问题
I'm looking for a way to make --insecure option the default one for any hg \ TortoiseHg command.
Please don't write this is a bad practice - I aware about possible risks and consider they're fully acceptable.
回答1:
Setting cacerts in the [web] section to the empty string looks to be the same thing. From the source:
if cmdoptions.get('insecure', False):
ui.setconfig('web', 'cacerts', '!', '--insecure')
which the wiki confirms:
Sometimes it may be expedient to disable security checks, for instance when dealing with hosts with self-signed certificates. This can be done by disabling the CA certificate configuration on the command line:
hg push --config web.cacerts= https://self-signed-host/repo
So putting cacerts=! in the [web] section of your global hgrc (/etc/mercurial/hgrc on linux-likes) will get you there.
回答2:
If your goal is to eliminate certificate fingerprint warnings during push/pull, there's a better way to do this. Use the [hostfingerprints] in .hg/hgrc (or ~/.hgrc -- see comments).
[hostfingerprints]
server.example.org = 38:76:52:7c:87:26:9a:8f:4a:f8:d3:de:08:45:3b:ea:d6:4b:ee:cc
This will eliminate the warnings without eliminating the security checks.
Note: I see from your comments to another answer that you've already found this solution. I'm posting this anyway in case someone else has the same problem.
回答3:
You can use aliases to achieve that. Add this to your .hgrc :
[alias]
push = push --insecure
Problem is you wil have to do this for each command you want to use and I suggest you use different names for your aliases than the default one.
As far as I know, there's no way to enforce --insecure for all commands "automatically".
回答4:
Background
As pointed out in Bruce Alderman's answer, a good alternative to using the --insecure option is to simply add the host fingerprints to the ~/.hgrc file. (It's presumably forbidden to add them to .hg/hgrc due to security risks.) The [hostfingerprints] section however has been deprecated.
New instructions
Add the following to ~/.hgrc:
[hostsecurity]
<host>:fingerprints=sha256:<hash>
where <host> should be substituted with the hostname (without the https:// prefix), and <hash> should be substituted with the SHA-256 fingerprint (32 bytes, written as :-separated hexadecimal). The output of the following SHA-256 fingerprint command
openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin
after substituting <host> and <port> is of the form
SHA256 Fingerprint=<hash>
For example, for a self-signed certificate running from the local machine, one might have an entry in ~/.hgrc which looks like
[hostsecurity]
localhost:fingerprints=sha256:DD:30:5A:9B:2C:E1:59:7E:46:C4:42:D3:41:34:03:17:2A:CF:50:E8:DF:78:E6:2E:C9:42:D9:9A:C9:58:AC:52
There is further documentation on Mercurial's page about secure connections.
来源:https://stackoverflow.com/questions/5366869/how-to-entirely-disable-ssl-certificate-checks-in-mercurial-tortoisehg