From dcbc36572f19d99e32b7bc5a25f20f788c9375b8 Mon Sep 17 00:00:00 2001
From: Craig Scott
Date: Sun, 28 May 2023 20:24:05 +1000
Subject: ExternalProject: Respect TLS_VERIFY for git update step

Git config options can be passed to git clone before or after the "clone" keyword. If specified before, the config setting is only applied to that command invocation. It acts to override the value in the global or project defaults (the latter doesn't exist for clone). When the config setting is passed after the "clone" keyword, it is saved into the cloned repository's config and will persist for later git operations. The existing implementation expected the latter behavior, but put the config setting before the "clone" keyword and therefore the setting was not persisting to the git update step. Move it to after the "clone" keyword so that it will persist. The submodule handling is different. There is no support for doing a "git submodule update" with a "sticky" config setting. Instead, you have to pass the setting with all such calls. The existing implementation was doing this for the clone step, but not the git update step. Add the config setting there as well so that submodules also effectively have the sslVerify setting persist to the update step too.

Fixes: #18948
---
 Modules/ExternalProject.cmake | 51 ++++++++++++++++++++++++------
 Modules/ExternalProject/gitclone.cmake.in | 6 ++--
 Modules/ExternalProject/gitupdate.cmake.in | 4 ++-
 3 files changed, 48 insertions(+), 13 deletions(-)
diff --git a/Modules/ExternalProject.cmake b/Modules/ExternalProject.cmake
index e9e98a0..574b339 100644
--- a/Modules/ExternalProject.cmake
+++ b/Modules/ExternalProject.cmake
@@ -1333,6 +1333,8 @@ function(_ep_write_gitclone_script
 message(FATAL_ERROR "Tag for git checkout should not be empty.")
 endif()
+ set(git_submodules_config_options "")
+
 if(GIT_VERSION_STRING VERSION_LESS 2.20 OR
 2.21 VERSION_LESS_EQUAL GIT_VERSION_STRING)
 set(git_clone_options "--no-checkout")
@@ -1355,18 +1357,26 @@ function(_ep_write_gitclone_script
 if(NOT ${git_remote_name} STREQUAL "origin")
 list(APPEND git_clone_options --origin \"${git_remote_name}\")
 endif()
+ if(NOT "x${tls_verify}" STREQUAL "x")
+ # The clone config option is sticky, it will apply to all subsequent git
+ # update operations. The submodules config option is not sticky, because
+ # git doesn't provide any way to do that. Thus, we will have to pass the
+ # same config option in the update step too for submodules, but not for
+ # the main git repo.
+ if(tls_verify)
+ # Default git behavior is "true", but the user might have changed the
+ # global default to "false". Since TLS_VERIFY was given, ensure we honor
+ # the specified setting regardless of what the global default might be.
+ list(APPEND git_clone_options -c http.sslVerify=true)
+ set(git_submodules_config_options -c http.sslVerify=true)
+ else()
+ list(APPEND git_clone_options -c http.sslVerify=false)
+ set(git_submodules_config_options -c http.sslVerify=false)
+ endif()
+ endif()
 string (REPLACE ";" " " git_clone_options "${git_clone_options}")
- set(git_options)
- # disable cert checking if explicitly told not to do it
- if(NOT "x${tls_verify}" STREQUAL "x" AND NOT tls_verify)
- set(git_options
- -c http.sslVerify=false
- )
- endif()
- string (REPLACE ";" " " git_options "${git_options}")
-
 configure_file(
 ${CMAKE_CURRENT_FUNCTION_LIST_DIR}/ExternalProject/gitclone.cmake.in
 ${script_filename}
@@ -1409,6 +1419,7 @@ function(_ep_write_gitupdate_script
 git_repository
 work_dir
 git_update_strategy
+ tls_verify
 )
 if("${git_tag}" STREQUAL "")
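Review bot: In `_ep_write_gitclone_script` (hunk at -1355) the `else()` branch now places `-c http.sslVerify=false` after `clone`, so a project with TLS_VERIFY off gets certificate verification disabled in the cloned repository's own config, where it applies to every later git command run in that source directory and not only to the update step. The added comment explains the stickiness but not this consequence; I would add `# NOTE: TLS_VERIFY=OFF is written to the clone's git config and persists until the repository is re-cloned.` above the `else()` assignments. The value is only stored when the clone runs, so whether a later change of TLS_VERIFY reaches an existing clone depends on the clone-step rerun logic, which is outside this hunk.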
@@ -1423,6 +1434,22 @@ function(_ep_write_gitupdate_script
 list(APPEND git_stash_save_options --all)
 endif()
+ set(git_submodules_config_options "")
+ if(NOT "x${tls_verify}" STREQUAL "x")
+ # The submodules config option is not sticky, git doesn't provide any way
+ # to do that. We have to pass this config option for the update step too.
+ # We don't need to set it for the non-submodule update because it gets
+ # recorded as part of the clone operation in a sticky manner.
+ if(tls_verify)
+ # Default git behavior is "true", but the user might have changed the
+ # global default to "false". Since TLS_VERIFY was given, ensure we honor
+ # the specified setting regardless of what the global default might be.
+ set(git_submodules_config_options -c http.sslVerify=true)
+ else()
+ set(git_submodules_config_options -c http.sslVerify=false)
+ endif()
+ endif()
+
 configure_file(
 "${CMAKE_CURRENT_FUNCTION_LIST_DIR}/ExternalProject/gitupdate.cmake.in"
 "${script_filename}"
@@ -3361,6 +3388,11 @@ function(_ep_add_update_command name)
 _ep_get_git_submodules_recurse(git_submodules_recurse)
+ get_property(tls_verify TARGET ${name} PROPERTY _EP_TLS_VERIFY)
+ if("x${tls_verify}" STREQUAL "x" AND DEFINED CMAKE_TLS_VERIFY)
+ set(tls_verify "${CMAKE_TLS_VERIFY}")
+ endif()
+
 set(update_script "${tmp_dir}/${name}-gitupdate.cmake")
 list(APPEND file_deps ${update_script})
 _ep_write_gitupdate_script(
@@ -3374,6 +3406,7 @@ function(_ep_add_update_command name)
 "${git_repository}"
 "${work_dir}"
 "${git_update_strategy}"
+ "${tls_verify}"
 )
 set(cmd ${CMAKE_COMMAND} -Dcan_fetch=YES -P ${update_script})
 set(cmd_disconnected ${CMAKE_COMMAND} -Dcan_fetch=NO -P ${update_script})
diff --git a/Modules/ExternalProject/gitclone.cmake.in b/Modules/ExternalProject/gitclone.cmake.in
index 3312171..94b329a 100644
--- a/Modules/ExternalProject/gitclone.cmake.in
+++ b/Modules/ExternalProject/gitclone.cmake.in
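Review bot: The `tls_verify` to `http.sslVerify` mapping added to `_ep_write_gitupdate_script` (hunk at -1423) repeats the block added to `_ep_write_gitclone_script` in the hunk at -1355, so the two copies can drift apart and leave the clone and update steps disagreeing about certificate verification. A small private helper that both functions call, taking `tls_verify` and setting `git_submodules_config_options` in the caller's scope, would keep that decision in one place. Both function bodies extend beyond their hunks, so any other use of the option is not visible here.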
@@ -25,7 +25,7 @@ set(error_code 1)
 set(number_of_tries 0)
 while(error_code AND number_of_tries LESS 3)
 execute_process(
- COMMAND "@git_EXECUTABLE@" @git_options@
+ COMMAND "@git_EXECUTABLE@"
 clone @git_clone_options@ "@git_repository@" "@src_name@"
 WORKING_DIRECTORY "@work_dir@"
 RESULT_VARIABLE error_code
@@ -40,7 +40,7 @@ if(error_code)
 endif()
 execute_process(
- COMMAND "@git_EXECUTABLE@" @git_options@
+ COMMAND "@git_EXECUTABLE@"
 checkout "@git_tag@" @git_checkout_explicit--@
 WORKING_DIRECTORY "@work_dir@/@src_name@"
 RESULT_VARIABLE error_code
@@ -52,7 +52,7 @@ endif()
 set(init_submodules @init_submodules@)
 if(init_submodules)
 execute_process(
- COMMAND "@git_EXECUTABLE@" @git_options@
+ COMMAND "@git_EXECUTABLE@" @git_submodules_config_options@
 submodule update @git_submodules_recurse@ --init @git_submodules@
 WORKING_DIRECTORY "@work_dir@/@src_name@"
 RESULT_VARIABLE error_code
diff --git a/Modules/ExternalProject/gitupdate.cmake.in b/Modules/ExternalProject/gitupdate.cmake.in
index eb3cda7..171aa7b 100644
--- a/Modules/ExternalProject/gitupdate.cmake.in
+++ b/Modules/ExternalProject/gitupdate.cmake.in
@@ -283,7 +283,9 @@ endif()
 set(init_submodules "@init_submodules@")
 if(init_submodules)
 execute_process(
- COMMAND "@git_EXECUTABLE@" --git-dir=.git submodule update @git_submodules_recurse@ --init @git_submodules@
+ COMMAND "@git_EXECUTABLE@"
+ --git-dir=.git @git_submodules_config_options@
+ submodule update @git_submodules_recurse@ --init @git_submodules@
 WORKING_DIRECTORY "@work_dir@"
 COMMAND_ERROR_IS_FATAL ANY
 )
-- 
cgit v0.12
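Review bot: `@git_submodules_config_options@` in the gitclone.cmake.in hunk at -52 (and in gitupdate.cmake.in at -283) is substituted as an unjoined CMake list, whereas `git_clone_options` is space-joined with `string (REPLACE ";" " " ...)` before `configure_file()` in the hunk at -1355. The generated script should therefore read `-c;http.sslVerify=...`, which still splits into two arguments because it is unquoted, but reads differently from the clone line above it. Either join it the same way or add a comment next to the `set()` calls such as `# Left as a list: the template uses it unquoted, so ';' splits it into two arguments.`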
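Review bot: Only the `submodule update` call in gitupdate.cmake.in (hunk at -283) receives `@git_submodules_config_options@`; the main repository's fetch relies on the value stored at clone time, and per the commit message, clones made before this change never stored it. An existing source directory updated after upgrading would presumably still fetch with git's global `http.sslVerify` default, even when TLS_VERIFY is ON. Passing the same `-c http.sslVerify=...` option ahead of the fetch subcommand would cover that case. The fetch invocation is outside this hunk, so this should be checked against the full template.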