45

I'm looking for a way to make --insecure option the default one for any hg \ TortoiseHg command.

Please don't write this is a bad practice - I am aware of the possible risks and consider them fully acceptable.

Alex Yakunin
  • 6,330
  • 3
  • 33
  • 52

4 Answers

34

If your goal is to eliminate certificate fingerprint warnings during push/pull, there's a better way to do this. Use the [hostfingerprints] section in .hg/hgrc (or ~/.hgrc -- see comments).

[hostfingerprints]
server.example.org = 38:76:52:7c:87:26:9a:8f:4a:f8:d3:de:08:45:3b:ea:d6:4b:ee:cc

This will eliminate the warnings without eliminating the security checks.

Note: I see from your comments to another answer that you've already found this solution. I'm posting this anyway in case someone else has the same problem.

Bruce Alderman
  • 2,284
  • 2
  • 27
  • 38
  • 1
    Thanks for posting this. It's exactly what I needed. – Cypher Jul 31 '13 at 19:13
  • 2
    There is a nice question about getting server fingerprints using bash: http://stackoverflow.com/a/5165073/1760643 Here's the command: `openssl s_client -connect : < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin` – d9k Sep 19 '14 at 01:12
  • 1
    Mine had to go in ~/.hgrc – jeremyjjbrown Dec 17 '14 at 17:42
27

Setting cacerts in the [web] section to the empty string looks to be the same thing. From the source:

if cmdoptions.get('insecure', False):
    ui.setconfig('web', 'cacerts', '!', '--insecure')

which the wiki confirms:

Sometimes it may be expedient to disable security checks, for instance when dealing with hosts with self-signed certificates. This can be done by disabling the CA certificate configuration on the command line:

hg push --config web.cacerts= https://self-signed-host/repo

So putting cacerts=! in the [web] section of your global hgrc (/etc/mercurial/hgrc on linux-likes) will get you there.

Vadim Kotov
  • 8,084
  • 8
  • 48
  • 62
Ry4an Brase
  • 78,112
  • 7
  • 148
  • 169
  • This approach really works - thanks a lot! The only issue is that Hg prints `"warning: something.com certificate with fingerprint 81:....:fe not verified (check hostfingerprints or web.cacerts config setting)"` several times during `hg pull` and `hg push`. – Alex Yakunin Mar 22 '11 at 06:31
  • 5
    So I finally decided to use an approach with `[hostfingerprints]` section. – Alex Yakunin Mar 22 '11 at 06:33
  • 1
    What's also good about [hostfingerprints] is that you can place them in the repository hgrc instead of the root one, so this change will not affect all the other repositories. – Andriy K Apr 09 '12 at 10:48
  • @AndriyK any setting can go in the repo's `.hg/hgrc` file. No settings are limited to specific locations in the various possible hgrc locations. – Ry4an Brase Apr 09 '12 at 13:17
  • 2
    In my particular case `[web] caserts=` wasn't working on the repository level. Maybe I did something wrong. – Andriy K Apr 09 '12 at 17:12
  • You now have to use web.cacerts=! – Tom Feb 25 '17 at 08:27
  • 1
    In Mercurial >= 3.9 web.cacerts=! option has been removed. https://www.mercurial-scm.org/wiki/SecureConnections – Tom Mar 13 '19 at 15:10
  • Note to future self: (should have added this last time) - solved the problem on Android + iOS by shipping the Python module "certifi" – Tom Jan 22 '20 at 20:55
18

You can use aliases to achieve that. Add this to your .hgrc :

[alias]
push = push --insecure

The problem is you will have to do this for each command you want to use, and I suggest you use different names for your aliases than the default ones.

As far as I know, there's no way to enforce --insecure for all commands "automatically".

krtek
  • 26,334
  • 5
  • 56
  • 84
  • This works even when Mercurial is called internally (without the parameter) - from IntelliJ IDEA. – Dimitar II Jan 12 '17 at 06:13
  • As you quietly point out, if you're going to use `alias`, you should likely use something more like `ipush = push --insecure` so it's not confused with the standard command (i.e. make the user understand what's happening, don't "trick" the command into doing "the wrong thing" by default). – RVT Dec 15 '21 at 03:37
2

Background

As pointed out in Bruce Alderman's answer, a good alternative to using the --insecure option is to simply add the host fingerprints to the ~/.hgrc file. (It's presumably forbidden to add them to .hg/hgrc due to security risks.) The [hostfingerprints] section however has been deprecated.

New instructions

Add the following to ~/.hgrc:

[hostsecurity]
<host>:fingerprints=sha256:<hash>

where <host> should be substituted with the hostname (without the https:// prefix), and <hash> should be substituted with the SHA-256 fingerprint (32 bytes, written as :-separated hexadecimal). The output of the following SHA-256 fingerprint command

openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin

after substituting <host> and <port> is of the form

SHA256 Fingerprint=<hash>

For example, for a self-signed certificate running from the local machine, one might have an entry in ~/.hgrc which looks like

[hostsecurity]
localhost:fingerprints=sha256:DD:30:5A:9B:2C:E1:59:7E:46:C4:42:D3:41:34:03:17:2A:CF:50:E8:DF:78:E6:2E:C9:42:D9:9A:C9:58:AC:52

There is further documentation on Mercurial's page about secure connections.

Ben Mares
  • 1,764
  • 1
  • 15
  • 26
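Added example, not code from any of the answers above or from Mercurial itself: it shows what the `[hostfingerprints]` / `[hostsecurity]` pins in Bruce Alderman's and Ben Mares's answers actually pin, and how a client-side check against such a pin works. It assumes (as Mercurial's documentation describes) that the pin is the SHA-256 digest of the server's DER-encoded leaf certificate, compared ignoring case and colons; `SAMPLE_DER` is a constructed stand-in byte string, not a real certificate, and the function names are this example's own.

```python
"""Build and verify the SHA-256 certificate pins that Mercurial's
[hostsecurity] section expects (added example, not Mercurial's own code).

Assumption: a pin is the SHA-256 digest of the DER-encoded server
certificate, matched case-insensitively with colons ignored.
"""
import configparser
import hashlib
from typing import Dict, List


def fingerprint_from_der(der: bytes) -> str:
    """SHA-256 digest of a DER-encoded certificate, formatted the way
    `openssl x509 -fingerprint -sha256` prints it (colon-separated, upper-case)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def hostsecurity_entry(host: str, der: bytes) -> str:
    """Render the `[hostsecurity]` line that pins `der` for `host`."""
    return f"{host}:fingerprints=sha256:{fingerprint_from_der(der)}"


def _normalize(fp: str) -> str:
    # Strip the "sha256:" prefix, the colons and the case so that openssl
    # output and hand-typed values compare equal.
    if fp.lower().startswith("sha256:"):
        fp = fp[len("sha256:"):]
    return fp.replace(":", "").lower()


def load_pins(hgrc_text: str) -> Dict[str, List[str]]:
    """Parse the [hostsecurity] section of an hgrc into
    {host: [normalized sha256 pins]}. Pins of other hash types are ignored."""
    # Keys look like "host:fingerprints", so ':' must not be treated as a
    # key/value delimiter (configparser's default would split on it).
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(hgrc_text)
    pins: Dict[str, List[str]] = {}
    if not parser.has_section("hostsecurity"):
        return pins
    for key, value in parser.items("hostsecurity"):
        host, sep, option = key.rpartition(":")
        if not sep or option != "fingerprints":
            continue
        # Mercurial allows several comma-separated pins per host.
        for item in value.split(","):
            item = item.strip()
            if item.lower().startswith("sha256:"):
                pins.setdefault(host, []).append(_normalize(item))
    return pins


def is_pinned(host: str, der: bytes, pins: Dict[str, List[str]]) -> bool:
    """True when the presented certificate matches one of the host's pins.
    A host without a pin fails closed here; Mercurial itself would fall
    back to ordinary CA verification for such a host."""
    presented = _normalize(fingerprint_from_der(der))
    return presented in pins.get(host.lower(), [])


# Constructed stand-in for a DER-encoded certificate (not a real cert).
SAMPLE_DER = b"abc"

# Constructed hgrc fragment pinning that stand-in for localhost.
SAMPLE_HGRC = "[hostsecurity]\n" + hostsecurity_entry("localhost", SAMPLE_DER) + "\n"

if __name__ == "__main__":
    pins = load_pins(SAMPLE_HGRC)
    print(hostsecurity_entry("localhost", SAMPLE_DER))
    print("genuine cert accepted:", is_pinned("localhost", SAMPLE_DER, pins))
    print("altered cert accepted:", is_pinned("localhost", SAMPLE_DER + b"x", pins))
```

To pin a real server, feed `hostsecurity_entry` the DER bytes of its certificate (for instance the output of `openssl x509 -outform DER` on the PEM that the `openssl s_client` pipeline in the answer above prints) and paste the resulting line into `~/.hgrc`. Because the pin is a digest of the whole certificate, it has to be refreshed whenever the server's certificate is reissued, which is the operational cost of pinning compared with `--insecure`, and also the reason it still catches a swapped certificate while `--insecure` does not.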