1623
1589 Server operators may define custom keys.
1624 Server operators may define custom keys.
1590
1625
1591 Example values: ``COMPRESSION=bzip2``,
1626 Example values: ``COMPRESSION=bzip2``,
1592 ``BUNDLESPEC=gzip-v2, COMPRESSION=gzip``.
1627 ``BUNDLESPEC=gzip-v2, COMPRESSION=gzip``.
1593
1628
1594 By default, the first bundle advertised by the server is used.
1629 By default, the first bundle advertised by the server is used.
1595
1630
1596 ``commitsubrepos``
1631 ``commitsubrepos``
1597 Whether to commit modified subrepositories when committing the
1632 Whether to commit modified subrepositories when committing the
1598 parent repository. If False and one subrepository has uncommitted
1633 parent repository. If False and one subrepository has uncommitted
1599 changes, abort the commit.
1634 changes, abort the commit.
1600 (default: False)
1635 (default: False)
1601
1636
1602 ``debug``
1637 ``debug``
1603 Print debugging information. (default: False)
1638 Print debugging information. (default: False)
1604
1639
1605 ``editor``
1640 ``editor``
1606 The editor to use during a commit. (default: ``$EDITOR`` or ``vi``)
1641 The editor to use during a commit. (default: ``$EDITOR`` or ``vi``)
1607
1642
1608 ``fallbackencoding``
1643 ``fallbackencoding``
1609 Encoding to try if it's not possible to decode the changelog using
1644 Encoding to try if it's not possible to decode the changelog using
1610 UTF-8. (default: ISO-8859-1)
1645 UTF-8. (default: ISO-8859-1)
1611
1646
1612 ``graphnodetemplate``
1647 ``graphnodetemplate``
1613 The template used to print changeset nodes in an ASCII revision graph.
1648 The template used to print changeset nodes in an ASCII revision graph.
1614 (default: ``{graphnode}``)
1649 (default: ``{graphnode}``)
1615
1650
1616 ``ignore``
1651 ``ignore``
1617 A file to read per-user ignore patterns from. This file should be
1652 A file to read per-user ignore patterns from. This file should be
1618 in the same format as a repository-wide .hgignore file. Filenames
1653 in the same format as a repository-wide .hgignore file. Filenames
1619 are relative to the repository root. This option supports hook syntax,
1654 are relative to the repository root. This option supports hook syntax,
1620 so if you want to specify multiple ignore files, you can do so by
1655 so if you want to specify multiple ignore files, you can do so by
1621 setting something like ``ignore.other = ~/.hgignore2``. For details
1656 setting something like ``ignore.other = ~/.hgignore2``. For details
1622 of the ignore file format, see the ``hgignore(5)`` man page.
1657 of the ignore file format, see the ``hgignore(5)`` man page.
1623
1658
1624 ``interactive``
1659 ``interactive``
1625 Allow to prompt the user. (default: True)
1660 Allow to prompt the user. (default: True)
1626
1661
1627 ``interface``
1662 ``interface``
1628 Select the default interface for interactive features (default: text).
1663 Select the default interface for interactive features (default: text).
1629 Possible values are 'text' and 'curses'.
1664 Possible values are 'text' and 'curses'.
1630
1665
1631 ``interface.chunkselector``
1666 ``interface.chunkselector``
1632 Select the interface for change recording (e.g. :hg:`commit` -i).
1667 Select the interface for change recording (e.g. :hg:`commit` -i).
1633 Possible values are 'text' and 'curses'.
1668 Possible values are 'text' and 'curses'.
1634 This config overrides the interface specified by ui.interface.
1669 This config overrides the interface specified by ui.interface.
1635
1670
1636 ``logtemplate``
1671 ``logtemplate``
1637 Template string for commands that print changesets.
1672 Template string for commands that print changesets.
1638
1673
1639 ``merge``
1674 ``merge``
1640 The conflict resolution program to use during a manual merge.
1675 The conflict resolution program to use during a manual merge.
1641 For more information on merge tools see :hg:`help merge-tools`.
1676 For more information on merge tools see :hg:`help merge-tools`.
1642 For configuring merge tools see the ``[merge-tools]`` section.
1677 For configuring merge tools see the ``[merge-tools]`` section.
1643
1678
1644 ``mergemarkers``
1679 ``mergemarkers``
1645 Sets the merge conflict marker label styling. The ``detailed``
1680 Sets the merge conflict marker label styling. The ``detailed``
1646 style uses the ``mergemarkertemplate`` setting to style the labels.
1681 style uses the ``mergemarkertemplate`` setting to style the labels.
1647 The ``basic`` style just uses 'local' and 'other' as the marker label.
1682 The ``basic`` style just uses 'local' and 'other' as the marker label.
1648 One of ``basic`` or ``detailed``.
1683 One of ``basic`` or ``detailed``.
1649 (default: ``basic``)
1684 (default: ``basic``)
1650
1685
1651 ``mergemarkertemplate``
1686 ``mergemarkertemplate``
1652 The template used to print the commit description next to each conflict
1687 The template used to print the commit description next to each conflict
1653 marker during merge conflicts. See :hg:`help templates` for the template
1688 marker during merge conflicts. See :hg:`help templates` for the template
1654 format.
1689 format.
1655
1690
1656 Defaults to showing the hash, tags, branches, bookmarks, author, and
1691 Defaults to showing the hash, tags, branches, bookmarks, author, and
1657 the first line of the commit description.
1692 the first line of the commit description.
1658
1693
1659 If you use non-ASCII characters in names for tags, branches, bookmarks,
1694 If you use non-ASCII characters in names for tags, branches, bookmarks,
1660 authors, and/or commit descriptions, you must pay attention to encodings of
1695 authors, and/or commit descriptions, you must pay attention to encodings of
1661 managed files. At template expansion, non-ASCII characters use the encoding
1696 managed files. At template expansion, non-ASCII characters use the encoding
1662 specified by the ``--encoding`` global option, ``HGENCODING`` or other
1697 specified by the ``--encoding`` global option, ``HGENCODING`` or other
1663 environment variables that govern your locale. If the encoding of the merge
1698 environment variables that govern your locale. If the encoding of the merge
1664 markers is different from the encoding of the merged files,
1699 markers is different from the encoding of the merged files,
1665 serious problems may occur.
1700 serious problems may occur.
1666
1701
1667 ``origbackuppath``
1702 ``origbackuppath``
1668 The path to a directory used to store generated .orig files. If the path is
1703 The path to a directory used to store generated .orig files. If the path is
1669 not a directory, one will be created.
1704 not a directory, one will be created.
1670
1705
1671 ``patch``
1706 ``patch``
1672 An optional external tool that ``hg import`` and some extensions
1707 An optional external tool that ``hg import`` and some extensions
1673 will use for applying patches. By default Mercurial uses an
1708 will use for applying patches. By default Mercurial uses an
1674 internal patch utility. The external tool must work as the common
1709 internal patch utility. The external tool must work as the common
1675 Unix ``patch`` program. In particular, it must accept a ``-p``
1710 Unix ``patch`` program. In particular, it must accept a ``-p``
1676 argument to strip patch headers, a ``-d`` argument to specify the
1711 argument to strip patch headers, a ``-d`` argument to specify the
1677 current directory, a file name to patch, and a patch file to take
1712 current directory, a file name to patch, and a patch file to take
1678 from stdin.
1713 from stdin.
1679
1714
1680 It is possible to specify a patch tool together with extra
1715 It is possible to specify a patch tool together with extra
1681 arguments. For example, setting this option to ``patch --merge``
1716 arguments. For example, setting this option to ``patch --merge``
1682 will use the ``patch`` program with its 2-way merge option.
1717 will use the ``patch`` program with its 2-way merge option.
1683
1718
1684 ``portablefilenames``
1719 ``portablefilenames``
1685 Check for portable filenames. Can be ``warn``, ``ignore`` or ``abort``.
1720 Check for portable filenames. Can be ``warn``, ``ignore`` or ``abort``.
1686 (default: ``warn``)
1721 (default: ``warn``)
1687
1722
1688 ``warn``
1723 ``warn``
1689 Print a warning message on POSIX platforms, if a file with a non-portable
1724 Print a warning message on POSIX platforms, if a file with a non-portable
1690 filename is added (e.g. a file with a name that can't be created on
1725 filename is added (e.g. a file with a name that can't be created on
1691 Windows because it contains reserved parts like ``AUX``, reserved
1726 Windows because it contains reserved parts like ``AUX``, reserved
1692 characters like ``:``, or would cause a case collision with an existing
1727 characters like ``:``, or would cause a case collision with an existing
1693 file).
1728 file).
1694
1729
1695 ``ignore``
1730 ``ignore``
1696 Don't print a warning.
1731 Don't print a warning.
1697
1732
1698 ``abort``
1733 ``abort``
1699 The command is aborted.
1734 The command is aborted.
1700
1735
1701 ``true``
1736 ``true``
1702 Alias for ``warn``.
1737 Alias for ``warn``.
1703
1738
1704 ``false``
1739 ``false``
1705 Alias for ``ignore``.
1740 Alias for ``ignore``.
1706
1741
1707 .. container:: windows
1742 .. container:: windows
1708
1743
1709 On Windows, this configuration option is ignored and the command aborted.
1744 On Windows, this configuration option is ignored and the command aborted.
1710
1745
1711 ``quiet``
1746 ``quiet``
1712 Reduce the amount of output printed.
1747 Reduce the amount of output printed.
1713 (default: False)
1748 (default: False)
1714
1749
1715 ``remotecmd``
1750 ``remotecmd``
1716 Remote command to use for clone/push/pull operations.
1751 Remote command to use for clone/push/pull operations.
1717 (default: ``hg``)
1752 (default: ``hg``)
1718
1753
1719 ``report_untrusted``
1754 ``report_untrusted``
1720 Warn if a ``.hg/hgrc`` file is ignored due to not being owned by a
1755 Warn if a ``.hg/hgrc`` file is ignored due to not being owned by a
1721 trusted user or group.
1756 trusted user or group.
1722 (default: True)
1757 (default: True)
1723
1758
1724 ``slash``
1759 ``slash``
1725 Display paths using a slash (``/``) as the path separator. This
1760 Display paths using a slash (``/``) as the path separator. This
1726 only makes a difference on systems where the default path
1761 only makes a difference on systems where the default path
1727 separator is not the slash character (e.g. Windows uses the
1762 separator is not the slash character (e.g. Windows uses the
1728 backslash character (``\``)).
1763 backslash character (``\``)).
1729 (default: False)
1764 (default: False)
1730
1765
1731 ``statuscopies``
1766 ``statuscopies``
1732 Display copies in the status command.
1767 Display copies in the status command.
1733
1768
1734 ``ssh``
1769 ``ssh``
1735 Command to use for SSH connections. (default: ``ssh``)
1770 Command to use for SSH connections. (default: ``ssh``)
1736
1771
1737 ``strict``
1772 ``strict``
1738 Require exact command names, instead of allowing unambiguous
1773 Require exact command names, instead of allowing unambiguous
1739 abbreviations. (default: False)
1774 abbreviations. (default: False)
1740
1775
1741 ``style``
1776 ``style``
1742 Name of style to use for command output.
1777 Name of style to use for command output.
1743
1778
1744 ``supportcontact``
1779 ``supportcontact``
1745 A URL where users should report a Mercurial traceback. Use this if you are a
1780 A URL where users should report a Mercurial traceback. Use this if you are a
1746 large organisation with its own Mercurial deployment process and crash
1781 large organisation with its own Mercurial deployment process and crash
1747 reports should be addressed to your internal support.
1782 reports should be addressed to your internal support.
1748
1783
1749 ``textwidth``
1784 ``textwidth``
1750 Maximum width of help text. A longer line generated by ``hg help`` or
1785 Maximum width of help text. A longer line generated by ``hg help`` or
1751 ``hg subcommand --help`` will be broken after white space to get this
1786 ``hg subcommand --help`` will be broken after white space to get this
1752 width or the terminal width, whichever comes first.
1787 width or the terminal width, whichever comes first.
1753 A non-positive value will disable this and the terminal width will be
1788 A non-positive value will disable this and the terminal width will be
1754 used. (default: 78)
1789 used. (default: 78)
1755
1790
1756 ``timeout``
1791 ``timeout``
1757 The timeout used when a lock is held (in seconds), a negative value
1792 The timeout used when a lock is held (in seconds), a negative value
1758 means no timeout. (default: 600)
1793 means no timeout. (default: 600)
1759
1794
1760 ``traceback``
1795 ``traceback``
1761 Mercurial always prints a traceback when an unknown exception
1796 Mercurial always prints a traceback when an unknown exception
1762 occurs. Setting this to True will make Mercurial print a traceback
1797 occurs. Setting this to True will make Mercurial print a traceback
1763 on all exceptions, even those recognized by Mercurial (such as
1798 on all exceptions, even those recognized by Mercurial (such as
1764 IOError or MemoryError). (default: False)
1799 IOError or MemoryError). (default: False)
1765
1800
1766 ``username``
1801 ``username``
1767 The committer of a changeset created when running "commit".
1802 The committer of a changeset created when running "commit".
1768 Typically a person's name and email address, e.g. ``Fred Widget
1803 Typically a person's name and email address, e.g. ``Fred Widget
1769 <fred@example.com>``. Environment variables in the
1804 <fred@example.com>``. Environment variables in the
1770 username are expanded.
1805 username are expanded.
1771
1806
1772 (default: ``$EMAIL`` or ``username@hostname``. If the username in
1807 (default: ``$EMAIL`` or ``username@hostname``. If the username in
1773 hgrc is empty, e.g. if the system admin set ``username =`` in the
1808 hgrc is empty, e.g. if the system admin set ``username =`` in the
1774 system hgrc, it has to be specified manually or in a different
1809 system hgrc, it has to be specified manually or in a different
1775 hgrc file)
1810 hgrc file)
1776
1811
1777 ``verbose``
1812 ``verbose``
1778 Increase the amount of output printed. (default: False)
1813 Increase the amount of output printed. (default: False)
1779
1814
1780
1815
1781 ``web``
1816 ``web``
1782 -------
1817 -------
1783
1818
1784 Web interface configuration. The settings in this section apply to
1819 Web interface configuration. The settings in this section apply to
1785 both the builtin webserver (started by :hg:`serve`) and the script you
1820 both the builtin webserver (started by :hg:`serve`) and the script you
1786 run through a webserver (``hgweb.cgi`` and the derivatives for FastCGI
1821 run through a webserver (``hgweb.cgi`` and the derivatives for FastCGI
1787 and WSGI).
1822 and WSGI).
1788
1823
1789 The Mercurial webserver does no authentication (it does not prompt for
1824 The Mercurial webserver does no authentication (it does not prompt for
1790 usernames and passwords to validate *who* users are), but it does do
1825 usernames and passwords to validate *who* users are), but it does do
1791 authorization (it grants or denies access for *authenticated users*
1826 authorization (it grants or denies access for *authenticated users*
1792 based on settings in this section). You must either configure your
1827 based on settings in this section). You must either configure your
1793 webserver to do authentication for you, or disable the authorization
1828 webserver to do authentication for you, or disable the authorization
1794 checks.
1829 checks.
1795
1830
1796 For a quick setup in a trusted environment, e.g., a private LAN, where
1831 For a quick setup in a trusted environment, e.g., a private LAN, where
1797 you want it to accept pushes from anybody, you can use the following
1832 you want it to accept pushes from anybody, you can use the following
1798 command line::
1833 command line::
1799
1834
1800 $ hg --config web.allow_push=* --config web.push_ssl=False serve
1835 $ hg --config web.allow_push=* --config web.push_ssl=False serve
1801
1836
1802 Note that this will allow anybody to push anything to the server and
1837 Note that this will allow anybody to push anything to the server and
1803 that this should not be used for public servers.
1838 that this should not be used for public servers.
1804
1839
1805 The full set of options is:
1840 The full set of options is:
1806
1841
1807 ``accesslog``
1842 ``accesslog``
1808 Where to output the access log. (default: stdout)
1843 Where to output the access log. (default: stdout)
1809
1844
1810 ``address``
1845 ``address``
1811 Interface address to bind to. (default: all)
1846 Interface address to bind to. (default: all)
1812
1847
1813 ``allow_archive``
1848 ``allow_archive``
1814 List of archive format (bz2, gz, zip) allowed for downloading.
1849 List of archive format (bz2, gz, zip) allowed for downloading.
1815 (default: empty)
1850 (default: empty)
1816
1851
1817 ``allowbz2``
1852 ``allowbz2``
1818 (DEPRECATED) Whether to allow .tar.bz2 downloading of repository
1853 (DEPRECATED) Whether to allow .tar.bz2 downloading of repository
1819 revisions.
1854 revisions.
1820 (default: False)
1855 (default: False)
1821
1856
1822 ``allowgz``
1857 ``allowgz``
1823 (DEPRECATED) Whether to allow .tar.gz downloading of repository
1858 (DEPRECATED) Whether to allow .tar.gz downloading of repository
1824 revisions.
1859 revisions.
1825 (default: False)
1860 (default: False)
1826
1861
1827 ``allowpull``
1862 ``allowpull``
1828 Whether to allow pulling from the repository. (default: True)
1863 Whether to allow pulling from the repository. (default: True)
1829
1864
1830 ``allow_push``
1865 ``allow_push``
1831 Whether to allow pushing to the repository. If empty or not set,
1866 Whether to allow pushing to the repository. If empty or not set,
1832 pushing is not allowed. If the special value ``*``, any remote
1867 pushing is not allowed. If the special value ``*``, any remote
1833 user can push, including unauthenticated users. Otherwise, the
1868 user can push, including unauthenticated users. Otherwise, the
1834 remote user must have been authenticated, and the authenticated
1869 remote user must have been authenticated, and the authenticated
1835 user name must be present in this list. The contents of the
1870 user name must be present in this list. The contents of the
1836 allow_push list are examined after the deny_push list.
1871 allow_push list are examined after the deny_push list.
1837
1872
1838 ``allow_read``
1873 ``allow_read``
1839 If the user has not already been denied repository access due to
1874 If the user has not already been denied repository access due to
1840 the contents of deny_read, this list determines whether to grant
1875 the contents of deny_read, this list determines whether to grant
1841 repository access to the user. If this list is not empty, and the
1876 repository access to the user. If this list is not empty, and the
1842 user is unauthenticated or not present in the list, then access is
1877 user is unauthenticated or not present in the list, then access is
1843 denied for the user. If the list is empty or not set, then access
1878 denied for the user. If the list is empty or not set, then access
1844 is permitted to all users by default. Setting allow_read to the
1879 is permitted to all users by default. Setting allow_read to the
1845 special value ``*`` is equivalent to it not being set (i.e. access
1880 special value ``*`` is equivalent to it not being set (i.e. access
1846 is permitted to all users). The contents of the allow_read list are
1881 is permitted to all users). The contents of the allow_read list are
1847 examined after the deny_read list.
1882 examined after the deny_read list.
1848
1883
1849 ``allowzip``
1884 ``allowzip``
1850 (DEPRECATED) Whether to allow .zip downloading of repository
1885 (DEPRECATED) Whether to allow .zip downloading of repository
1851 revisions. This feature creates temporary files.
1886 revisions. This feature creates temporary files.
1852 (default: False)
1887 (default: False)
1853
1888
1854 ``archivesubrepos``
1889 ``archivesubrepos``
1855 Whether to recurse into subrepositories when archiving.
1890 Whether to recurse into subrepositories when archiving.
1856 (default: False)
1891 (default: False)
1857
1892
1858 ``baseurl``
1893 ``baseurl``
1859 Base URL to use when publishing URLs in other locations, so
1894 Base URL to use when publishing URLs in other locations, so
1860 third-party tools like email notification hooks can construct
1895 third-party tools like email notification hooks can construct
1861 URLs. Example: ``http://hgserver/repos/``.
1896 URLs. Example: ``http://hgserver/repos/``.
1862
1897
1863 ``cacerts``
1898 ``cacerts``
1864 Path to file containing a list of PEM encoded certificate
1899 Path to file containing a list of PEM encoded certificate
1865 authority certificates. Environment variables and ``~user``
1900 authority certificates. Environment variables and ``~user``
1866 constructs are expanded in the filename. If specified on the
1901 constructs are expanded in the filename. If specified on the
1867 client, then it will verify the identity of remote HTTPS servers
1902 client, then it will verify the identity of remote HTTPS servers
1868 with these certificates.
1903 with these certificates.
1869
1904
1870 To disable SSL verification temporarily, specify ``--insecure`` from
1905 To disable SSL verification temporarily, specify ``--insecure`` from
1871 command line.
1906 command line.
1872
1907
1873 You can use OpenSSL's CA certificate file if your platform has
1908 You can use OpenSSL's CA certificate file if your platform has
1874 one. On most Linux systems this will be
1909 one. On most Linux systems this will be
1875 ``/etc/ssl/certs/ca-certificates.crt``. Otherwise you will have to
1910 ``/etc/ssl/certs/ca-certificates.crt``. Otherwise you will have to
1876 generate this file manually. The form must be as follows::
1911 generate this file manually. The form must be as follows::
1877
1912
1878 -----BEGIN CERTIFICATE-----
1913 -----BEGIN CERTIFICATE-----
1879 ... (certificate in base64 PEM encoding) ...
1914 ... (certificate in base64 PEM encoding) ...
1880 -----END CERTIFICATE-----
1915 -----END CERTIFICATE-----
1881 -----BEGIN CERTIFICATE-----
1916 -----BEGIN CERTIFICATE-----
1882 ... (certificate in base64 PEM encoding) ...
1917 ... (certificate in base64 PEM encoding) ...
1883 -----END CERTIFICATE-----
1918 -----END CERTIFICATE-----
1884
1919
1885 ``cache``
1920 ``cache``
1886 Whether to support caching in hgweb. (default: True)
1921 Whether to support caching in hgweb. (default: True)
1887
1922
1888 ``certificate``
1923 ``certificate``
1889 Certificate to use when running :hg:`serve`.
1924 Certificate to use when running :hg:`serve`.
1890
1925
1891 ``collapse``
1926 ``collapse``
1892 With ``descend`` enabled, repositories in subdirectories are shown at
1927 With ``descend`` enabled, repositories in subdirectories are shown at
1893 a single level alongside repositories in the current path. With
1928 a single level alongside repositories in the current path. With
1894 ``collapse`` also enabled, repositories residing at a deeper level than
1929 ``collapse`` also enabled, repositories residing at a deeper level than
1895 the current path are grouped behind navigable directory entries that
1930 the current path are grouped behind navigable directory entries that
1896 lead to the locations of these repositories. In effect, this setting
1931 lead to the locations of these repositories. In effect, this setting
1897 collapses each collection of repositories found within a subdirectory
1932 collapses each collection of repositories found within a subdirectory
1898 into a single entry for that subdirectory. (default: False)
1933 into a single entry for that subdirectory. (default: False)
1899
1934
1900 ``comparisoncontext``
1935 ``comparisoncontext``
1901 Number of lines of context to show in side-by-side file comparison. If
1936 Number of lines of context to show in side-by-side file comparison. If
1902 negative or the value ``full``, whole files are shown. (default: 5)
1937 negative or the value ``full``, whole files are shown. (default: 5)
1903
1938
1904 This setting can be overridden by a ``context`` request parameter to the
1939 This setting can be overridden by a ``context`` request parameter to the
1905 ``comparison`` command, taking the same values.
1940 ``comparison`` command, taking the same values.
1906
1941
1907 ``contact``
1942 ``contact``
1908 Name or email address of the person in charge of the repository.
1943 Name or email address of the person in charge of the repository.
1909 (default: ui.username or ``$EMAIL`` or "unknown" if unset or empty)
1944 (default: ui.username or ``$EMAIL`` or "unknown" if unset or empty)
1910
1945
1911 ``deny_push``
1946 ``deny_push``
1912 Whether to deny pushing to the repository. If empty or not set,
1947 Whether to deny pushing to the repository. If empty or not set,
1913 push is not denied. If the special value ``*``, all remote users are
1948 push is not denied. If the special value ``*``, all remote users are
1914 denied push. Otherwise, unauthenticated users are all denied, and
1949 denied push. Otherwise, unauthenticated users are all denied, and
1915 any authenticated user name present in this list is also denied. The
1950 any authenticated user name present in this list is also denied. The
1916 contents of the deny_push list are examined before the allow_push list.
1951 contents of the deny_push list are examined before the allow_push list.
1917
1952
1918 ``deny_read``
1953 ``deny_read``
1919 Whether to deny reading/viewing of the repository. If this list is
1954 Whether to deny reading/viewing of the repository. If this list is
1920 not empty, unauthenticated users are all denied, and any
1955 not empty, unauthenticated users are all denied, and any
1921 authenticated user name present in this list is also denied access to
1956 authenticated user name present in this list is also denied access to
1922 the repository. If set to the special value ``*``, all remote users
1957 the repository. If set to the special value ``*``, all remote users
1923 are denied access (rarely needed ;). If deny_read is empty or not set,
1958 are denied access (rarely needed ;). If deny_read is empty or not set,
1924 the determination of repository access depends on the presence and
1959 the determination of repository access depends on the presence and
1925 content of the allow_read list (see description). If both
1960 content of the allow_read list (see description). If both
1926 deny_read and allow_read are empty or not set, then access is
1961 deny_read and allow_read are empty or not set, then access is
1927 permitted to all users by default. If the repository is being
1962 permitted to all users by default. If the repository is being
1928 served via hgwebdir, denied users will not be able to see it in
1963 served via hgwebdir, denied users will not be able to see it in
1929 the list of repositories. The contents of the deny_read list have
1964 the list of repositories. The contents of the deny_read list have
1930 priority over (are examined before) the contents of the allow_read
1965 priority over (are examined before) the contents of the allow_read
1931 list.
1966 list.
1932
1967
1933 ``descend``
1968 ``descend``
1934 hgwebdir indexes will not descend into subdirectories. Only repositories
1969 hgwebdir indexes will not descend into subdirectories. Only repositories
1935 directly in the current path will be shown (other repositories are still
1970 directly in the current path will be shown (other repositories are still
1936 available from the index corresponding to their containing path).
1971 available from the index corresponding to their containing path).
1937
1972
1938 ``description``
1973 ``description``
1939 Textual description of the repository's purpose or contents.
1974 Textual description of the repository's purpose or contents.
1940 (default: "unknown")
1975 (default: "unknown")
1941
1976
1942 ``encoding``
1977 ``encoding``
1943 Character encoding name. (default: the current locale charset)
1978 Character encoding name. (default: the current locale charset)
1944 Example: "UTF-8".
1979 Example: "UTF-8".
1945
1980
1946 ``errorlog``
1981 ``errorlog``
1947 Where to output the error log. (default: stderr)
1982 Where to output the error log. (default: stderr)
1948
1983
1949 ``guessmime``
1984 ``guessmime``
1950 Control MIME types for raw download of file content.
1985 Control MIME types for raw download of file content.
1951 Set to True to let hgweb guess the content type from the file
1986 Set to True to let hgweb guess the content type from the file
1952 extension. This will serve HTML files as ``text/html`` and might
1987 extension. This will serve HTML files as ``text/html`` and might
1953 allow cross-site scripting attacks when serving untrusted
1988 allow cross-site scripting attacks when serving untrusted
1954 repositories. (default: False)
1989 repositories. (default: False)
1955
1990
1956 ``hidden``
1991 ``hidden``
1957 Whether to hide the repository in the hgwebdir index.
1992 Whether to hide the repository in the hgwebdir index.
1958 (default: False)
1993 (default: False)
1959
1994
1960 ``ipv6``
1995 ``ipv6``
1961 Whether to use IPv6. (default: False)
1996 Whether to use IPv6. (default: False)
1962
1997
1963 ``logoimg``
1998 ``logoimg``
1964 File name of the logo image that some templates display on each page.
1999 File name of the logo image that some templates display on each page.
1965 The file name is relative to ``staticurl``. That is, the full path to
2000 The file name is relative to ``staticurl``. That is, the full path to
1966 the logo image is "staticurl/logoimg".
2001 the logo image is "staticurl/logoimg".
1967 If unset, ``hglogo.png`` will be used.
2002 If unset, ``hglogo.png`` will be used.
1968
2003
1969 ``logourl``
2004 ``logourl``
1970 Base URL to use for logos. If unset, ``https://mercurial-scm.org/``
2005 Base URL to use for logos. If unset, ``https://mercurial-scm.org/``
1971 will be used.
2006 will be used.
1972
2007
1973 ``maxchanges``
2008 ``maxchanges``
1974 Maximum number of changes to list on the changelog. (default: 10)
2009 Maximum number of changes to list on the changelog. (default: 10)
1975
2010
1976 ``maxfiles``
2011 ``maxfiles``
1977 Maximum number of files to list per changeset. (default: 10)
2012 Maximum number of files to list per changeset. (default: 10)
1978
2013
1979 ``maxshortchanges``
2014 ``maxshortchanges``
1980 Maximum number of changes to list on the shortlog, graph or filelog
2015 Maximum number of changes to list on the shortlog, graph or filelog
1981 pages. (default: 60)
2016 pages. (default: 60)
1982
2017
1983 ``name``
2018 ``name``
1984 Repository name to use in the web interface.
2019 Repository name to use in the web interface.
1985 (default: current working directory)
2020 (default: current working directory)
1986
2021
1987 ``port``
2022 ``port``
1988 Port to listen on. (default: 8000)
2023 Port to listen on. (default: 8000)
1989
2024
1990 ``prefix``
2025 ``prefix``
1991 Prefix path to serve from. (default: '' (server root))
2026 Prefix path to serve from. (default: '' (server root))
1992
2027
1993 ``push_ssl``
2028 ``push_ssl``
1994 Whether to require that inbound pushes be transported over SSL to
2029 Whether to require that inbound pushes be transported over SSL to
1995 prevent password sniffing. (default: True)
2030 prevent password sniffing. (default: True)
1996
2031
1997 ``refreshinterval``
2032 ``refreshinterval``
1998 How frequently directory listings re-scan the filesystem for new
2033 How frequently directory listings re-scan the filesystem for new
1999 repositories, in seconds. This is relevant when wildcards are used
2034 repositories, in seconds. This is relevant when wildcards are used
2000 to define paths. Depending on how much filesystem traversal is
2035 to define paths. Depending on how much filesystem traversal is
2001 required, refreshing may negatively impact performance.
2036 required, refreshing may negatively impact performance.
2002
2037
2003 Values less than or equal to 0 always refresh.
2038 Values less than or equal to 0 always refresh.
2004 (default: 20)
2039 (default: 20)
2005
2040
2006 ``staticurl``
2041 ``staticurl``
2007 Base URL to use for static files. If unset, static files (e.g. the
2042 Base URL to use for static files. If unset, static files (e.g. the
2008 hgicon.png favicon) will be served by the CGI script itself. Use
2043 hgicon.png favicon) will be served by the CGI script itself. Use
2009 this setting to serve them directly with the HTTP server.
2044 this setting to serve them directly with the HTTP server.
2010 Example: ``http://hgserver/static/``.
2045 Example: ``http://hgserver/static/``.
2011
2046
2012 ``stripes``
2047 ``stripes``
2013 How many lines a "zebra stripe" should span in multi-line output.
2048 How many lines a "zebra stripe" should span in multi-line output.
2014 Set to 0 to disable. (default: 1)
2049 Set to 0 to disable. (default: 1)
2015
2050
2016 ``style``
2051 ``style``
2017 Which template map style to use. The available options are the names of
2052 Which template map style to use. The available options are the names of
2018 subdirectories in the HTML templates path. (default: ``paper``)
2053 subdirectories in the HTML templates path. (default: ``paper``)
2019 Example: ``monoblue``.
2054 Example: ``monoblue``.
2020
2055
2021 ``templates``
2056 ``templates``
2022 Where to find the HTML templates. The default path to the HTML templates
2057 Where to find the HTML templates. The default path to the HTML templates
2023 can be obtained from ``hg debuginstall``.
2058 can be obtained from ``hg debuginstall``.
2024
2059
2025 ``websub``
2060 ``websub``
2026 ----------
2061 ----------
2027
2062
2028 Web substitution filter definition. You can use this section to
2063 Web substitution filter definition. You can use this section to
2029 define a set of regular expression substitution patterns which
2064 define a set of regular expression substitution patterns which
2030 let you automatically modify the hgweb server output.
2065 let you automatically modify the hgweb server output.
2031
2066
2032 The default hgweb templates only apply these substitution patterns
2067 The default hgweb templates only apply these substitution patterns
2033 on the revision description fields. You can apply them anywhere
2068 on the revision description fields. You can apply them anywhere
2034 you want when you create your own templates by adding calls to the
2069 you want when you create your own templates by adding calls to the
2035 "websub" filter (usually after calling the "escape" filter).
2070 "websub" filter (usually after calling the "escape" filter).
2036
2071
2037 This can be used, for example, to convert issue references to links
2072 This can be used, for example, to convert issue references to links
2038 to your issue tracker, or to convert "markdown-like" syntax into
2073 to your issue tracker, or to convert "markdown-like" syntax into
2039 HTML (see the examples below).
2074 HTML (see the examples below).
2040
2075
2041 Each entry in this section names a substitution filter.
2076 Each entry in this section names a substitution filter.
2042 The value of each entry defines the substitution expression itself.
2077 The value of each entry defines the substitution expression itself.
2043 The websub expressions follow the old interhg extension syntax,
2078 The websub expressions follow the old interhg extension syntax,
2044 which in turn imitates the Unix sed replacement syntax::
2079 which in turn imitates the Unix sed replacement syntax::
2045
2080
2046 patternname = s/SEARCH_REGEX/REPLACE_EXPRESSION/[i]
2081 patternname = s/SEARCH_REGEX/REPLACE_EXPRESSION/[i]
2047
2082
2048 You can use any separator other than "/". The final "i" is optional
2083 You can use any separator other than "/". The final "i" is optional
2049 and indicates that the search must be case insensitive.
2084 and indicates that the search must be case insensitive.
2050
2085
2051 Examples::
2086 Examples::
2052
2087
2053 [websub]
2088 [websub]
2054 issues = s|issue(\d+)|<a href="http://bts.example.org/issue\1">issue\1</a>|i
2089 issues = s|issue(\d+)|<a href="http://bts.example.org/issue\1">issue\1</a>|i
2055 italic = s/\b_(\S+)_\b/<i>\1<\/i>/
2090 italic = s/\b_(\S+)_\b/<i>\1<\/i>/
2056 bold = s/\*\b(\S+)\b\*/<b>\1<\/b>/
2091 bold = s/\*\b(\S+)\b\*/<b>\1<\/b>/
2057
2092
2058 ``worker``
2093 ``worker``
2059 ----------
2094 ----------
2060
2095
2061 Parallel master/worker configuration. We currently perform working
2096 Parallel master/worker configuration. We currently perform working
2062 directory updates in parallel on Unix-like systems, which greatly
2097 directory updates in parallel on Unix-like systems, which greatly
2063 helps performance.
2098 helps performance.
2064
2099
2065 ``numcpus``
2100 ``numcpus``
2066 Number of CPUs to use for parallel operations. A zero or
2101 Number of CPUs to use for parallel operations. A zero or
2067 negative value is treated as ``use the default``.
2102 negative value is treated as ``use the default``.
2068 (default: 4 or the number of CPUs on the system, whichever is larger)
2103 (default: 4 or the number of CPUs on the system, whichever is larger)
2069
2104
2070 ``backgroundclose``
2105 ``backgroundclose``
2071 Whether to enable closing file handles on background threads during certain
2106 Whether to enable closing file handles on background threads during certain
2072 operations. Some platforms aren't very efficient at closing file
2107 operations. Some platforms aren't very efficient at closing file
2073 handles that have been written or appended to. By performing file closing
2108 handles that have been written or appended to. By performing file closing
2074 on background threads, file write rate can increase substantially.
2109 on background threads, file write rate can increase substantially.
2075 (default: true on Windows, false elsewhere)
2110 (default: true on Windows, false elsewhere)
2076
2111
2077 ``backgroundcloseminfilecount``
2112 ``backgroundcloseminfilecount``
2078 Minimum number of files required to trigger background file closing.
2113 Minimum number of files required to trigger background file closing.
2079 Operations not writing this many files won't start background close
2114 Operations not writing this many files won't start background close
2080 threads.
2115 threads.
2081 (default: 2048)
2116 (default: 2048)
2082
2117
2083 ``backgroundclosemaxqueue``
2118 ``backgroundclosemaxqueue``
2084 The maximum number of opened file handles waiting to be closed in the
2119 The maximum number of opened file handles waiting to be closed in the
2085 background. This option only has an effect if ``backgroundclose`` is
2120 background. This option only has an effect if ``backgroundclose`` is
2086 enabled.
2121 enabled.
2087 (default: 384)
2122 (default: 384)
2088
2123
2089 ``backgroundclosethreadcount``
2124 ``backgroundclosethreadcount``
2090 Number of threads to process background file closes. Only relevant if
2125 Number of threads to process background file closes. Only relevant if
2091 ``backgroundclose`` is enabled.
2126 ``backgroundclose`` is enabled.
2092 (default: 4)
2127 (default: 4)
@@ -1,384 +1,399
1 # sslutil.py - SSL handling for mercurial
1 # sslutil.py - SSL handling for mercurial
2 #
2 #
3 # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
3 # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
4 # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
4 # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
5 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
5 # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
6 #
6 #
7 # This software may be used and distributed according to the terms of the
7 # This software may be used and distributed according to the terms of the
8 # GNU General Public License version 2 or any later version.
8 # GNU General Public License version 2 or any later version.
9
9
10 from __future__ import absolute_import
10 from __future__ import absolute_import
11
11
12 import os
12 import os
13 import ssl
13 import ssl
14 import sys
14 import sys
15
15
16 from .i18n import _
16 from .i18n import _
17 from . import (
17 from . import (
18 error,
18 error,
19 util,
19 util,
20 )
20 )
21
21
22 # Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added
22 # Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added
23 # support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
23 # support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
24 # all exposed via the "ssl" module.
24 # all exposed via the "ssl" module.
25 #
25 #
26 # Depending on the version of Python being used, SSL/TLS support is either
26 # Depending on the version of Python being used, SSL/TLS support is either
27 # modern/secure or legacy/insecure. Many operations in this module have
27 # modern/secure or legacy/insecure. Many operations in this module have
28 # separate code paths depending on support in Python.
28 # separate code paths depending on support in Python.
29
29
30 hassni = getattr(ssl, 'HAS_SNI', False)
30 hassni = getattr(ssl, 'HAS_SNI', False)
31
31
32 try:
32 try:
33 OP_NO_SSLv2 = ssl.OP_NO_SSLv2
33 OP_NO_SSLv2 = ssl.OP_NO_SSLv2
34 OP_NO_SSLv3 = ssl.OP_NO_SSLv3
34 OP_NO_SSLv3 = ssl.OP_NO_SSLv3
35 except AttributeError:
35 except AttributeError:
36 OP_NO_SSLv2 = 0x1000000
36 OP_NO_SSLv2 = 0x1000000
37 OP_NO_SSLv3 = 0x2000000
37 OP_NO_SSLv3 = 0x2000000
38
38
39 try:
39 try:
40 # ssl.SSLContext was added in 2.7.9 and presence indicates modern
40 # ssl.SSLContext was added in 2.7.9 and presence indicates modern
41 # SSL/TLS features are available.
41 # SSL/TLS features are available.
42 SSLContext = ssl.SSLContext
42 SSLContext = ssl.SSLContext
43 modernssl = True
43 modernssl = True
44 _canloaddefaultcerts = util.safehasattr(SSLContext, 'load_default_certs')
44 _canloaddefaultcerts = util.safehasattr(SSLContext, 'load_default_certs')
45 except AttributeError:
45 except AttributeError:
46 modernssl = False
46 modernssl = False
47 _canloaddefaultcerts = False
47 _canloaddefaultcerts = False
48
48
49 # We implement SSLContext using the interface from the standard library.
49 # We implement SSLContext using the interface from the standard library.
50 class SSLContext(object):
50 class SSLContext(object):
51 # ssl.wrap_socket gained the "ciphers" named argument in 2.7.
51 # ssl.wrap_socket gained the "ciphers" named argument in 2.7.
52 _supportsciphers = sys.version_info >= (2, 7)
52 _supportsciphers = sys.version_info >= (2, 7)
53
53
54 def __init__(self, protocol):
54 def __init__(self, protocol):
55 # From the public interface of SSLContext
55 # From the public interface of SSLContext
56 self.protocol = protocol
56 self.protocol = protocol
57 self.check_hostname = False
57 self.check_hostname = False
58 self.options = 0
58 self.options = 0
59 self.verify_mode = ssl.CERT_NONE
59 self.verify_mode = ssl.CERT_NONE
60
60
61 # Used by our implementation.
61 # Used by our implementation.
62 self._certfile = None
62 self._certfile = None
63 self._keyfile = None
63 self._keyfile = None
64 self._certpassword = None
64 self._certpassword = None
65 self._cacerts = None
65 self._cacerts = None
66 self._ciphers = None
66 self._ciphers = None
67
67
68 def load_cert_chain(self, certfile, keyfile=None, password=None):
68 def load_cert_chain(self, certfile, keyfile=None, password=None):
69 self._certfile = certfile
69 self._certfile = certfile
70 self._keyfile = keyfile
70 self._keyfile = keyfile
71 self._certpassword = password
71 self._certpassword = password
72
72
73 def load_default_certs(self, purpose=None):
73 def load_default_certs(self, purpose=None):
74 pass
74 pass
75
75
76 def load_verify_locations(self, cafile=None, capath=None, cadata=None):
76 def load_verify_locations(self, cafile=None, capath=None, cadata=None):
77 if capath:
77 if capath:
78 raise error.Abort('capath not supported')
78 raise error.Abort('capath not supported')
79 if cadata:
79 if cadata:
80 raise error.Abort('cadata not supported')
80 raise error.Abort('cadata not supported')
81
81
82 self._cacerts = cafile
82 self._cacerts = cafile
83
83
84 def set_ciphers(self, ciphers):
84 def set_ciphers(self, ciphers):
85 if not self._supportsciphers:
85 if not self._supportsciphers:
86 raise error.Abort('setting ciphers not supported')
86 raise error.Abort('setting ciphers not supported')
87
87
88 self._ciphers = ciphers
88 self._ciphers = ciphers
89
89
90 def wrap_socket(self, socket, server_hostname=None, server_side=False):
90 def wrap_socket(self, socket, server_hostname=None, server_side=False):
91 # server_hostname is unique to SSLContext.wrap_socket and is used
91 # server_hostname is unique to SSLContext.wrap_socket and is used
92 # for SNI in that context. So there's nothing for us to do with it
92 # for SNI in that context. So there's nothing for us to do with it
93 # in this legacy code since we don't support SNI.
93 # in this legacy code since we don't support SNI.
94
94
95 args = {
95 args = {
96 'keyfile': self._keyfile,
96 'keyfile': self._keyfile,
97 'certfile': self._certfile,
97 'certfile': self._certfile,
98 'server_side': server_side,
98 'server_side': server_side,
99 'cert_reqs': self.verify_mode,
99 'cert_reqs': self.verify_mode,
100 'ssl_version': self.protocol,
100 'ssl_version': self.protocol,
101 'ca_certs': self._cacerts,
101 'ca_certs': self._cacerts,
102 }
102 }
103
103
104 if self._supportsciphers:
104 if self._supportsciphers:
105 args['ciphers'] = self._ciphers
105 args['ciphers'] = self._ciphers
106
106
107 return ssl.wrap_socket(socket, **args)
107 return ssl.wrap_socket(socket, **args)
108
108
109 def _hostsettings(ui, hostname):
109 def _hostsettings(ui, hostname):
110 """Obtain security settings for a hostname.
110 """Obtain security settings for a hostname.
111
111
112 Returns a dict of settings relevant to that hostname.
112 Returns a dict of settings relevant to that hostname.
113 """
113 """
114 s = {
114 s = {
115 # List of 2-tuple of (hash algorithm, hash).
115 # List of 2-tuple of (hash algorithm, hash).
116 'certfingerprints': [],
116 'certfingerprints': [],
117 # Path to file containing concatenated CA certs. Used by
117 # Path to file containing concatenated CA certs. Used by
118 # SSLContext.load_verify_locations().
118 # SSLContext.load_verify_locations().
119 'cafile': None,
119 'cafile': None,
120 # ssl.CERT_* constant used by SSLContext.verify_mode.
120 # ssl.CERT_* constant used by SSLContext.verify_mode.
121 'verifymode': None,
121 'verifymode': None,
122 }
122 }
123
123
124 # Look for fingerprints in [hostsecurity] section. Value is a list
125 # of <alg>:<fingerprint> strings.
126 fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
127 [])
128 for fingerprint in fingerprints:
129 if not (fingerprint.startswith(('sha1:', 'sha256:', 'sha512:'))):
130 raise error.Abort(_('invalid fingerprint for %s: %s') % (
131 hostname, fingerprint),
132 hint=_('must begin with "sha1:", "sha256:", '
133 'or "sha512:"'))
134
135 alg, fingerprint = fingerprint.split(':', 1)
136 fingerprint = fingerprint.replace(':', '').lower()
137 s['certfingerprints'].append((alg, fingerprint))
138
124 # Fingerprints from [hostfingerprints] are always SHA-1.
139 # Fingerprints from [hostfingerprints] are always SHA-1.
125 for fingerprint in ui.configlist('hostfingerprints', hostname, []):
140 for fingerprint in ui.configlist('hostfingerprints', hostname, []):
126 fingerprint = fingerprint.replace(':', '').lower()
141 fingerprint = fingerprint.replace(':', '').lower()
127 s['certfingerprints'].append(('sha1', fingerprint))
142 s['certfingerprints'].append(('sha1', fingerprint))
128
143
129 # If a host cert fingerprint is defined, it is the only thing that
144 # If a host cert fingerprint is defined, it is the only thing that
130 # matters. No need to validate CA certs.
145 # matters. No need to validate CA certs.
131 if s['certfingerprints']:
146 if s['certfingerprints']:
132 s['verifymode'] = ssl.CERT_NONE
147 s['verifymode'] = ssl.CERT_NONE
133
148
134 # If --insecure is used, don't take CAs into consideration.
149 # If --insecure is used, don't take CAs into consideration.
135 elif ui.insecureconnections:
150 elif ui.insecureconnections:
136 s['verifymode'] = ssl.CERT_NONE
151 s['verifymode'] = ssl.CERT_NONE
137
152
138 # Try to hook up CA certificate validation unless something above
153 # Try to hook up CA certificate validation unless something above
139 # makes it not necessary.
154 # makes it not necessary.
140 if s['verifymode'] is None:
155 if s['verifymode'] is None:
141 # Find global certificates file in config.
156 # Find global certificates file in config.
142 cafile = ui.config('web', 'cacerts')
157 cafile = ui.config('web', 'cacerts')
143
158
144 if cafile:
159 if cafile:
145 cafile = util.expandpath(cafile)
160 cafile = util.expandpath(cafile)
146 if not os.path.exists(cafile):
161 if not os.path.exists(cafile):
147 raise error.Abort(_('could not find web.cacerts: %s') % cafile)
162 raise error.Abort(_('could not find web.cacerts: %s') % cafile)
148 else:
163 else:
149 # No global CA certs. See if we can load defaults.
164 # No global CA certs. See if we can load defaults.
150 cafile = _defaultcacerts()
165 cafile = _defaultcacerts()
151 if cafile:
166 if cafile:
152 ui.debug('using %s to enable OS X system CA\n' % cafile)
167 ui.debug('using %s to enable OS X system CA\n' % cafile)
153
168
154 s['cafile'] = cafile
169 s['cafile'] = cafile
155
170
156 # Require certificate validation if CA certs are being loaded and
171 # Require certificate validation if CA certs are being loaded and
157 # verification hasn't been disabled above.
172 # verification hasn't been disabled above.
158 if cafile or _canloaddefaultcerts:
173 if cafile or _canloaddefaultcerts:
159 s['verifymode'] = ssl.CERT_REQUIRED
174 s['verifymode'] = ssl.CERT_REQUIRED
160 else:
175 else:
161 # At this point we don't have a fingerprint, aren't being
176 # At this point we don't have a fingerprint, aren't being
162 # explicitly insecure, and can't load CA certs. Connecting
177 # explicitly insecure, and can't load CA certs. Connecting
163 # at this point is insecure. But we do it for BC reasons.
178 # at this point is insecure. But we do it for BC reasons.
164 # TODO abort here to make secure by default.
179 # TODO abort here to make secure by default.
165 s['verifymode'] = ssl.CERT_NONE
180 s['verifymode'] = ssl.CERT_NONE
166
181
167 assert s['verifymode'] is not None
182 assert s['verifymode'] is not None
168
183
169 return s
184 return s
170
185
171 def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None):
186 def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None):
172 """Add SSL/TLS to a socket.
187 """Add SSL/TLS to a socket.
173
188
174 This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
189 This is a glorified wrapper for ``ssl.wrap_socket()``. It makes sane
175 choices based on what security options are available.
190 choices based on what security options are available.
176
191
177 In addition to the arguments supported by ``ssl.wrap_socket``, we allow
192 In addition to the arguments supported by ``ssl.wrap_socket``, we allow
178 the following additional arguments:
193 the following additional arguments:
179
194
180 * serverhostname - The expected hostname of the remote server. If the
195 * serverhostname - The expected hostname of the remote server. If the
181 server (and client) support SNI, this tells the server which certificate
196 server (and client) support SNI, this tells the server which certificate
182 to use.
197 to use.
183 """
198 """
184 if not serverhostname:
199 if not serverhostname:
185 raise error.Abort('serverhostname argument is required')
200 raise error.Abort('serverhostname argument is required')
186
201
187 settings = _hostsettings(ui, serverhostname)
202 settings = _hostsettings(ui, serverhostname)
188
203
189 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
204 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol
190 # that both ends support, including TLS protocols. On legacy stacks,
205 # that both ends support, including TLS protocols. On legacy stacks,
191 # the highest it likely goes in TLS 1.0. On modern stacks, it can
206 # the highest it likely goes in TLS 1.0. On modern stacks, it can
192 # support TLS 1.2.
207 # support TLS 1.2.
193 #
208 #
194 # The PROTOCOL_TLSv* constants select a specific TLS version
209 # The PROTOCOL_TLSv* constants select a specific TLS version
195 # only (as opposed to multiple versions). So the method for
210 # only (as opposed to multiple versions). So the method for
196 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
211 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and
197 # disable protocols via SSLContext.options and OP_NO_* constants.
212 # disable protocols via SSLContext.options and OP_NO_* constants.
198 # However, SSLContext.options doesn't work unless we have the
213 # However, SSLContext.options doesn't work unless we have the
199 # full/real SSLContext available to us.
214 # full/real SSLContext available to us.
200 #
215 #
201 # SSLv2 and SSLv3 are broken. We ban them outright.
216 # SSLv2 and SSLv3 are broken. We ban them outright.
202 if modernssl:
217 if modernssl:
203 protocol = ssl.PROTOCOL_SSLv23
218 protocol = ssl.PROTOCOL_SSLv23
204 else:
219 else:
205 protocol = ssl.PROTOCOL_TLSv1
220 protocol = ssl.PROTOCOL_TLSv1
206
221
207 # TODO use ssl.create_default_context() on modernssl.
222 # TODO use ssl.create_default_context() on modernssl.
208 sslcontext = SSLContext(protocol)
223 sslcontext = SSLContext(protocol)
209
224
210 # This is a no-op on old Python.
225 # This is a no-op on old Python.
211 sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
226 sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
212
227
213 # This still works on our fake SSLContext.
228 # This still works on our fake SSLContext.
214 sslcontext.verify_mode = settings['verifymode']
229 sslcontext.verify_mode = settings['verifymode']
215
230
216 if certfile is not None:
231 if certfile is not None:
217 def password():
232 def password():
218 f = keyfile or certfile
233 f = keyfile or certfile
219 return ui.getpass(_('passphrase for %s: ') % f, '')
234 return ui.getpass(_('passphrase for %s: ') % f, '')
220 sslcontext.load_cert_chain(certfile, keyfile, password)
235 sslcontext.load_cert_chain(certfile, keyfile, password)
221
236
222 if settings['cafile'] is not None:
237 if settings['cafile'] is not None:
223 sslcontext.load_verify_locations(cafile=settings['cafile'])
238 sslcontext.load_verify_locations(cafile=settings['cafile'])
224 caloaded = True
239 caloaded = True
225 else:
240 else:
226 # This is a no-op on old Python.
241 # This is a no-op on old Python.
227 sslcontext.load_default_certs()
242 sslcontext.load_default_certs()
228 caloaded = _canloaddefaultcerts
243 caloaded = _canloaddefaultcerts
229
244
230 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
245 sslsocket = sslcontext.wrap_socket(sock, server_hostname=serverhostname)
231 # check if wrap_socket failed silently because socket had been
246 # check if wrap_socket failed silently because socket had been
232 # closed
247 # closed
233 # - see http://bugs.python.org/issue13721
248 # - see http://bugs.python.org/issue13721
234 if not sslsocket.cipher():
249 if not sslsocket.cipher():
235 raise error.Abort(_('ssl connection failed'))
250 raise error.Abort(_('ssl connection failed'))
236
251
237 sslsocket._hgstate = {
252 sslsocket._hgstate = {
238 'caloaded': caloaded,
253 'caloaded': caloaded,
239 'hostname': serverhostname,
254 'hostname': serverhostname,
240 'settings': settings,
255 'settings': settings,
241 'ui': ui,
256 'ui': ui,
242 }
257 }
243
258
244 return sslsocket
259 return sslsocket
245
260
246 def _verifycert(cert, hostname):
261 def _verifycert(cert, hostname):
247 '''Verify that cert (in socket.getpeercert() format) matches hostname.
262 '''Verify that cert (in socket.getpeercert() format) matches hostname.
248 CRLs is not handled.
263 CRLs is not handled.
249
264
250 Returns error message if any problems are found and None on success.
265 Returns error message if any problems are found and None on success.
251 '''
266 '''
252 if not cert:
267 if not cert:
253 return _('no certificate received')
268 return _('no certificate received')
254 dnsname = hostname.lower()
269 dnsname = hostname.lower()
255 def matchdnsname(certname):
270 def matchdnsname(certname):
256 return (certname == dnsname or
271 return (certname == dnsname or
257 '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
272 '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
258
273
259 san = cert.get('subjectAltName', [])
274 san = cert.get('subjectAltName', [])
260 if san:
275 if san:
261 certnames = [value.lower() for key, value in san if key == 'DNS']
276 certnames = [value.lower() for key, value in san if key == 'DNS']
262 for name in certnames:
277 for name in certnames:
263 if matchdnsname(name):
278 if matchdnsname(name):
264 return None
279 return None
265 if certnames:
280 if certnames:
266 return _('certificate is for %s') % ', '.join(certnames)
281 return _('certificate is for %s') % ', '.join(certnames)
267
282
268 # subject is only checked when subjectAltName is empty
283 # subject is only checked when subjectAltName is empty
269 for s in cert.get('subject', []):
284 for s in cert.get('subject', []):
270 key, value = s[0]
285 key, value = s[0]
271 if key == 'commonName':
286 if key == 'commonName':
272 try:
287 try:
273 # 'subject' entries are unicode
288 # 'subject' entries are unicode
274 certname = value.lower().encode('ascii')
289 certname = value.lower().encode('ascii')
275 except UnicodeEncodeError:
290 except UnicodeEncodeError:
276 return _('IDN in certificate not supported')
291 return _('IDN in certificate not supported')
277 if matchdnsname(certname):
292 if matchdnsname(certname):
278 return None
293 return None
279 return _('certificate is for %s') % certname
294 return _('certificate is for %s') % certname
280 return _('no commonName or subjectAltName found in certificate')
295 return _('no commonName or subjectAltName found in certificate')
281
296
282
297
283 # CERT_REQUIRED means fetch the cert from the server all the time AND
298 # CERT_REQUIRED means fetch the cert from the server all the time AND
284 # validate it against the CA store provided in web.cacerts.
299 # validate it against the CA store provided in web.cacerts.
285
300
286 def _plainapplepython():
301 def _plainapplepython():
287 """return true if this seems to be a pure Apple Python that
302 """return true if this seems to be a pure Apple Python that
288 * is unfrozen and presumably has the whole mercurial module in the file
303 * is unfrozen and presumably has the whole mercurial module in the file
289 system
304 system
290 * presumably is an Apple Python that uses Apple OpenSSL which has patches
305 * presumably is an Apple Python that uses Apple OpenSSL which has patches
291 for using system certificate store CAs in addition to the provided
306 for using system certificate store CAs in addition to the provided
292 cacerts file
307 cacerts file
293 """
308 """
294 if sys.platform != 'darwin' or util.mainfrozen() or not sys.executable:
309 if sys.platform != 'darwin' or util.mainfrozen() or not sys.executable:
295 return False
310 return False
296 exe = os.path.realpath(sys.executable).lower()
311 exe = os.path.realpath(sys.executable).lower()
297 return (exe.startswith('/usr/bin/python') or
312 return (exe.startswith('/usr/bin/python') or
298 exe.startswith('/system/library/frameworks/python.framework/'))
313 exe.startswith('/system/library/frameworks/python.framework/'))
299
314
300 def _defaultcacerts():
315 def _defaultcacerts():
301 """return path to default CA certificates or None."""
316 """return path to default CA certificates or None."""
302 if _plainapplepython():
317 if _plainapplepython():
303 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
318 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
304 if os.path.exists(dummycert):
319 if os.path.exists(dummycert):
305 return dummycert
320 return dummycert
306
321
307 return None
322 return None
308
323
309 def validatesocket(sock, strict=False):
324 def validatesocket(sock, strict=False):
310 """Validate a socket meets security requiremnets.
325 """Validate a socket meets security requiremnets.
311
326
312 The passed socket must have been created with ``wrapsocket()``.
327 The passed socket must have been created with ``wrapsocket()``.
313 """
328 """
314 host = sock._hgstate['hostname']
329 host = sock._hgstate['hostname']
315 ui = sock._hgstate['ui']
330 ui = sock._hgstate['ui']
316 settings = sock._hgstate['settings']
331 settings = sock._hgstate['settings']
317
332
318 try:
333 try:
319 peercert = sock.getpeercert(True)
334 peercert = sock.getpeercert(True)
320 peercert2 = sock.getpeercert()
335 peercert2 = sock.getpeercert()
321 except AttributeError:
336 except AttributeError:
322 raise error.Abort(_('%s ssl connection error') % host)
337 raise error.Abort(_('%s ssl connection error') % host)
323
338
324 if not peercert:
339 if not peercert:
325 raise error.Abort(_('%s certificate error: '
340 raise error.Abort(_('%s certificate error: '
326 'no certificate received') % host)
341 'no certificate received') % host)
327
342
328 # If a certificate fingerprint is pinned, use it and only it to
343 # If a certificate fingerprint is pinned, use it and only it to
329 # validate the remote cert.
344 # validate the remote cert.
330 peerfingerprints = {
345 peerfingerprints = {
331 'sha1': util.sha1(peercert).hexdigest(),
346 'sha1': util.sha1(peercert).hexdigest(),
332 'sha256': util.sha256(peercert).hexdigest(),
347 'sha256': util.sha256(peercert).hexdigest(),
333 'sha512': util.sha512(peercert).hexdigest(),
348 'sha512': util.sha512(peercert).hexdigest(),
334 }
349 }
335 nicefingerprint = ':'.join([peerfingerprints['sha1'][x:x + 2]
350 nicefingerprint = ':'.join([peerfingerprints['sha1'][x:x + 2]
336 for x in range(0, len(peerfingerprints['sha1']), 2)])
351 for x in range(0, len(peerfingerprints['sha1']), 2)])
337
352
338 if settings['certfingerprints']:
353 if settings['certfingerprints']:
339 fingerprintmatch = False
354 fingerprintmatch = False
340 for hash, fingerprint in settings['certfingerprints']:
355 for hash, fingerprint in settings['certfingerprints']:
341 if peerfingerprints[hash].lower() == fingerprint:
356 if peerfingerprints[hash].lower() == fingerprint:
342 fingerprintmatch = True
357 fingerprintmatch = True
343 break
358 break
344 if not fingerprintmatch:
359 if not fingerprintmatch:
345 raise error.Abort(_('certificate for %s has unexpected '
360 raise error.Abort(_('certificate for %s has unexpected '
346 'fingerprint %s') % (host, nicefingerprint),
361 'fingerprint %s') % (host, nicefingerprint),
347 hint=_('check hostfingerprint configuration'))
362 hint=_('check hostfingerprint configuration'))
348 ui.debug('%s certificate matched fingerprint %s\n' %
363 ui.debug('%s certificate matched fingerprint %s\n' %
349 (host, nicefingerprint))
364 (host, nicefingerprint))
350 return
365 return
351
366
352 # If insecure connections were explicitly requested via --insecure,
367 # If insecure connections were explicitly requested via --insecure,
353 # print a warning and do no verification.
368 # print a warning and do no verification.
354 #
369 #
355 # It may seem odd that this is checked *after* host fingerprint pinning.
370 # It may seem odd that this is checked *after* host fingerprint pinning.
356 # This is for backwards compatibility (for now). The message is also
371 # This is for backwards compatibility (for now). The message is also
357 # the same as below for BC.
372 # the same as below for BC.
358 if ui.insecureconnections:
373 if ui.insecureconnections:
359 ui.warn(_('warning: %s certificate with fingerprint %s not '
374 ui.warn(_('warning: %s certificate with fingerprint %s not '
360 'verified (check hostfingerprints or web.cacerts '
375 'verified (check hostfingerprints or web.cacerts '
361 'config setting)\n') %
376 'config setting)\n') %
362 (host, nicefingerprint))
377 (host, nicefingerprint))
363 return
378 return
364
379
365 if not sock._hgstate['caloaded']:
380 if not sock._hgstate['caloaded']:
366 if strict:
381 if strict:
367 raise error.Abort(_('%s certificate with fingerprint %s not '
382 raise error.Abort(_('%s certificate with fingerprint %s not '
368 'verified') % (host, nicefingerprint),
383 'verified') % (host, nicefingerprint),
369 hint=_('check hostfingerprints or '
384 hint=_('check hostfingerprints or '
370 'web.cacerts config setting'))
385 'web.cacerts config setting'))
371 else:
386 else:
372 ui.warn(_('warning: %s certificate with fingerprint %s '
387 ui.warn(_('warning: %s certificate with fingerprint %s '
373 'not verified (check hostfingerprints or '
388 'not verified (check hostfingerprints or '
374 'web.cacerts config setting)\n') %
389 'web.cacerts config setting)\n') %
375 (host, nicefingerprint))
390 (host, nicefingerprint))
376
391
377 return
392 return
378
393
379 msg = _verifycert(peercert2, host)
394 msg = _verifycert(peercert2, host)
380 if msg:
395 if msg:
381 raise error.Abort(_('%s certificate error: %s') % (host, msg),
396 raise error.Abort(_('%s certificate error: %s') % (host, msg),
382 hint=_('configure hostfingerprint %s or use '
397 hint=_('configure hostfingerprint %s or use '
383 '--insecure to connect insecurely') %
398 '--insecure to connect insecurely') %
384 nicefingerprint)
399 nicefingerprint)
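Review bot: The new [hostsecurity] loop (new lines 124-138 of sslutil.py) validates only the algorithm prefix, never the digest that follows it. After `alg, fingerprint = fingerprint.split(':', 1)` an empty, truncated or non-hex value is appended to `certfingerprints` as-is. It fails closed, but only later in validatesocket() with "has unexpected fingerprint", which points the user at the server rather than at the typo in their config. Suggest rejecting, with the same error.Abort and hint, any value that is not 40, 64 or 128 hex characters for sha1, sha256 and sha512 respectively. Two smaller points in the unchanged context: [hostfingerprints] entries are still merged into the same list and validatesocket() accepts a match on any entry, so a leftover SHA-1 pin keeps satisfying the check after a sha256 pin is added for the same host; and the abort hint still reads 'check hostfingerprint configuration' while `nicefingerprint` is always the SHA-1 digest, which a user cannot compare against a sha256 or sha512 pin. Mention [hostsecurity] in the hint and report the digest for the configured algorithm, or document both behaviours.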
@@ -1,414 +1,432
1 #require serve ssl
1 #require serve ssl
2
2
3 Proper https client requires the built-in ssl from Python 2.6.
3 Proper https client requires the built-in ssl from Python 2.6.
4
4
5 Certificates created with:
5 Certificates created with:
6 printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
6 printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
7 openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
7 openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
8 Can be dumped with:
8 Can be dumped with:
9 openssl x509 -in pub.pem -text
9 openssl x509 -in pub.pem -text
10
10
11 $ cat << EOT > priv.pem
11 $ cat << EOT > priv.pem
12 > -----BEGIN PRIVATE KEY-----
12 > -----BEGIN PRIVATE KEY-----
13 > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
13 > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
14 > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
14 > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
15 > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
15 > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
16 > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
16 > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
17 > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
17 > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
18 > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
18 > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
19 > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
19 > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
20 > HY8gUVkVRVs=
20 > HY8gUVkVRVs=
21 > -----END PRIVATE KEY-----
21 > -----END PRIVATE KEY-----
22 > EOT
22 > EOT
23
23
24 $ cat << EOT > pub.pem
24 $ cat << EOT > pub.pem
25 > -----BEGIN CERTIFICATE-----
25 > -----BEGIN CERTIFICATE-----
26 > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
26 > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
27 > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
27 > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
28 > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
28 > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
29 > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
29 > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
30 > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
30 > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
31 > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
31 > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
32 > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
32 > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
33 > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
33 > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
34 > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
34 > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
35 > -----END CERTIFICATE-----
35 > -----END CERTIFICATE-----
36 > EOT
36 > EOT
37 $ cat priv.pem pub.pem >> server.pem
37 $ cat priv.pem pub.pem >> server.pem
38 $ PRIV=`pwd`/server.pem
38 $ PRIV=`pwd`/server.pem
39
39
40 $ cat << EOT > pub-other.pem
40 $ cat << EOT > pub-other.pem
41 > -----BEGIN CERTIFICATE-----
41 > -----BEGIN CERTIFICATE-----
42 > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
42 > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
43 > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
43 > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
44 > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
44 > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
45 > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
45 > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
46 > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
46 > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
47 > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
47 > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
48 > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
48 > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
49 > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
49 > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
50 > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
50 > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
51 > -----END CERTIFICATE-----
51 > -----END CERTIFICATE-----
52 > EOT
52 > EOT
53
53
54 pub.pem patched with other notBefore / notAfter:
54 pub.pem patched with other notBefore / notAfter:
55
55
56 $ cat << EOT > pub-not-yet.pem
56 $ cat << EOT > pub-not-yet.pem
57 > -----BEGIN CERTIFICATE-----
57 > -----BEGIN CERTIFICATE-----
58 > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
58 > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
59 > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
59 > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
60 > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
60 > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
61 > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
61 > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
62 > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
62 > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
63 > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
63 > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
64 > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
64 > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
65 > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
65 > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
66 > -----END CERTIFICATE-----
66 > -----END CERTIFICATE-----
67 > EOT
67 > EOT
68 $ cat priv.pem pub-not-yet.pem > server-not-yet.pem
68 $ cat priv.pem pub-not-yet.pem > server-not-yet.pem
69
69
70 $ cat << EOT > pub-expired.pem
70 $ cat << EOT > pub-expired.pem
71 > -----BEGIN CERTIFICATE-----
71 > -----BEGIN CERTIFICATE-----
72 > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
72 > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
73 > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
73 > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
74 > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
74 > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
75 > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
75 > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
76 > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
76 > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
77 > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
77 > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
78 > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
78 > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
79 > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
79 > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
80 > -----END CERTIFICATE-----
80 > -----END CERTIFICATE-----
81 > EOT
81 > EOT
82 $ cat priv.pem pub-expired.pem > server-expired.pem
82 $ cat priv.pem pub-expired.pem > server-expired.pem
83
83
84 Client certificates created with:
84 Client certificates created with:
85 openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 512
85 openssl genrsa -aes128 -passout pass:1234 -out client-key.pem 512
86 openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
86 openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem
87 printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
87 printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
88 openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
88 openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
89 openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
89 openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
90 -set_serial 01 -out client-cert.pem
90 -set_serial 01 -out client-cert.pem
91
91
92 $ cat << EOT > client-key.pem
92 $ cat << EOT > client-key.pem
93 > -----BEGIN RSA PRIVATE KEY-----
93 > -----BEGIN RSA PRIVATE KEY-----
94 > Proc-Type: 4,ENCRYPTED
94 > Proc-Type: 4,ENCRYPTED
95 > DEK-Info: AES-128-CBC,C8B8F103A61A336FB0716D1C0F8BB2E8
95 > DEK-Info: AES-128-CBC,C8B8F103A61A336FB0716D1C0F8BB2E8
96 >
96 >
97 > JolMlCFjEW3q3JJjO9z99NJWeJbFgF5DpUOkfSCxH56hxxtZb9x++rBvBZkxX1bF
97 > JolMlCFjEW3q3JJjO9z99NJWeJbFgF5DpUOkfSCxH56hxxtZb9x++rBvBZkxX1bF
98 > BAIe+iI90+jdCLwxbILWuFcrJUaLC5WmO14XDKYVmr2eW9e4MiCYOlO0Q6a9rDFS
98 > BAIe+iI90+jdCLwxbILWuFcrJUaLC5WmO14XDKYVmr2eW9e4MiCYOlO0Q6a9rDFS
99 > jctRCfvubOXFHbBGLH8uKEMpXEkP7Lc60FiIukqjuQEivJjrQirVtZCGwyk3qUi7
99 > jctRCfvubOXFHbBGLH8uKEMpXEkP7Lc60FiIukqjuQEivJjrQirVtZCGwyk3qUi7
100 > Eyh4Lo63IKGu8T1Bkmn2kaMvFhu7nC/CQLBjSq0YYI1tmCOkVb/3tPrz8oqgDJp2
100 > Eyh4Lo63IKGu8T1Bkmn2kaMvFhu7nC/CQLBjSq0YYI1tmCOkVb/3tPrz8oqgDJp2
101 > u7bLS3q0xDNZ52nVrKIoZC/UlRXGlPyzPpa70/jPIdfCbkwDaBpRVXc+62Pj2n5/
101 > u7bLS3q0xDNZ52nVrKIoZC/UlRXGlPyzPpa70/jPIdfCbkwDaBpRVXc+62Pj2n5/
102 > CnO2xaKwfOG6pDvanBhFD72vuBOkAYlFZPiEku4sc2WlNggsSWCPCIFwzmiHjKIl
102 > CnO2xaKwfOG6pDvanBhFD72vuBOkAYlFZPiEku4sc2WlNggsSWCPCIFwzmiHjKIl
103 > bWmdoTq3nb7sNfnBbV0OCa7fS1dFwCm4R1NC7ELENu0=
103 > bWmdoTq3nb7sNfnBbV0OCa7fS1dFwCm4R1NC7ELENu0=
104 > -----END RSA PRIVATE KEY-----
104 > -----END RSA PRIVATE KEY-----
105 > EOT
105 > EOT
106
106
107 $ cat << EOT > client-key-decrypted.pem
107 $ cat << EOT > client-key-decrypted.pem
108 > -----BEGIN RSA PRIVATE KEY-----
108 > -----BEGIN RSA PRIVATE KEY-----
109 > MIIBOgIBAAJBAJs4LS3glAYU92bg5kPgRPNW84ewB0fWJfAKccCp1ACHAdZPeaKb
109 > MIIBOgIBAAJBAJs4LS3glAYU92bg5kPgRPNW84ewB0fWJfAKccCp1ACHAdZPeaKb
110 > FCinVMYKAVbVqBkyrZ/Tyr8aSfMz4xO4+KsCAwEAAQJAeKDr25+Q6jkZHEbkLRP6
110 > FCinVMYKAVbVqBkyrZ/Tyr8aSfMz4xO4+KsCAwEAAQJAeKDr25+Q6jkZHEbkLRP6
111 > AfMtR+Ixhk6TJT24sbZKIC2V8KuJTDEvUhLU0CAr1nH79bDqiSsecOiVCr2HHyfT
111 > AfMtR+Ixhk6TJT24sbZKIC2V8KuJTDEvUhLU0CAr1nH79bDqiSsecOiVCr2HHyfT
112 > AQIhAM2C5rHbTs9R3PkywFEqq1gU3ztCnpiWglO7/cIkuGBhAiEAwVpMSAf77kop
112 > AQIhAM2C5rHbTs9R3PkywFEqq1gU3ztCnpiWglO7/cIkuGBhAiEAwVpMSAf77kop
113 > 4h/1kWsgMALQTJNsXd4CEUK4BOxvJIsCIQCbarVAKBQvoT81jfX27AfscsxnKnh5
113 > 4h/1kWsgMALQTJNsXd4CEUK4BOxvJIsCIQCbarVAKBQvoT81jfX27AfscsxnKnh5
114 > +MjSvkanvdFZwQIgbbcTefwt1LV4trtz2SR0i0nNcOZmo40Kl0jIquKO3qkCIH01
114 > +MjSvkanvdFZwQIgbbcTefwt1LV4trtz2SR0i0nNcOZmo40Kl0jIquKO3qkCIH01
115 > mJHzZr3+jQqeIFtr5P+Xqi30DJxgrnEobbJ0KFjY
115 > mJHzZr3+jQqeIFtr5P+Xqi30DJxgrnEobbJ0KFjY
116 > -----END RSA PRIVATE KEY-----
116 > -----END RSA PRIVATE KEY-----
117 > EOT
117 > EOT
118
118
119 $ cat << EOT > client-cert.pem
119 $ cat << EOT > client-cert.pem
120 > -----BEGIN CERTIFICATE-----
120 > -----BEGIN CERTIFICATE-----
121 > MIIBPjCB6QIBATANBgkqhkiG9w0BAQsFADAxMRIwEAYDVQQDDAlsb2NhbGhvc3Qx
121 > MIIBPjCB6QIBATANBgkqhkiG9w0BAQsFADAxMRIwEAYDVQQDDAlsb2NhbGhvc3Qx
122 > GzAZBgkqhkiG9w0BCQEWDGhnQGxvY2FsaG9zdDAeFw0xNTA1MDcwNjI5NDVaFw0z
122 > GzAZBgkqhkiG9w0BCQEWDGhnQGxvY2FsaG9zdDAeFw0xNTA1MDcwNjI5NDVaFw0z
123 > OTEyMjcwNjI5NDVaMCQxIjAgBgkqhkiG9w0BCQEWE2hnLWNsaWVudEBsb2NhbGhv
123 > OTEyMjcwNjI5NDVaMCQxIjAgBgkqhkiG9w0BCQEWE2hnLWNsaWVudEBsb2NhbGhv
124 > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAmzgtLeCUBhT3ZuDmQ+BE81bzh7AH
124 > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAmzgtLeCUBhT3ZuDmQ+BE81bzh7AH
125 > R9Yl8ApxwKnUAIcB1k95opsUKKdUxgoBVtWoGTKtn9PKvxpJ8zPjE7j4qwIDAQAB
125 > R9Yl8ApxwKnUAIcB1k95opsUKKdUxgoBVtWoGTKtn9PKvxpJ8zPjE7j4qwIDAQAB
126 > MA0GCSqGSIb3DQEBCwUAA0EAfBTqBG5pYhuGk+ZnyUufgS+d7Nk/sZAZjNdCAEj/
126 > MA0GCSqGSIb3DQEBCwUAA0EAfBTqBG5pYhuGk+ZnyUufgS+d7Nk/sZAZjNdCAEj/
127 > NFPo5fR1jM6jlEWoWbeg298+SkjV7tfO+2nt0otUFkdM6A==
127 > NFPo5fR1jM6jlEWoWbeg298+SkjV7tfO+2nt0otUFkdM6A==
128 > -----END CERTIFICATE-----
128 > -----END CERTIFICATE-----
129 > EOT
129 > EOT
130
130
131 $ hg init test
131 $ hg init test
132 $ cd test
132 $ cd test
133 $ echo foo>foo
133 $ echo foo>foo
134 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
134 $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
135 $ echo foo>foo.d/foo
135 $ echo foo>foo.d/foo
136 $ echo bar>foo.d/bAr.hg.d/BaR
136 $ echo bar>foo.d/bAr.hg.d/BaR
137 $ echo bar>foo.d/baR.d.hg/bAR
137 $ echo bar>foo.d/baR.d.hg/bAR
138 $ hg commit -A -m 1
138 $ hg commit -A -m 1
139 adding foo
139 adding foo
140 adding foo.d/bAr.hg.d/BaR
140 adding foo.d/bAr.hg.d/BaR
141 adding foo.d/baR.d.hg/bAR
141 adding foo.d/baR.d.hg/bAR
142 adding foo.d/foo
142 adding foo.d/foo
143 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
143 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
144 $ cat ../hg0.pid >> $DAEMON_PIDS
144 $ cat ../hg0.pid >> $DAEMON_PIDS
145
145
146 cacert not found
146 cacert not found
147
147
148 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
148 $ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
149 abort: could not find web.cacerts: no-such.pem
149 abort: could not find web.cacerts: no-such.pem
150 [255]
150 [255]
151
151
152 Test server address cannot be reused
152 Test server address cannot be reused
153
153
154 #if windows
154 #if windows
155 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
155 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
156 abort: cannot start server at ':$HGPORT':
156 abort: cannot start server at ':$HGPORT':
157 [255]
157 [255]
158 #else
158 #else
159 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
159 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
160 abort: cannot start server at ':$HGPORT': Address already in use
160 abort: cannot start server at ':$HGPORT': Address already in use
161 [255]
161 [255]
162 #endif
162 #endif
163 $ cd ..
163 $ cd ..
164
164
165 OS X has a dummy CA cert that enables use of the system CA store when using
165 OS X has a dummy CA cert that enables use of the system CA store when using
166 Apple's OpenSSL. This trick do not work with plain OpenSSL.
166 Apple's OpenSSL. This trick do not work with plain OpenSSL.
167
167
168 $ DISABLEOSXDUMMYCERT=
168 $ DISABLEOSXDUMMYCERT=
169 #if defaultcacerts
169 #if defaultcacerts
170 $ hg clone https://localhost:$HGPORT/ copy-pull
170 $ hg clone https://localhost:$HGPORT/ copy-pull
171 abort: error: *certificate verify failed* (glob)
171 abort: error: *certificate verify failed* (glob)
172 [255]
172 [255]
173
173
174 $ DISABLEOSXDUMMYCERT="--insecure"
174 $ DISABLEOSXDUMMYCERT="--insecure"
175 #endif
175 #endif
176
176
177 clone via pull
177 clone via pull
178
178
179 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT
179 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT
180 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
180 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
181 requesting all changes
181 requesting all changes
182 adding changesets
182 adding changesets
183 adding manifests
183 adding manifests
184 adding file changes
184 adding file changes
185 added 1 changesets with 4 changes to 4 files
185 added 1 changesets with 4 changes to 4 files
186 updating to branch default
186 updating to branch default
187 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
187 4 files updated, 0 files merged, 0 files removed, 0 files unresolved
188 $ hg verify -R copy-pull
188 $ hg verify -R copy-pull
189 checking changesets
189 checking changesets
190 checking manifests
190 checking manifests
191 crosschecking files in changesets and manifests
191 crosschecking files in changesets and manifests
192 checking files
192 checking files
193 4 files, 1 changesets, 4 total revisions
193 4 files, 1 changesets, 4 total revisions
194 $ cd test
194 $ cd test
195 $ echo bar > bar
195 $ echo bar > bar
196 $ hg commit -A -d '1 0' -m 2
196 $ hg commit -A -d '1 0' -m 2
197 adding bar
197 adding bar
198 $ cd ..
198 $ cd ..
199
199
200 pull without cacert
200 pull without cacert
201
201
202 $ cd copy-pull
202 $ cd copy-pull
203 $ echo '[hooks]' >> .hg/hgrc
203 $ echo '[hooks]' >> .hg/hgrc
204 $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
204 $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
205 $ hg pull $DISABLEOSXDUMMYCERT
205 $ hg pull $DISABLEOSXDUMMYCERT
206 pulling from https://localhost:$HGPORT/
206 pulling from https://localhost:$HGPORT/
207 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
207 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
208 searching for changes
208 searching for changes
209 adding changesets
209 adding changesets
210 adding manifests
210 adding manifests
211 adding file changes
211 adding file changes
212 added 1 changesets with 1 changes to 1 files
212 added 1 changesets with 1 changes to 1 files
213 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
213 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
214 (run 'hg update' to get a working copy)
214 (run 'hg update' to get a working copy)
215 $ cd ..
215 $ cd ..
216
216
217 cacert configured in local repo
217 cacert configured in local repo
218
218
219 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
219 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
220 $ echo "[web]" >> copy-pull/.hg/hgrc
220 $ echo "[web]" >> copy-pull/.hg/hgrc
221 $ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc
221 $ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc
222 $ hg -R copy-pull pull --traceback
222 $ hg -R copy-pull pull --traceback
223 pulling from https://localhost:$HGPORT/
223 pulling from https://localhost:$HGPORT/
224 searching for changes
224 searching for changes
225 no changes found
225 no changes found
226 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
226 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
227
227
228 cacert configured globally, also testing expansion of environment
228 cacert configured globally, also testing expansion of environment
229 variables in the filename
229 variables in the filename
230
230
231 $ echo "[web]" >> $HGRCPATH
231 $ echo "[web]" >> $HGRCPATH
232 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
232 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
233 $ P=`pwd` hg -R copy-pull pull
233 $ P=`pwd` hg -R copy-pull pull
234 pulling from https://localhost:$HGPORT/
234 pulling from https://localhost:$HGPORT/
235 searching for changes
235 searching for changes
236 no changes found
236 no changes found
237 $ P=`pwd` hg -R copy-pull pull --insecure
237 $ P=`pwd` hg -R copy-pull pull --insecure
238 pulling from https://localhost:$HGPORT/
238 pulling from https://localhost:$HGPORT/
239 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
239 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
240 searching for changes
240 searching for changes
241 no changes found
241 no changes found
242
242
243 cacert mismatch
243 cacert mismatch
244
244
245 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
245 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
246 pulling from https://127.0.0.1:$HGPORT/
246 pulling from https://127.0.0.1:$HGPORT/
247 abort: 127.0.0.1 certificate error: certificate is for localhost
247 abort: 127.0.0.1 certificate error: certificate is for localhost
248 (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
248 (configure hostfingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca or use --insecure to connect insecurely)
249 [255]
249 [255]
250 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
250 $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/ --insecure
251 pulling from https://127.0.0.1:$HGPORT/
251 pulling from https://127.0.0.1:$HGPORT/
252 warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
252 warning: 127.0.0.1 certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
253 searching for changes
253 searching for changes
254 no changes found
254 no changes found
255 $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
255 $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
256 pulling from https://localhost:$HGPORT/
256 pulling from https://localhost:$HGPORT/
257 abort: error: *certificate verify failed* (glob)
257 abort: error: *certificate verify failed* (glob)
258 [255]
258 [255]
259 $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
259 $ hg -R copy-pull pull --config web.cacerts=pub-other.pem --insecure
260 pulling from https://localhost:$HGPORT/
260 pulling from https://localhost:$HGPORT/
261 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
261 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
262 searching for changes
262 searching for changes
263 no changes found
263 no changes found
264
264
265 Test server cert which isn't valid yet
265 Test server cert which isn't valid yet
266
266
267 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
267 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
268 $ cat hg1.pid >> $DAEMON_PIDS
268 $ cat hg1.pid >> $DAEMON_PIDS
269 $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
269 $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
270 pulling from https://localhost:$HGPORT1/
270 pulling from https://localhost:$HGPORT1/
271 abort: error: *certificate verify failed* (glob)
271 abort: error: *certificate verify failed* (glob)
272 [255]
272 [255]
273
273
274 Test server cert which no longer is valid
274 Test server cert which no longer is valid
275
275
276 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
276 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
277 $ cat hg2.pid >> $DAEMON_PIDS
277 $ cat hg2.pid >> $DAEMON_PIDS
278 $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
278 $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
279 pulling from https://localhost:$HGPORT2/
279 pulling from https://localhost:$HGPORT2/
280 abort: error: *certificate verify failed* (glob)
280 abort: error: *certificate verify failed* (glob)
281 [255]
281 [255]
282
282
283 Fingerprints
283 Fingerprints
284
284
285 - works without cacerts
285 - works without cacerts (hostkeyfingerprints)
286 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
286 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
287 5fed3813f7f5
287 5fed3813f7f5
288
288
289 - works without cacerts (hostsecurity)
290 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca
291 5fed3813f7f5
292
293 $ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
294 5fed3813f7f5
295
289 - multiple fingerprints specified and first matches
296 - multiple fingerprints specified and first matches
290 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
297 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
291 5fed3813f7f5
298 5fed3813f7f5
292
299
300 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
301 5fed3813f7f5
302
293 - multiple fingerprints specified and last matches
303 - multiple fingerprints specified and last matches
294 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure
304 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure
295 5fed3813f7f5
305 5fed3813f7f5
296
306
307 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/
308 5fed3813f7f5
309
297 - multiple fingerprints specified and none match
310 - multiple fingerprints specified and none match
298
311
299 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
312 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
300 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
313 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
301 (check hostfingerprint configuration)
314 (check hostfingerprint configuration)
302 [255]
315 [255]
303
316
317 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
318 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
319 (check hostfingerprint configuration)
320 [255]
321
304 - fails when cert doesn't match hostname (port is ignored)
322 - fails when cert doesn't match hostname (port is ignored)
305 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca
323 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca
306 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
324 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
307 (check hostfingerprint configuration)
325 (check hostfingerprint configuration)
308 [255]
326 [255]
309
327
310
328
311 - ignores that certificate doesn't match hostname
329 - ignores that certificate doesn't match hostname
312 $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
330 $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
313 5fed3813f7f5
331 5fed3813f7f5
314
332
315 HGPORT1 is reused below for tinyproxy tests. Kill that server.
333 HGPORT1 is reused below for tinyproxy tests. Kill that server.
316 $ killdaemons.py hg1.pid
334 $ killdaemons.py hg1.pid
317
335
318 Prepare for connecting through proxy
336 Prepare for connecting through proxy
319
337
320 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
338 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
321 $ while [ ! -f proxy.pid ]; do sleep 0; done
339 $ while [ ! -f proxy.pid ]; do sleep 0; done
322 $ cat proxy.pid >> $DAEMON_PIDS
340 $ cat proxy.pid >> $DAEMON_PIDS
323
341
324 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
342 $ echo "[http_proxy]" >> copy-pull/.hg/hgrc
325 $ echo "always=True" >> copy-pull/.hg/hgrc
343 $ echo "always=True" >> copy-pull/.hg/hgrc
326 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
344 $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
327 $ echo "localhost =" >> copy-pull/.hg/hgrc
345 $ echo "localhost =" >> copy-pull/.hg/hgrc
328
346
329 Test unvalidated https through proxy
347 Test unvalidated https through proxy
330
348
331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
349 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
332 pulling from https://localhost:$HGPORT/
350 pulling from https://localhost:$HGPORT/
333 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
351 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
334 searching for changes
352 searching for changes
335 no changes found
353 no changes found
336
354
337 Test https with cacert and fingerprint through proxy
355 Test https with cacert and fingerprint through proxy
338
356
339 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem
357 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub.pem
340 pulling from https://localhost:$HGPORT/
358 pulling from https://localhost:$HGPORT/
341 searching for changes
359 searching for changes
342 no changes found
360 no changes found
343 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
361 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
344 pulling from https://127.0.0.1:$HGPORT/
362 pulling from https://127.0.0.1:$HGPORT/
345 searching for changes
363 searching for changes
346 no changes found
364 no changes found
347
365
348 Test https with cert problems through proxy
366 Test https with cert problems through proxy
349
367
350 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem
368 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-other.pem
351 pulling from https://localhost:$HGPORT/
369 pulling from https://localhost:$HGPORT/
352 abort: error: *certificate verify failed* (glob)
370 abort: error: *certificate verify failed* (glob)
353 [255]
371 [255]
354 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
372 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
355 pulling from https://localhost:$HGPORT2/
373 pulling from https://localhost:$HGPORT2/
356 abort: error: *certificate verify failed* (glob)
374 abort: error: *certificate verify failed* (glob)
357 [255]
375 [255]
358
376
359
377
360 $ killdaemons.py hg0.pid
378 $ killdaemons.py hg0.pid
361
379
362 #if sslcontext
380 #if sslcontext
363
381
364 Start patched hgweb that requires client certificates:
382 Start patched hgweb that requires client certificates:
365
383
366 $ cat << EOT > reqclientcert.py
384 $ cat << EOT > reqclientcert.py
367 > import ssl
385 > import ssl
368 > from mercurial.hgweb import server
386 > from mercurial.hgweb import server
369 > class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
387 > class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
370 > @staticmethod
388 > @staticmethod
371 > def preparehttpserver(httpserver, ssl_cert):
389 > def preparehttpserver(httpserver, ssl_cert):
372 > sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
390 > sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
373 > sslcontext.verify_mode = ssl.CERT_REQUIRED
391 > sslcontext.verify_mode = ssl.CERT_REQUIRED
374 > sslcontext.load_cert_chain(ssl_cert)
392 > sslcontext.load_cert_chain(ssl_cert)
375 > # verify clients by server certificate
393 > # verify clients by server certificate
376 > sslcontext.load_verify_locations(ssl_cert)
394 > sslcontext.load_verify_locations(ssl_cert)
377 > httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
395 > httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
378 > server_side=True)
396 > server_side=True)
379 > server._httprequesthandlerssl = _httprequesthandlersslclientcert
397 > server._httprequesthandlerssl = _httprequesthandlersslclientcert
380 > EOT
398 > EOT
381 $ cd test
399 $ cd test
382 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
400 $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
383 > --config extensions.reqclientcert=../reqclientcert.py
401 > --config extensions.reqclientcert=../reqclientcert.py
384 $ cat ../hg0.pid >> $DAEMON_PIDS
402 $ cat ../hg0.pid >> $DAEMON_PIDS
385 $ cd ..
403 $ cd ..
386
404
387 without client certificate:
405 without client certificate:
388
406
389 $ P=`pwd` hg id https://localhost:$HGPORT/
407 $ P=`pwd` hg id https://localhost:$HGPORT/
390 abort: error: *handshake failure* (glob)
408 abort: error: *handshake failure* (glob)
391 [255]
409 [255]
392
410
393 with client certificate:
411 with client certificate:
394
412
395 $ cat << EOT >> $HGRCPATH
413 $ cat << EOT >> $HGRCPATH
396 > [auth]
414 > [auth]
397 > l.prefix = localhost
415 > l.prefix = localhost
398 > l.cert = client-cert.pem
416 > l.cert = client-cert.pem
399 > l.key = client-key.pem
417 > l.key = client-key.pem
400 > EOT
418 > EOT
401
419
402 $ P=`pwd` hg id https://localhost:$HGPORT/ \
420 $ P=`pwd` hg id https://localhost:$HGPORT/ \
403 > --config auth.l.key=client-key-decrypted.pem
421 > --config auth.l.key=client-key-decrypted.pem
404 5fed3813f7f5
422 5fed3813f7f5
405
423
406 $ printf '1234\n' | env P=`pwd` hg id https://localhost:$HGPORT/ \
424 $ printf '1234\n' | env P=`pwd` hg id https://localhost:$HGPORT/ \
407 > --config ui.interactive=True --config ui.nontty=True
425 > --config ui.interactive=True --config ui.nontty=True
408 passphrase for client-key.pem: 5fed3813f7f5
426 passphrase for client-key.pem: 5fed3813f7f5
409
427
410 $ env P=`pwd` hg id https://localhost:$HGPORT/
428 $ env P=`pwd` hg id https://localhost:$HGPORT/
411 abort: error: * (glob)
429 abort: error: * (glob)
412 [255]
430 [255]
413
431
414 #endif
432 #endif
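Review bot: The hostsecurity variant of the "none match" case (new lines 317-320) still aborts with the hint "(check hostfingerprint configuration)", which names the legacy section even though the fingerprints came from `hostsecurity.localhost:fingerprints`. The hint should name the section the user actually set, with the expected output here updated to match, so that the message points at the right config. Two smaller points in the same region: the label on new line 285 reads "(hostkeyfingerprints)" while the option exercised is `hostfingerprints`, and the hostname and port cases at new lines 322-331 are still run only with `hostfingerprints`. Adding `hostsecurity` counterparts for those, plus a sha256 mismatch and a sha1 value in colon-delimited form, would cover both hash prefixes and both spellings the new tests already accept.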