[Github-comments] [geany/geany-plugins] geniuspaste plugin missing TLS certificate verification (#1078)

Enrico Tröger notifications at xxxxx
Tue Jun 15 21:54:22 UTC 2021


> > On Linux there's usually a central cert-db, but not sure there's such on Windows.
> 
> I'm pretty sure that's not true.

Or it just depends on how you define "central cert-db". Usually there is a system-wide certificate store with common public root certificates and this store is installed by a package called "ca-certificates" (or similar, depending on the distribution, e.g. https://packages.debian.org/buster/ca-certificates).
In short, there is no such thing as an automagically always available store of certificates on Linux. It still must be installed and is the users' responsibility.

> > What's the recommended way to handle TLS validation on Windows?
> 
> The recommended way is to do nothing. Just use the default GTlsDatabase. [That's implemented here](https://gitlab.gnome.org/GNOME/glib-networking/-/blob/master/tls/gnutls/gtlsdatabase-gnutls.c) and it just uses GnuTLS's default trust store. Presumably that should work as expected on Windows.

This is what I would doubt. Do you have any reference on this? The pasted link is just the code but I could not find any hint about included certificates. So I would assume "glib-networking" needs external certificate resources as well (which is totally fine IMO).

Anyway, for the Windows part: we ship the certificates from the "ca-certificates" package in the G-P Windows installer, for the UpdateChecker plugin, but they can be used here as well: https://github.com/geany/geany-plugins/commit/60116231db908cbf3666d1df114f5859a63592e3

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany-plugins/issues/1078#issuecomment-861860312