For the UpdateChecker plugin we need the Let's Encrypt intermediate certificate to properly validate TLS certificates when querying geany.org for the version check.
Slightly related to #761. You can view, comment on, or merge this pull request online at:
https://github.com/geany/geany-plugins/pull/768
-- Commit Summary --
* Windows installer: Distribute Let's Encrypt intermediate certificate
-- File Changes --
M build/geany-plugins.nsi (4)
M build/gtk-bundle-from-msys2.sh (14)
-- Patch Links --
https://github.com/geany/geany-plugins/pull/768.patch
https://github.com/geany/geany-plugins/pull/768.diff
- Tested on Windows
- without the certificate bundle ("bundle" here is only one of the intermediate certificates of Let's Encrypt) there is an error message like the one reported in #761
- with the certificate bundle the version check performs successfully

Still, I'm not completely sure if it is a good idea to distribute the certificate or whether this should rather be done by the user and/or OS and we just rely on that.
@eht16 pushed 1 commit.
715ed5f Merge branch 'master' into issue761_windows_ship_letsencrypt_certificate
Just updated the PR: instead of explicitly bundling the Let's Encrypt intermediate certificate, just install the general `ca-certificates` bundle using the MSYS2 sources. So we get more of the common root CAs and this might help more plugins in the future. The verification of geany.org's LE certificate still works fine.
I don't really like the idea that we're installing certificates that aren't even ours, but I guess that if we really have to, installing the ones from MSYS is probably simpler and safer indeed.
Installing "our" certificates is not an option with Let's Encrypt as those certificates expire after three months or we switch to a very short release cycle :). Or we just disable certificate verification in the UpdateChecker plugin :).
More seriously, I got your point. Ideally, Windows would provide the necessary CA certificates or `libsoup` would be able to access them (I'm not completely sure what the real culprit is here). But since that isn't the case, I think re-distributing the available set of CA certificates bundled by MSYS and updating them with our releases should be a good compromise.
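As an added example, not code from this PR or from geany-plugins, the script below reproduces the verification problem the thread is about: it builds a throwaway root/intermediate/leaf chain with the openssl command-line tool (assumed to be installed) and checks the leaf against a trust file that holds only the root and against a root-plus-intermediate bundle of the kind `ca-certificates` ships. The CA names and the geany.org name in the leaf are constructed for the demo.

```shell
# Added example (not part of the PR): build a throwaway root -> intermediate -> leaf chain with
# the openssl CLI and show the leaf validates only when the trust bundle also holds the intermediate.
set -eu

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:false
subjectAltName = DNS:geany.org
EOF
}

# make_chain DIR: write root.pem, int.pem, leaf.pem and bundle.pem (root + intermediate, the
# shape of a ca-certificates style bundle) into DIR. CA names and the SAN are constructed.
make_chain() {
  d=$1; write_cnf "$d/x.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/x.cnf" -extensions ca_ext \
    -subj "/CN=Demo Root CA" -days 2 -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/x.cnf" -extensions ca_ext -days 2 -out "$d/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" \
    -subj "/CN=geany.org" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -extfile "$d/x.cnf" -extensions leaf_ext -days 2 -out "$d/leaf.pem" 2>/dev/null
  cat "$d/root.pem" "$d/int.pem" > "$d/bundle.pem"
}

# verify_leaf CAFILE LEAF: exit 0 if LEAF chains to a trust anchor in CAFILE, non-zero otherwise.
verify_leaf() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Demo: the two situations from the PR discussion (server sends only its leaf certificate).
demo() {
  dir=$(mktemp -d); make_chain "$dir"
  verify_leaf "$dir/root.pem" "$dir/leaf.pem" && echo "root only: OK" || echo "root only: FAIL (no intermediate)"
  verify_leaf "$dir/bundle.pem" "$dir/leaf.pem" && echo "bundle: OK" || echo "bundle: FAIL"
  rm -rf "$dir"
}
demo
```

The "root only" failure is the same class of error as the one reported in #761: the leaf is fine, but the verifier cannot build a path to a trust anchor without the intermediate.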
Merged #768 into master.
github-comments@lists.geany.org