Upcoming Repository Certificate Replacement

Posted on 01 Mar 2021 by Boris Kolpackov

TL;DR: Both cppget.org and stage.build2.org package repository certificates will be replaced with renewed versions on Tue the 9th of Mar 2021 at 12pm UTC. This will result in the change of certificate fingerprints. If you have these fingerprints specified as part of the trust values in your project's repositories.manifest files or --trust option values in bpkg or build2 toolchain install script invocations, then you will need to update any such places with new fingerprints. Read below for details.

The build2 toolchain uses X.509 certificates for repository signing. The cppget.org and stage.build2.org certificates are expiring soon and it's time to replace them with renewed versions. We will switch to the new certificates on Tue the 9th of Mar 2021 at 12pm UTC, hopefully giving everyone enough time to make any necessary arrangements.

The new certificates will have the following SHA256 fingerprints (the old certificate fingerprints are shown for reference; \ denotes a line continuation):

cppget.org:

  new: 70:64:FE:E4:E0:F3:60:F1:B4:51:E1:FA:12:5C:E0:B3:DB:DF:96:\
       33:39:B9:2E:E5:C2:68:63:4C:A6:47:39:43

  old: 86:BA:D4:DE:2C:87:1A:EE:38:C7:F1:64:7F:65:77:02:15:79:F3:\
       C4:83:C0:AB:5A:EA:F4:F7:8C:1D:63:30:C6

stage.build2.org:

  new: EC:50:13:E2:3D:F7:92:B4:50:0B:BF:2A:1F:7D:31:04:C6:57:6F:\
       BC:BE:04:2E:E0:58:14:FA:66:66:21:1F:14

  old: 37:CE:2C:A5:1D:CF:93:81:D7:07:46:AD:66:B3:C3:90:83:B8:96:\
       9E:34:F0:E7:B3:A2:B0:6C:EF:66:A4:BE:65

The change in the certificate fingerprints may require changes on your side in the following cases.

  1. If you listed one of the above repositories as a prerequisite or complement in your project's repositories.manifest file and such an entry specifies the trust value, then you will need to update the fingerprint in this value, for example:

    role: prerequisite
    location: https://pkg.cppget.org/1/stable
    trust: 86:BA:D4:DE:2C:87:1A:EE:38:C7:F1:64:7F:65:77:02:15:79:F3:\
    C4:83:C0:AB:5A:EA:F4:F7:8C:1D:63:30:C6

    Should be changed to:

    role: prerequisite
    location: https://pkg.cppget.org/1/stable
    trust: 70:64:FE:E4:E0:F3:60:F1:B4:51:E1:FA:12:5C:E0:B3:DB:DF:96:\
    33:39:B9:2E:E5:C2:68:63:4C:A6:47:39:43

    If you do not make the change, then the users of your project will be prompted to authenticate the repository (and any non-interactive uses will most likely fail).

  2. If you invoke one of the build2 toolchain install scripts (or build scripts from build2-toolchain) with the --trust option that specifies the fingerprint, then you will need to update this option value, for example:

    build2-install.sh ... --trust 86:BA:D4:DE:2C:87:1A:EE:38:C7:F1:\
    64:7F:65:77:02:15:79:F3:C4:83:C0:AB:5A:EA:F4:F7:8C:1D:63:30:C6

    Should be changed to:

    build2-install.sh ... --trust 70:64:FE:E4:E0:F3:60:F1:B4:51:E1:\
    FA:12:5C:E0:B3:DB:DF:96:33:39:B9:2E:E5:C2:68:63:4C:A6:47:39:43

    If you do not make the change, then the install script will prompt you to authenticate the repository (and any non-interactive invocation will most likely fail).

  3. Similarly, if you invoke bpkg with the --trust option that specifies the fingerprint, then you will need to update this option value, for example:

    bpkg fetch --trust 86:BA:D4:DE:2C:87:1A:EE:38:C7:F1:64:7F:65:\
    77:02:15:79:F3:C4:83:C0:AB:5A:EA:F4:F7:8C:1D:63:30:C6

    Should be changed to:

    bpkg fetch --trust 70:64:FE:E4:E0:F3:60:F1:B4:51:E1:FA:12:5C:\
    E0:B3:DB:DF:96:33:39:B9:2E:E5:C2:68:63:4C:A6:47:39:43

    If you do not make the change, then bpkg will prompt you to authenticate the repository (and any non-interactive invocation will most likely fail).

  4. If you have an existing bpkg configuration for which you have already authenticated one of the above repositories, re-fetching the repository information will trigger re-authentication of the repository (and any non-interactive re-fetch will most likely fail).
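Cases 1 to 3 above all come down to the same edit: find every place that pins one of the old fingerprints and swap in the new one, whether it sits in a repositories.manifest trust value, an install script or a bpkg command line. The following Python helper is an added example for this post, not part of the build2 toolchain, and it does that rotation for the four fingerprints announced above. It recognizes fingerprints split with a \ line continuation (and lays the replacement out on the same line breaks and indentation), leaves any other pinned fingerprint untouched, and reports old fingerprints that are still present, which makes a useful check to run across a source tree once the switch date has passed. The sample manifest entry and command line in the block are constructed for the example; case 4 (an already-authenticated bpkg configuration) is a per-configuration re-authentication and is not something a file rewrite can address.

```python
"""Rotate pinned build2 repository fingerprints in manifests and scripts.

Added example for this post, not part of the build2 toolchain. It assumes
the formats shown in the post: `trust:` values in repositories.manifest and
`--trust` values on command lines, where a long fingerprint may be split
with a backslash line continuation directly after a colon.
"""
import re

# Old -> new SHA256 fingerprints exactly as announced in the post.
ROTATIONS = {
    # cppget.org
    "86:BA:D4:DE:2C:87:1A:EE:38:C7:F1:64:7F:65:77:02:15:79:F3:C4:83:C0:AB:5A:EA:F4:F7:8C:1D:63:30:C6":
        "70:64:FE:E4:E0:F3:60:F1:B4:51:E1:FA:12:5C:E0:B3:DB:DF:96:33:39:B9:2E:E5:C2:68:63:4C:A6:47:39:43",
    # stage.build2.org
    "37:CE:2C:A5:1D:CF:93:81:D7:07:46:AD:66:B3:C3:90:83:B8:96:9E:34:F0:E7:B3:A2:B0:6C:EF:66:A4:BE:65":
        "EC:50:13:E2:3D:F7:92:B4:50:0B:BF:2A:1F:7D:31:04:C6:57:6F:BC:BE:04:2E:E0:58:14:FA:66:66:21:1F:14",
}

PAIR = r"[0-9A-Fa-f]{2}"
# A 32-byte colon-separated fingerprint; a backslash-newline (plus indentation)
# is permitted after any colon, as in the examples in the post.
FP_RE = re.compile(
    rf"(?<![0-9A-Fa-f:])(?:{PAIR}:(?:\\\n[ \t]*)?){{31}}{PAIR}(?![0-9A-Fa-f:])"
)


def canonical(fp):
    """Upper-case colon-separated form with continuations and indentation removed."""
    return ":".join(re.findall(PAIR, fp)).upper()


def rewrap(new_fp, old_text):
    """Lay out new_fp using the same line breaks and indentation as old_text."""
    pairs = new_fp.split(":")
    segments = old_text.split("\\\n")
    out, pos = [], 0
    for i, seg in enumerate(segments):
        n = len(re.findall(PAIR, seg))
        indent = seg[: len(seg) - len(seg.lstrip(" \t"))]
        chunk = ":".join(pairs[pos:pos + n])
        # every segment except the last ended with a colon in the original
        out.append(indent + chunk + (":" if i < len(segments) - 1 else ""))
        pos += n
    return "\\\n".join(out)


def rotate(text):
    """Replace each announced old fingerprint; returns (new_text, replacements)."""
    count = 0

    def repl(m):
        nonlocal count
        new_fp = ROTATIONS.get(canonical(m.group(0)))
        if new_fp is None:
            return m.group(0)  # some other pin: leave it alone
        count += 1
        return rewrap(new_fp, m.group(0))

    return FP_RE.sub(repl, text), count


def stale(text):
    """Old fingerprints still pinned in text; non-empty means the rotation is incomplete."""
    seen = {canonical(m.group(0)) for m in FP_RE.finditer(text)}
    return sorted(fp for fp in seen if fp in ROTATIONS)


# Constructed sample: a repositories.manifest entry and a bpkg invocation
# that both still pin the old certificates.
SAMPLE = (
    "role: prerequisite\n"
    "location: https://pkg.cppget.org/1/stable\n"
    "trust: 86:BA:D4:DE:2C:87:1A:EE:38:C7:F1:64:7F:65:77:02:15:79:F3:\\\n"
    "C4:83:C0:AB:5A:EA:F4:F7:8C:1D:63:30:C6\n"
    "\n"
    "bpkg fetch --trust 37:CE:2C:A5:1D:CF:93:81:D7:07:46:AD:66:B3:C3:90:83:B8:96:\\\n"
    "    9E:34:F0:E7:B3:A2:B0:6C:EF:66:A4:BE:65\n"
)

if __name__ == "__main__":
    updated, n = rotate(SAMPLE)
    print(f"{n} fingerprint(s) rotated, {len(stale(updated))} stale left")
    print(updated)
```

Running the script on the constructed sample rotates both pins and reports nothing stale; pointing `rotate` and `stale` at real files (read, rewrite, write back) is left to the caller so that the decision to modify a checked-in manifest stays explicit. Matching is case-insensitive and the rotation table is the only place that needs editing the next time the certificates are renewed.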

Let us know if you have any questions or concerns.