How can I force mercurial in .hgrc to check the SHA256 fingerprint when connecting to the repository server?
In .hgrc usually SHA1 fingerprints are used as
[hostfingerprints]
foo.bar.baz = a1:b2:c3:d4:e5:f6:11:22:33:44:55:66:77:88:99:00:f9:r8:d7:c6
Using a SHA256 fingerprint would cause hg to fail to connect:
abort: certificate for foo.bar.baz has unexpected fingerprint 00:11:22:33:44:55:66:77:88:99:0a:0b:0c:0d:0e:0f:a1:b1:c1:d1
(check hostfingerprint configuration)
Does mercurial always expect a SHA1 here, or can this be done with the client configuration at all, or does this have to be set on the server side?
e.g. openssl has -sha1 and -sha256 options.
Does mercurial always expect a SHA1 here
Yes. Just re-read the current description of the hostfingerprints section in hgrc (bolding is my addition):
The fingerprint is the SHA-1 hash value of the DER encoded certificate.
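A way to check which digest a pinned value actually is, as an added example that is not part of the original answer or of Mercurial's code: it computes the colon-separated fingerprint of a DER-encoded certificate and reports whether a configured value is the SHA-1 that [hostfingerprints] expects, a SHA-256 of the same certificate, or not a fingerprint at all. The names fingerprint, fetch_der and diagnose_pin and the sample bytes are assumptions made for the example.

```python
import hashlib
import ssl

# Constructed placeholder bytes standing in for a DER-encoded certificate.
SAMPLE_DER = b"abc"

# Digest length in bytes -> hashlib algorithm name.
_DIGEST_BYTES = {20: "sha1", 32: "sha256"}


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated lowercase hex digest of a DER-encoded certificate."""
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate as DER, unvalidated (needs network)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def diagnose_pin(der: bytes, configured: str) -> str:
    """Classify a configured fingerprint against the certificate bytes."""
    cleaned = configured.replace(":", "").strip().lower()
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        return "invalid"          # non-hex characters or odd length
    algo = _DIGEST_BYTES.get(len(raw))
    if algo is None:
        return "invalid"          # neither 20 nor 32 bytes
    if fingerprint(der, algo).replace(":", "") != cleaned:
        return "mismatch"         # different certificate (or wrong encoding)
    # A correct SHA-256 still fails: hg compares against the SHA-1 only.
    return "sha1-match" if algo == "sha1" else "sha256-match-but-unsupported"


if __name__ == "__main__":
    for algo in ("sha1", "sha256"):
        pin = fingerprint(SAMPLE_DER, algo)
        print(algo, pin, "->", diagnose_pin(SAMPLE_DER, pin))
```

Mercurial 3.9 and later also accept sha256:-prefixed pins through the [hostsecurity] section (foo.bar.baz:fingerprints = sha256:...); the [hostfingerprints] section quoted above takes the SHA-1 only.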
Related
Trying to push to a Kiln repo. There are definitely changes, lots of them, hg status lists 238 files changed. There is a warning that the certificate with fingerprint blah blah is not verified -- though if it's just a warning why would it interfere with the push?
Full output:
pushing to https://mydomain/Code/Repositories/Group/myrepo
warning: mydomain certificate with fingerprint fe:ab:65:89:7c:6f:1a:21:a8:39:54:6c:2a:cb:ca:ae:e9:e5:f0:01 not verified (check hostfingerprints or web.cacerts config setting)
warning: developers.kilnhg.com certificate with fingerprint fe:ab:65:89:7c:6f:1a:21:a8:39:54:6c:2a:cb:ca:ae:e9:e5:f0:01 not verified (check hostfingerprints or web.cacerts config setting)
searching for changes
searching for changes
no changes found
Googling this has turned up nothing.
You need to commit your changes to the local repository before you can push the resulting changeset to a remote repository. Use the command hg commit to do so.
My project's .hg directory is 40MB. If I hg push --verbose --debug to an empty remote repository I see it sending hundreds of MBs. Where is the extra overhead coming from?
UPDATE: hg bundle -a generates a 35MB file. Here is a stripped-down version of the output I'm seeing:
pushing to https://jace.googlecode.com/hg/
using https://jace.googlecode.com/hg/
sending between command
using auth.default.* for authentication
jace.googlecode.com certificate successfully verified
sending capabilities command
using auth.default.* for authentication
capabilities: branchmap lookup unbundle=HG10UN,HG10UGZ,HG10BZ changegroupsubset
sending heads command
using auth.default.* for authentication
searching for changes
common changesets up to 71818a195bf5
sending branchmap command
[...]
bundling: <filenames>
sending unbundle command
sending xxx bytes
[...]
sending: xxx/xxx kb
This is a known python bug. Because of the way the python http library works, it first sends the data, the server replies that it needs an auth, and it resends the data.
With a recent mercurial (starting at 1.9) you can use an alternative http library. Just add the following in hgrc:
[ui]
usehttp2 = true
It could be that the repository you're pushing to doesn't support compressed transfer. What protocol are you using? If it's http, I recommend you watch the first requests to the remote repository (one of them is about determining the capabilities the remote repo offers).
If you're using a file URL for pushing, there's probably not much you can do about it.
I have encountered this error when trying to push a subrepository to bitbucket:
D:\Work\agile.crm.framework>hg push
warning: bitbucket.org certificate with fingerprint 81:2b:08:90:dc:d3:71:ee:e0:7
c:b4:75:ce:9b:6c:48:94:56:a1:fe not verified (check hostfingerprints or web.cace
rts config setting)
http authorization required
realm: Bitbucket.org HTTP
user: the_drow
password:
warning: bitbucket.org certificate with fingerprint 81:2b:08:90:dc:d3:71:ee:e0:7
c:b4:75:ce:9b:6c:48:94:56:a1:fe not verified (check hostfingerprints or web.cace
rts config setting)
pushing to https://the_drow@bitbucket.org/the_drow/agile.crm.framework
pushing subrepo Logging to https://the_drow@bitbucket.org/the_drow/agile.crm.fra
mework/Logging
warning: bitbucket.org certificate with fingerprint 81:2b:08:90:dc:d3:71:ee:e0:7
c:b4:75:ce:9b:6c:48:94:56:a1:fe not verified (check hostfingerprints or web.cace
rts config setting)
abort: HTTP Error 404: NOT FOUND
I have encountered this link that describes how to solve the problem but I don't understand what to do.
Should I place my Logging subrepository in D:\Work\?
What exactly should I do with the mercurial subpaths? Will this enable me to clone locally?
EDIT:
As requested, here are the contents of my .hgsub file
Logging = Logging
As noted in the link that you posted, "You have to make the subrepositories as siblings of the main repository."
So on BitBucket, you need the following structure:
https://bitbucket.org/the_drow/agile.crm.framework
https://bitbucket.org/the_drow/Logging
Then your .hgsub inside agile.crm.framework needs to contain the following:
Logging = ../Logging
I'm going to bump an old question because I think I have a better solution. I understand why @the_drow has issues with the original accepted answer since with Logging = ../Logging your local machine has to have the Logging subrepo as a peer with the containing/master repo. This kind of defeats the purpose of subrepos from an organization point of view. However, if you use the subpaths feature, you can get Mercurial to rewrite the URI for you on push:
external/my_subrepo = external/my_subrepo
[subpaths]
(https://|ssh://hg@)bitbucket\.org/moswald/my_project/external/my_subrepo = \1bitbucket.org/moswald/my_subrepo
Now my local copy of the my_subrepo sub repository is stored inside my_project as expected, but when I push to Bitbucket, it's rerouted to the real thing. In fact, you can use that rewriting feature to point pretty much anywhere since Mercurial understands Git and SVN. I've got more than a few Bitbucket repositories that have subrepos by other authors who use Github.
I need to download the source code from the Mercurial.
$ hg clone xmppframework.googlecode.com/hg xmppframework
warning: xmppframework.googlecode.com certificate with fingerprint b1:af:83:76:f3:81:b0:57:70:d8:07:42:c8:c1:b3:67:38:c8:7a:bc not verified (check hostfingerprints or web.cacerts config setting)
requesting all changes
adding changesets
adding manifests
adding file changes
I tried it in the terminal by using this link to download the source code. But the command failed.
Can anyone help me get rid of this?
Thanks to all,
Madan.
The problem is that you didn't add the fingerprint of Google to your hgrc file.
There are two ways to solve the problem:
Use http instead of https; the disadvantage would be that your traffic isn't encrypted anymore.
hg clone http://xmppframework.googlecode.com/hg/ xmppframework
Or add the fingerprint to your hgrc file:
Please note that Google Code is changing the fingerprint sometimes. When the fingerprint below doesn't work, you can use this command (taken from this question) to detect the current fingerprint:
$ openssl s_client -connect xmppframework.googlecode.com:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
[hostfingerprints]
xmppframework.googlecode.com = b1:af:83:76:f3:81:b0:57:70:d8:07:42:c8:c1:b3:67:38:c8:7a:bc
Edited because original answer was ugly.
It's not a SVN link, it's Mercurial link, so you can't use svn tool. You need Mercurial for this.
Windows XP, Mercurial 1.6.4
hg clone https://demas@bitbucket.org/demas/start.here
destination directory: start.here
requesting all changes
abort: error:
But if I use SSH all works fine
hg clone ssh://hg@bitbucket.org/demas/start.here
Debug info:
hg clone --debug https://demas@bitbucket.org/demas/start.here
using https://bitbucket.org/demas/start.here
http auth: user demas, password not set
sending between command
destination directory: start.here
sending heads command
requesting all changes
sending changegroup command
abort: error:
Why? And how do I fix it?
Use a custom configuration to work around the handling of self-signed certificates:
Note that per the default settings installed, connections to repositories with self-signed certificates fail with 1.7.3. You need to adjust the default configuration for that case.
References
CA Certificates in hg on Windows
hg import from a https URL fails