Rely on OS certificates for downloading Hex/Rebar manifests

Author: josevalim

lib/mix/lib/mix/local.ex

@@ -5,20 +5,6 @@
 defmodule Mix.Local do
   @moduledoc false
 
-  @public_keys_html "https://builds.hex.pm/installs/public_keys.html"
-
-  @in_memory_key """
-  -----BEGIN PUBLIC KEY-----
-  MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAslPz1mAfyAvRv8W8xOdv
-  HQMbDJkDKfRhsL4JBGwGH7qw0xh+TbaUlNaM3pF+i8VUjS/4FeXjT/OAUEAHu5Y2
-  rBVlx00QcH8Dpbyf+H73XiCs0MXnTSecqDgzx6i6NMi8knklHT7yHySHtuuPmPuN
-  Po8QTKolCKftwPE/iNDeyZfwufd+hTCoCQdoTVcB01SElfNtvKRtoKbx35q80IPr
-  rOcGsALmr58+bWqCTY/51kFeRxzrPJ5LdcLU/AebyWddD4IUfPDxk16jTiCagMWA
-  JPSwo8NUrWDIBbD+rEUp06y0ek276rG5Tzm/3Bma56RN/u6nAqBTBE8F2Hu2QBKj
-  lQIDAQAB
-  -----END PUBLIC KEY-----
-  """
-
   @doc """
   Returns the name for an archive or an escript, based on the project config.
 
@@ -167,40 +153,16 @@ defmodule Mix.Local do
 
   Used to install both Rebar and Hex from S3.
   """
-  def find_matching_versions_from_signed_csv!(name, version, path) do
-    ensure_applications!()
-    csv = read_unsafe_path!(name, path)
-
-    signature =
-      read_unsafe_path!(name, path <> ".signed")
-      |> String.replace("\n", "")
-      |> Base.decode64!()
-
-    verified? =
-      Enum.any?(public_keys(), fn {id, key} ->
-        :public_key.verify(csv, :sha512, signature, decode_pk!(id, key))
-      end)
-
-    if verified? do
-      result =
-        csv
-        |> parse_csv()
-        |> find_latest_eligible_version(version)
-
-      result || Mix.raise("Could not find a version of #{name} matching: #{version}")
-    else
-      Mix.raise(
-        "Could not install #{name} because Mix could not verify authenticity " <>
-          "of metadata file at #{inspect(path)}. This may happen because a proxy or some " <>
-          "entity is interfering with the download or because you don't have a " <>
-          "public key to verify the download.\n\nYou may try again later or check " <>
-          "if a new public key has been released in our public keys page: #{@public_keys_html}"
-      )
-    end
+  def find_matching_versions!(name, version, path) do
+    name
+    |> read_path!(path)
+    |> parse_csv()
+    |> find_latest_eligible_version(version)
+    |> Kernel.||(Mix.raise("Could not find a version of #{name} matching: #{version}"))
   end
 
-  defp read_unsafe_path!(name, path) do
-    case Mix.Utils.read_path(path, unsafe_uri: true) do
+  defp read_path!(name, path) do
+    case Mix.Utils.read_path(path) do
       {:ok, contents} ->
         contents
 
@@ -242,78 +204,20 @@ defmodule Mix.Local do
     |> find_version(artifact_version, elixir_version)
   end
 
-  defp find_version(entries, _artifact_version = nil, elixir_version) do
-    Enum.find_value(entries, &find_by_elixir_version(&1, elixir_version))
-  end
-
   defp find_version(entries, artifact_version, elixir_version) do
-    Enum.find_value(entries, &find_by_artifact_version(&1, artifact_version, elixir_version))
-  end
-
-  defp find_by_elixir_version([artifact_version, digest | versions], elixir_version) do
-    if version = Enum.find(versions, &(Version.compare(&1, elixir_version) != :gt)) do
-      {version, artifact_version, digest}
-    end
-  end
-
-  defp find_by_artifact_version(
-         [artifact_version, digest | versions],
-         artifact_version,
-         elixir_version
-       ) do
-    if version = Enum.find(versions, &(Version.compare(&1, elixir_version) != :gt)) do
-      {version, artifact_version, digest}
-    end
-  end
-
-  defp find_by_artifact_version(_entry, _artifact_version, _elixir_version) do
-    nil
-  end
-
-  ## Public keys
-
-  @doc """
-  Returns the file system path for public keys.
-  """
-  def public_keys_path, do: Path.join(Mix.Utils.mix_home(), "public_keys")
-
-  @doc """
-  Returns all public keys as a list.
-  """
-  def public_keys do
-    path = public_keys_path()
-
-    [{"in-memory public key for Elixir v#{System.version()}", @in_memory_key}] ++
-      case File.ls(path) do
-        {:ok, keys} -> Enum.map(keys, &{&1, File.read!(Path.join(path, &1))})
-        {:error, _} -> []
+    entries =
+      if artifact_version do
+        Enum.filter(entries, &(hd(&1) == artifact_version))
+      else
+        entries
       end
-  end
 
