This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository buildscripts. commit 074779564c4b95a6abd4ae96d3fc138f4e448490 Author: Mihai Moldovan <ionic@ionic.de> Date: Sat Jun 10 23:51:28 2017 +0200 bin/slave-start-prepare.sh: switch from wget to cURL. It doesn't seem to be (easily) possible to disable certain certificate checks, but still enforce the pinned pubkey hash check with wget. This means that we either have to - provide the pubkey hash - provide the CA certificate (which is pretty darn difficult when using self-signed certificates) - make sure that the parameters match what is recorded in the certificate (like the hostname) or - disable all checks, including the pubkey hash check. ... or find an alternative, like cURL, which allows us to bypass these checks but still employs the pubkey hash check. So switch to cURL. --- bin/slave-start-prepare.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/bin/slave-start-prepare.sh b/bin/slave-start-prepare.sh index b9add7d..4829069 100755 --- a/bin/slave-start-prepare.sh +++ b/bin/slave-start-prepare.sh @@ -31,6 +31,12 @@ fi rm -f -- "slave.jar" -wget -NS --pinnedpubkey="${ssl_hash}" "https://${host}/jnlpJars/slave.jar" +# Even though we pin the certificate's public key, the --insecure option +# is needed since our certificate (currently) is self-signed, which leads to +# curl rejecting the certificate. +# This is okay, since curl still checks for the pubkey hash and aborts the +# connection if the server's pubkey hash doesn't match the pinned one, even +# when calling it with the --insecure parameter. +curl -R --pinnedpubkey "${ssl_hash}" --insecure "https://${host}/jnlpJars/slave.jar" java -jar "slave.jar" -- Alioth's /srv/git/code.x2go.org/buildscripts.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/buildscripts.git
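Review bot: The new curl line has no `-o "slave.jar"` (or `-O`), so unlike the wget call it replaces, the download goes to stdout, and after the `rm -f -- "slave.jar"` above there is no file for `java -jar "slave.jar"` to run. `-R` also only takes effect when curl writes to a file. Suggest `curl -fR --pinnedpubkey "${ssl_hash}" --insecure -o "slave.jar" "https://${host}/jnlpJars/slave.jar"`; the added `-f` makes curl exit non-zero on an HTTP error instead of saving the error page as the jar. Nothing in the visible lines checks curl's exit status before java is started, so an explicit check there (or `|| exit 1`) would stop the script when the pinned pubkey hash does not match. Since `--insecure` turns off chain and hostname validation, the pin in `${ssl_hash}` is the only thing authenticating the server; the comment could say so and state that the script must abort when `ssl_hash` is empty or unset.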