Hi Chris, Chris Marusich <[email protected]> skribis:
> Ludovic Courtès <[email protected]> writes: > >> Julien Lepiller <[email protected]> skribis: >> >>> expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y >>> actual hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac >>> hash mismatch for store item >>> '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build >> >> I believe you’d be fine if substitutes were enabled, but they’re not. >> >> In the meantime, you can fetch those files with something like: >> >> wget -O /tmp/isrgrootx1.pem \ >> >> http://berlin.guix.gnu.org/file/isrgrootx1.pem/sha256/0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y >> guix download file:///tmp/isrgrootx1.pem >> >> But yeah, like Tobias writes, it’s a bit of a problem. Should we mirror >> them somewhere? Does Let’s Encrypt have them under a versioned URL >> elsewhere? > > What is Guix using these files for? I realize it's got something to do > with TLS, but it isn't clear to me why Guix downloads these certs. This is used by (guix scripts pull) so we can always authenticate git.savannah.gnu.org when we fetch from the Git repo. It’s used if and only if certificates aren’t available system-wide (see ‘honor-x509-certificates’.) Ludo’.