-  @doc """
-  Decodes a public key and raises if the key is invalid.
-  """
-  def decode_pk!(id, key) do
-    ensure_applications!()
-
-    try do
-      [rsa_public_key] = :public_key.pem_decode(key)
-      :public_key.pem_entry_decode(rsa_public_key)
-    rescue
-      _ ->
-        Mix.raise("""
-        Could not decode public key: #{id}. The public key contents are shown below.
-
-        #{key}
-
-        Public keys must be valid and be in the PEM format
-        """)
-    end
+    Enum.find_value(entries, &find_by_elixir_version(&1, elixir_version))
   end
 
-  defp ensure_applications! do
-    Mix.ensure_application!(:crypto)
-    Mix.ensure_application!(:asn1)
-    Mix.ensure_application!(:public_key)
+  defp find_by_elixir_version([artifact_version, digest, hex_elixir_version | _], elixir_version) do
+    if Version.compare(hex_elixir_version, elixir_version) != :gt do
+      {hex_elixir_version, artifact_version, digest}
+    end
   end
 end

lib/mix/lib/mix/tasks/local.hex.ex

@@ -73,11 +73,7 @@ defmodule Mix.Tasks.Local.Hex do
     hex_url = Mix.Hex.url()
 
     {elixir_version, hex_version, sha512} =
-      Mix.Local.find_matching_versions_from_signed_csv!(
-        "Hex",
-        version,
-        hex_url <> @hex_list_path
-      )
+      Mix.Local.find_matching_versions!("Hex", version, hex_url <> @hex_list_path)
 
     url =
       (hex_url <> @hex_archive_path)

lib/mix/lib/mix/tasks/local.public_keys.ex

@@ -115,7 +115,7 @@ defmodule Mix.Tasks.Local.Rebar do
     list_url = hex_url <> list_url
 
     {elixir_version, rebar_version, sha512} =
-      Mix.Local.find_matching_versions_from_signed_csv!("Rebar", _version = nil, list_url)
+      Mix.Local.find_matching_versions!("Rebar", _version = nil, list_url)
 
     url =
       (hex_url <> escript_url)

lib/mix/lib/mix/tasks/local.rebar.ex

@@ -625,9 +625,7 @@ defmodule Mix.Utils do
   ## Options
 
     * `:sha512` - checks against the given SHA-512 checksum. Returns
-      `{:checksum, message}` in case it fails. This option is required
-      for URLs unless the `:unsafe_uri` is given (WHICH IS NOT RECOMMENDED
-      unless another security mechanism is in place, such as private keys)
+      `{:checksum, message}` in case it fails
 
     * `:timeout` - times out the request after the given milliseconds.
       Returns `{:remote, timeout_message}` if it fails. Defaults to 60
@@ -645,8 +643,7 @@ defmodule Mix.Utils do
       url?(path) ->
         task =
           Task.async(fn ->
-            with :ok <- require_checksum(opts),
-                 {:ok, binary} <- read_httpc(path) do
+            with {:ok, binary} <- read_httpc(path) do
               checksum(binary, opts)
             end
           end)
@@ -670,19 +667,6 @@ defmodule Mix.Utils do
 
   @checksums [:sha512]
 
-  defp require_checksum(opts) do
-    cond do
-      Keyword.take(opts, @checksums) != [] ->
-        :ok
-
-      Keyword.get(opts, :unsafe_uri) ->
-        :ok
-
-      true ->
-        {:checksum, "fetching from URIs require a checksum to be given"}
-    end
-  end
-
   defp checksum(binary, opts) do
     Enum.find_value(@checksums, {:ok, binary}, fn hash ->
       with expected when expected != nil <- opts[hash],