-rw-r--r-- | doc/guix.texi | 8 | ||||
-rw-r--r-- | guix/scripts/pull.scm | 16 |
2 files changed, 21 insertions, 3 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 31deb5b003..da4d2f5ebc 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -4643,6 +4643,14 @@ Make sure you understand its security implications before using
 @option{--disable-authentication}.
 @end quotation

+@item --no-check-certificate
+Do not validate the X.509 certificates of HTTPS servers.
+
+When using this option, you have @emph{absolutely no guarantee} that you
+are communicating with the authentic server responsible for the given
+URL. Unless the channel is authenticated, this makes you vulnerable to
+``man-in-the-middle'' attacks.
+
 @item --system=@var{system}
 @itemx -s @var{system}
 Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of
diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index 58d3cd7e83..76aed0b5cc 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013-2015, 2017-2023 Ludovic Courtès <[email protected]>
+;;; Copyright © 2013-2015, 2017-2024 Ludovic Courtès <[email protected]>
 ;;; Copyright © 2017 Marius Bakke <[email protected]>
 ;;; Copyright © 2020, 2021 Tobias Geerinckx-Rice <[email protected]>
 ;;;
@@ -77,6 +77,7 @@
 (debug . 0)
 (verbosity . 1)
 (authenticate-channels? . #t)
+ (verify-certificate? . #t)
 (validate-pull . ,ensure-forward-channel-update)))

 (define (show-help)
@@ -99,6 +100,9 @@ Download and deploy the latest version of Guix.\n"))
 --disable-authentication
 disable channel authentication"))
 (display (G_ "
+ --no-check-certificate
+ do not validate the certificate of HTTPS servers"))
+ (display (G_ "
 -N, --news display news compared to the previous generation"))
 (display (G_ "
 -l, --list-generations[=PATTERN]
@@ -183,6 +187,9 @@ Download and deploy the latest version of Guix.\n"))
 (option '("disable-authentication") #f #f
 (lambda (opt name arg result)
 (alist-cons 'authenticate-channels? #f result)))
+ (option '("no-check-certificate") #f #f
+ (lambda (opt name arg result)
+ (alist-cons 'verify-certificate? #f result)))
 (option '(#\p "profile") #t #f
 (lambda (opt name arg result)
 (alist-cons 'profile (canonicalize-profile arg)
@@ -845,7 +852,8 @@ Use '~/.config/guix/channels.scm' instead."))
 (profile (or (assoc-ref opts 'profile) %current-profile))
 (current-channels (profile-channels profile))
 (validate-pull (assoc-ref opts 'validate-pull))
- (authenticate? (assoc-ref opts 'authenticate-channels?)))
+ (authenticate? (assoc-ref opts 'authenticate-channels?))
+ (verify-certificate? (assoc-ref opts 'verify-certificate?)))
 (cond
 ((assoc-ref opts 'query)
 (process-query opts profile))
@@ -877,7 +885,9 @@ Use '~/.config/guix/channels.scm' instead."))
 #:validate-pull
 validate-pull
 #:authenticate?
- authenticate?)))
+ authenticate?
+ #:verify-certificate?
+ verify-certificate?)))
 (format (current-error-port)
 (N_ "Building from this channel:~%"
 "Building from these channels:~%"
|
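Review bot: Binding `verify-certificate?` from `opts` in the @@ -845 hunk disables TLS peer verification silently: nothing there, nor in the `--no-check-certificate` handler in the hunk above it, tells the user at run time that the HTTPS server's identity will not be checked, so a flag left in a wrapper script or alias keeps downgrading every later pull unnoticed. Since the new texinfo text describes this setting as leaving "absolutely no guarantee" about the peer, consider emitting a one-line warning on the error port before the `cond`, e.g. `(unless verify-certificate? (warning (G_ "not validating TLS certificates; the identity of HTTPS servers is not checked~%")))`, assuming `warning` from (guix ui) is available in this file; otherwise `(format (current-error-port) ...)` as the @@ -877 hunk already does. It matters most when `--disable-authentication` is given as well, since then neither the transport nor the channel content is verified. The enclosing binding form starts before the hunk and its body continues after it.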