file(DOWNLOAD|UPLOAD): Add CMAKE_TLS_VERIFY environment variable

Issue: #23608

7 files changed, 46 insertions, 3 deletions

diff --git a/Help/envvar/CMAKE_TLS_VERIFY.rst b/Help/envvar/CMAKE_TLS_VERIFY.rst
new file mode 100644
index 0000000..a0ed323
--- /dev/null
+++ b/Help/envvar/CMAKE_TLS_VERIFY.rst
@@ -0,0 +1,11 @@
+CMAKE_TLS_VERIFY
+----------------
+
+.. versionadded:: 3.30
+
+.. include:: ENV_VAR.txt
+
+Specify the default value for the :command:`file(DOWNLOAD)` and
+:command:`file(UPLOAD)` commands' ``TLS_VERIFY`` option.
+This environment variable is used if the option is not given
+and the :variable:`CMAKE_TLS_VERIFY` cmake variable is not set.
diff --git a/Help/manual/cmake-env-variables.7.rst b/Help/manual/cmake-env-variables.7.rst
index 5273194..e693e4c 100644
--- a/Help/manual/cmake-env-variables.7.rst
+++ b/Help/manual/cmake-env-variables.7.rst
@@ -27,6 +27,7 @@ Environment Variables that Change Behavior
    /envvar/CMAKE_MAXIMUM_RECURSION_DEPTH
    /envvar/CMAKE_PREFIX_PATH
    /envvar/CMAKE_PROGRAM_PATH
+   /envvar/CMAKE_TLS_VERIFY
    /envvar/CMAKE_TLS_VERSION
    /envvar/SSL_CERT_DIR
    /envvar/SSL_CERT_FILE
diff --git a/Help/release/dev/curl-tls-version.rst b/Help/release/dev/curl-tls-version.rst
index 636fa3c..26d03ad 100644
--- a/Help/release/dev/curl-tls-version.rst
+++ b/Help/release/dev/curl-tls-version.rst
@@ -10,6 +10,10 @@ curl-tls-version
   for connections to ``https://`` URLs by the :command:`file(DOWNLOAD)`
   and :command:`file(UPLOAD)` commands.
 
+* The :envvar:`CMAKE_TLS_VERIFY` environment variable was added as a fallback
+  to the existing :variable:`CMAKE_TLS_VERIFY` variable.  It specifies
+  whether to verify the server certificate for ``https://`` URLs by default.
+
 * The :module:`ExternalProject` module's :command:`ExternalProject_Add`
   command gained a ``TLS_VERSION <min>`` option, and support for the
   :variable:`CMAKE_TLS_VERSION` variable and :envvar:`CMAKE_TLS_VERSION`
diff --git a/Help/variable/CMAKE_TLS_VERIFY.rst b/Help/variable/CMAKE_TLS_VERIFY.rst
index b22f1ce..5871ac7 100644
--- a/Help/variable/CMAKE_TLS_VERIFY.rst
+++ b/Help/variable/CMAKE_TLS_VERIFY.rst
@@ -3,7 +3,9 @@ CMAKE_TLS_VERIFY
 
 Specify the default value for the :command:`file(DOWNLOAD)` and
 :command:`file(UPLOAD)` commands' ``TLS_VERIFY`` options.
-If not set, the default is *off*.
+If this variable is not set, the commands check the
+:envvar:`CMAKE_TLS_VERIFY` environment variable.
+If neither is set, the default is *off*.
 
 This variable is also used by the :module:`ExternalProject` and
 :module:`FetchContent` modules for internal calls to :command:`file(DOWNLOAD)`.
diff --git a/Source/cmFileCommand.cxx b/Source/cmFileCommand.cxx
index ac1d22b..0369051 100644
--- a/Source/cmFileCommand.cxx
+++ b/Source/cmFileCommand.cxx
@@ -2036,6 +2036,12 @@ bool HandleDownloadCommand(std::vector<std::string> const& args,
       tls_verify = v.IsOn();
     }
   }
+  if (!tls_verify) {
+    if (cm::optional<std::string> v =
+          cmSystemTools::GetEnvVar("CMAKE_TLS_VERIFY")) {
+      tls_verify = cmIsOn(*v);
+    }
+  }
 
   if (!tls_version) {
     if (cmValue v = status.GetMakefile().GetDefinition("CMAKE_TLS_VERSION")) {
@@ -2439,6 +2445,12 @@ bool HandleUploadCommand(std::vector<std::string> const& args,
       tls_verify = v.IsOn();
     }
   }
+  if (!tls_verify) {
+    if (cm::optional<std::string> v =
+          cmSystemTools::GetEnvVar("CMAKE_TLS_VERIFY")) {
+      tls_verify = cmIsOn(*v);
+    }
+  }
 
   if (!tls_version) {
     if (cmValue v = status.GetMakefile().GetDefinition("CMAKE_TLS_VERSION")) {
diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad-stdout.txt b/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad-stdout.txt
index 72ab8f4..fbff3b9 100644
--- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad-stdout.txt
+++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad-stdout.txt
@@ -1,4 +1,6 @@
 -- def-0: 0;"No error"
+-- env-0: 0;"No error"
+-- env-1: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- var-0: 0;"No error"
 -- var-1: (60;"SSL peer certificate or SSH remote key was not OK"|35;"SSL connect error")
 -- opt-0: 0;"No error"
diff --git a/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad.cmake b/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad.cmake
index ed19bd6..a90c2f4 100644
--- a/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad.cmake
+++ b/Tests/RunCMake/file-DOWNLOAD/TLS_VERIFY-bad.cmake
@@ -7,17 +7,28 @@ function(download case)
 endfunction()
 
 # The default is OFF.
+unset(ENV{CMAKE_TLS_VERIFY})
 unset(CMAKE_TLS_VERIFY)
 download(def-0)
 
-# The cmake variable overrides the default.
+# The environment variable overrides the default.
+set(ENV{CMAKE_TLS_VERIFY} 0)
+download(env-0)
+set(ENV{CMAKE_TLS_VERIFY} 1)
+download(env-1)
+
+# The cmake variable overrides the environment variable.
+set(ENV{CMAKE_TLS_VERIFY} 1)
 set(CMAKE_TLS_VERIFY 0)
 download(var-0)
+set(ENV{CMAKE_TLS_VERIFY} 0)
 set(CMAKE_TLS_VERIFY 1)
 download(var-1)
 
-# The explicit argument overrides the cmake variable.
+# The explicit argument overrides the cmake variable and the environment variable.
+set(ENV{CMAKE_TLS_VERIFY} 1)
 set(CMAKE_TLS_VERIFY 1)
 download(opt-0 TLS_VERIFY 0)
+set(ENV{CMAKE_TLS_VERIFY} 0)
 set(CMAKE_TLS_VERIFY 0)
 download(opt-1 TLS_VERIFY 1)