From 23a71e4e4d5ca6bdb39e250335074a2b8ab74a02 Mon Sep 17 00:00:00 2001
From: Brad King
Date: Wed, 6 Apr 2016 16:39:46 -0400
Subject: [PATCH 1/2] ExternalProject: Tell Git not to verify certs only if TLS_VERIFY is OFF
Since commit 272779ce (ExternalProject: Allow TLS_VERIFY for git clones, 2016-04-01) we pass the `-c http.sslVerify=false` option to `git clone` even if no explicit `TLS_VERIFY` option was set. This changes behavior because we used to use the default Git behavior by default. Revise the logic to preserve the old default behavior by passing the new option only if `TLS_VERIFY` was explicitly passed as `OFF`. While at it, also honor `CMAKE_TLS_VERIFY` if the explicit `TLS_VERIFY` option is not given.
---
 Modules/ExternalProject.cmake | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/Modules/ExternalProject.cmake b/Modules/ExternalProject.cmake
index 8d8382fab..1859890a1 100644
--- a/Modules/ExternalProject.cmake
+++ b/Modules/ExternalProject.cmake
@@ -525,7 +525,10 @@ if(error_code)
 endif()
 set(git_options)
-if(NOT tls_verify)
+
+# disable cert checking if explicitly told not to do it
+set(tls_verify \"${tls_verify}\")
+if(NOT \"x${tls_verify}\" STREQUAL \"x\" AND NOT tls_verify)
 list(APPEND git_options -c http.sslVerify=false)
 endif()
@@ -1784,8 +1787,8 @@ function(_ep_add_download_command name)
 endif()
 get_property(tls_verify TARGET ${name} PROPERTY _EP_TLS_VERIFY)
- if(NOT tls_verify)
- set(tls_verify OFF)
+ if("x${tls_verify}" STREQUAL "x" AND DEFINED CMAKE_TLS_VERIFY)
+ set(tls_verify "${CMAKE_TLS_VERIFY}")
 endif()
 # For the download step, and the git clone operation, only the repository
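Review bot: An explicit `TLS_VERIFY ON` is not enforced by the new condition in the `@@ -525,7` hunk: only the explicit-false case adds an option, so a true value falls through to whatever `http.sslVerify` Git already has configured, including a `false` set in the user's or system Git configuration. If an explicit ON is meant to guarantee verification, add an `elseif(tls_verify)` branch with `list(APPEND git_options -c http.sslVerify=true)`. It would also help to emit a `message(STATUS ...)` in the false branch so the clone log shows that certificate checking was turned off. The generated script template this hunk edits starts and ends outside the hunk.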
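Review bot: The fallback added in the `@@ -1784,8` hunk leaves `tls_verify` with three meanings (empty, false, true) that are not documented anywhere in the hunk, and the empty-versus-false distinction is what decides whether certificate checking is switched off. As far as these hunks show, a project-wide `CMAKE_TLS_VERIFY` that evaluates false now disables certificate verification for every git clone that does not pass `TLS_VERIFY` itself. I would add a comment above the `if`, e.g. `# Empty means TLS_VERIFY was not given: fall back to CMAKE_TLS_VERIFY if defined, otherwise leave Git's own http.sslVerify setting in effect.` The body of `_ep_add_download_command` starts and ends outside the hunk.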
@@ -1812,7 +1815,7 @@ function(_ep_add_download_command name)
 #
 _ep_write_gitclone_script(${tmp_dir}/${name}-gitclone.cmake ${source_dir} ${GIT_EXECUTABLE} ${git_repository} ${git_tag} ${git_remote_name} "${git_submodules}" ${src_name} ${work_dir}
- ${stamp_dir}/${name}-gitinfo.txt ${stamp_dir}/${name}-gitclone-lastrun.txt ${tls_verify}
+ ${stamp_dir}/${name}-gitinfo.txt ${stamp_dir}/${name}-gitclone-lastrun.txt "${tls_verify}"
 )
 set(comment "Performing download step (git clone) for '${name}'")
 set(cmd ${CMAKE_COMMAND} -P ${tmp_dir}/${name}-gitclone.cmake)
From 4d8c988caa1f5e13821a6fb392cd72e681082e97 Mon Sep 17 00:00:00 2001
From: Brad King
Date: Wed, 6 Apr 2016 16:21:16 -0400
Subject: [PATCH 2/2] ExternalProject: Fix file download script with CMAKE_TLS_{VERIFY,CAINFO}
Avoid generating incorrect code such as set(CMAKE_TLS_VERIFY set(CMAKE_TLS_VERIFY 1)) when one of these variables is set in the calling project.
---
 Modules/ExternalProject.cmake | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/Modules/ExternalProject.cmake b/Modules/ExternalProject.cmake
index 1859890a1..1f3dc3806 100644
--- a/Modules/ExternalProject.cmake
+++ b/Modules/ExternalProject.cmake
@@ -859,12 +859,15 @@ function(_ep_write_downloadfile_script script_filename remote local timeout no_p
 set(hash_check "")
 endif()
+ set(tls_verify_code "")
+ set(tls_cainfo_code "")
+
 # check for curl globals in the project
 if(DEFINED CMAKE_TLS_VERIFY)
- set(tls_verify "set(CMAKE_TLS_VERIFY ${CMAKE_TLS_VERIFY})")
+ set(tls_verify_code "set(CMAKE_TLS_VERIFY ${CMAKE_TLS_VERIFY})")
 endif()
 if(DEFINED CMAKE_TLS_CAINFO)
- set(tls_cainfo "set(CMAKE_TLS_CAINFO \"${CMAKE_TLS_CAINFO}\")")
+ set(tls_cainfo_code "set(CMAKE_TLS_CAINFO \"${CMAKE_TLS_CAINFO}\")")
 endif()
 # now check for curl locals so that the local values
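Review bot: The generated `set(CMAKE_TLS_VERIFY ${CMAKE_TLS_VERIFY})` line in the `@@ -859,12` hunk interpolates the caller's value unquoted, while the `CMAKE_TLS_CAINFO` line beside it is wrapped in escaped quotes. A value that is empty, contains whitespace or `;`, or is otherwise not a plain boolean is therefore copied into the download script as-is, with no check. Since this setting controls whether the download verifies the server certificate, consider normalising it when the script is generated: test `if(CMAKE_TLS_VERIFY)` and emit `set(tls_verify_code "set(CMAKE_TLS_VERIFY ON)")`, otherwise the same line with `OFF`. The same applies to `set(tls_verify_code "set(CMAKE_TLS_VERIFY ${tls_verify})")` in the `@@ -873,12` hunk; `_ep_write_downloadfile_script` starts and ends outside both hunks.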
@@ -873,12 +876,12 @@ function(_ep_write_downloadfile_script script_filename remote local timeout no_p
 # check for tls_verify argument
 string(LENGTH "${tls_verify}" tls_verify_len)
 if(tls_verify_len GREATER 0)
- set(tls_verify "set(CMAKE_TLS_VERIFY ${tls_verify})")
+ set(tls_verify_code "set(CMAKE_TLS_VERIFY ${tls_verify})")
 endif()
 # check for tls_cainfo argument
 string(LENGTH "${tls_cainfo}" tls_cainfo_len)
 if(tls_cainfo_len GREATER 0)
- set(tls_cainfo "set(CMAKE_TLS_CAINFO \"${tls_cainfo}\")")
+ set(tls_cainfo_code "set(CMAKE_TLS_CAINFO \"${tls_cainfo}\")")
 endif()
 file(WRITE ${script_filename}
@@ -887,8 +890,8 @@ function(_ep_write_downloadfile_script script_filename remote local timeout no_p
 dst='${local}' timeout='${timeout_msg}'\")
-${tls_verify}
-${tls_cainfo}
+${tls_verify_code}
+${tls_cainfo_code}
 file(DOWNLOAD \"${remote}\"