
23 Feb 2023, 12:48 p.m.
On Thu, Feb 23, 2023 at 11:40:21AM +0100, Hécate wrote:
> And I of course forgot the most relevant part for you: https://www.haskell.org/ghcup/guide/#certificate-authority-errors-curl

Why not publish the relevant issuer certificate chain? It could even be curated and regularly updated as ghcup "updates".

The curl executable has a "--cacert" option allowing the specification of an alternative trust anchor (root CA if you prefer) and any missing intermediate certificates. It also supports a "CURL_CA_BUNDLE" environment variable, if that's simpler.

An explicit (securely obtained) trust anchor is safer than ignoring download source authentication.

--
Viktor.
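
The approach described in the message above, sketched as an added example; it is not part of the original message and is not ghcup code. The function names, the `CURL` override variable, and the path and URL in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not ghcup code. fetch_with_anchor, pem_cert_count and the
# CURL override variable are hypothetical names chosen for illustration.

CURL=${CURL:-curl}

# Number of PEM certificate blocks in a bundle file.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# fetch_with_anchor BUNDLE URL OUTFILE
# Download URL, verifying the server against the certificates in BUNDLE.
# There is no fallback to an unauthenticated download: any problem with
# the bundle or the URL is a hard failure (exit status 2).
fetch_with_anchor() {
    bundle=$1 url=$2 out=$3
    if [ ! -r "$bundle" ]; then
        echo "trust anchor bundle not readable: $bundle" >&2; return 2
    fi
    if [ "$(pem_cert_count "$bundle")" -lt 1 ]; then
        echo "no PEM certificates found in: $bundle" >&2; return 2
    fi
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 2 ;;
    esac
    # --cacert names the file curl uses to verify the server certificate.
    # --proto/--proto-redir keep redirects from downgrading to plain HTTP.
    "$CURL" --fail --silent --show-error --location \
        --proto '=https' --proto-redir '=https' \
        --cacert "$bundle" --output "$out" "$url"
}

# Environment variable form, leaving the command line unchanged:
#   CURL_CA_BUNDLE=/path/to/bundle.pem curl --fail -o OUTFILE https://...
# Usage (placeholder path and URL):
#   fetch_with_anchor ./trust/bundle.pem https://example.org/file ./file
```
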