New source install problem with certs

Rainer Müller raimue at macports.org
Fri Mar 2 13:25:55 PST 2012


On 2012-03-02 17:25, Joshua Root wrote:
> Unfortunately this doesn't help /usr/bin/svn. I would say this is
> actually a bug/limitation in Apple's svn (or perhaps their OpenSSL) on
> Lion. I can reproduce the issue on 10.7 but not 10.6.

You are right, I can reproduce the problem with /usr/bin/svn.

Maybe this has something to do with the setting ssl-trust-default-ca in
the subversion/servers config? I am not entirely sure if openssl is
aware of any CAs as they are stored in the system keychain only.

Here are some ideas:

a) We could ship a configuration file in
/opt/local/var/macports/home/.subversion/servers which adds the required
certificate chain to the known trusted CAs.

  ssl-authority-files = /opt/local/share/macports/macports-svnkey.pem

b) We create a directory
${prefix}/opt/local/var/macports/home/.subversion/auth/ and allow the
macports user to write there. Then one could accept this certificate
permanently with something like this:

  sudo -u macports /usr/bin/svn ls \
      https://svn.macosforge.org/repository/macports/trunk/dports

Then answer 'p' (permanently) to the question. Note that this will not
be stored in the home directory unless we give the macports user write
permissions.

From these two options, with a) this would work out of the box and
automatically recognize this certificate. We would need to issue a new
MacPorts release for every certificate update. However, the current
certificate expires on 2014-05-31, so it's rather a question of thinking
about this in time than a real management issue.

With option b), some more work is required. I doubt anyone would
actually verify the fingerprint, so it does not add any security either.

> We probably masked the problem previously because it used the config in
> the user's home dir, thus picking up that they had previously chosen to
> trust the server's cert.

Yes, I assume that's it exactly.

Rainer
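An added check for the kind of servers file option a) would ship, written for this thread and not part of MacPorts: it resolves which group's settings apply to svn.macosforge.org and verifies that every ssl-authority-files path exists and contains a PEM certificate block (the config text and PEM file are constructed placeholders; the certificate contents themselves are not parsed or validated).

```python
"""Resolve the Subversion ``servers`` settings that apply to a host and check
that every ssl-authority-files entry is a readable PEM file (option a) above).
Added example, not MacPorts code; the config and PEM below are constructed."""
import configparser
import fnmatch
import pathlib
import tempfile

def load_servers(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep group names and file paths case-sensitive
    cfg.read_string(text)
    return cfg

def resolve_group(cfg, host):
    """Merge [global] with the first [groups] entry whose host glob matches."""
    merged = dict(cfg["global"]) if cfg.has_section("global") else {}
    if cfg.has_section("groups"):
        for group, patterns in cfg["groups"].items():
            # A group name maps to a comma-separated list of hostname globs.
            if any(fnmatch.fnmatch(host, p.strip()) for p in patterns.split(",")):
                if cfg.has_section(group):
                    merged.update(cfg[group])
                break
    return merged

def check_authority_files(settings):
    """Return a list of problems; an empty list means the CA setup is usable."""
    problems = []
    files = settings.get("ssl-authority-files", "")
    trust_default = settings.get("ssl-trust-default-ca", "yes").strip().lower()
    if trust_default in ("no", "false", "off", "0") and not files.strip():
        problems.append("default CAs disabled and no ssl-authority-files given")
    # ssl-authority-files is a semicolon-delimited list of PEM paths.
    for path in filter(None, (p.strip() for p in files.split(";"))):
        cert = pathlib.Path(path)
        if not cert.is_file():
            problems.append(f"missing authority file: {path}")
        elif "-----BEGIN CERTIFICATE-----" not in cert.read_text(errors="replace"):
            problems.append(f"no PEM certificate in: {path}")
    return problems

def demo():
    """Write a placeholder PEM plus a servers file naming it, then check them."""
    pem = pathlib.Path(tempfile.mkdtemp()) / "macports-svnkey.pem"
    # Constructed placeholder, not a real certificate.
    pem.write_text("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    cfg = load_servers(f"[groups]\nmacports = svn.macosforge.org\n"
                       f"[macports]\nssl-authority-files = {pem}\n"
                       f"[global]\nssl-trust-default-ca = yes\n")
    return check_authority_files(resolve_group(cfg, "svn.macosforge.org"))
```

demo() returns an empty list for the well-formed case; a missing file or a group that disables the default CAs without naming any authority file comes back as a problem string.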

