[vamp-sdk] build failure because of invalid certificate

[abique]

Hi,

vamp-sdk do not install because of invalid certificate.

I think the certificate check is not so important as we already have a hash to validate the downloaded file.
What do you think?

Regards,
Alex

To Reproduce
Steps to reproduce the behavior:
./vcpkg install vamp-sdk

Failure logs

Building package vamp-sdk[core]:x64-linux-bitwig...
-- [OVERLAY] Loading triplet configuration from: /home/buildbot/jenkins/workspace/cpp-libs-linux/src/vcpkg_support/triplets/x64-linux-bitwig.cmake
-- Downloading https://code.soundsoftware.ac.uk/attachments/download/2589/vamp-plugin-sdk-2.9.0.zip -> vamp-plugin-sdk-2.9.0.zip...
[DEBUG] Feature flag 'binarycaching' unset
[DEBUG] Feature flag 'manifests' = off
[DEBUG] Feature flag 'compilertracking' unset
[DEBUG] Feature flag 'registries' unset
[DEBUG] Feature flag 'versions' unset
[DEBUG] popen(curl --fail -L https://code.soundsoftware.ac.uk/attachments/download/2589/vamp-plugin-sdk-2.9.0.zip --create-dirs --output /home/buildbot/jenkins/workspace/cpp-libs-linux/src/vcpkg/downloads/vamp-plugin-sdk-2.9.0.zip.22201.part 2>&1)
[DEBUG] cmd_execute_and_stream_data() returned 15360 after   235045 us
Error: Failed to download from mirror set:
https://code.soundsoftware.ac.uk/attachments/download/2589/vamp-plugin-sdk-2.9.0.zip:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


[DEBUG] /home/buildbot/jenkins/workspace/cpp-libs-linux/src/vcpkg/buildtrees/_vcpkg/src/vcpkg-tool-2021-06-29/src/vcpkg/base/downloads.cpp(628)
[DEBUG] Exiting after 235595 us (235594 us)

[abique]

By the way I've contacted the site admin to inform him about the certificate situation.

[PhoebeHui]

@abique, thanks for reporting this issue!

It looks also a known issue in CI testing, see #13639 (comment).
@ras0219-msft mentioned that 'This can be solved by upgrading the ca-certificates package'.

[abique]

I did solve it by adding "insecure" to my .curlrc config file.

[BillyONeal]

I think the certificate check is not so important as we already have a hash to validate the downloaded file.

TLS provides privacy in addition to integrity and it's MS policy to use it in our products; I recommend installing current root certificates on your system rather than disabling TLS entirely. Although our SHA checks are indeed a mitigation for the integrity / tamper problem.

[BillyONeal]

https://www.ssllabs.com/ssltest/analyze.html?d=code.soundsoftware.ac.uk

Gotta love a server that supports old insecure TLS presumably for backcompat FUD but needs recent root certs to work...

[abique]

What about shipping certificates within vcpkg?

[BillyONeal]

Hmmm... I'm not sure how I feel about that. Installing trusted root certs is certainly not OK since it would be a machine wide modification. Perhaps someone who understands the context for this port can contact upstream and get them to fix their server?

[abique]

No you don't have to install it machine wide.
You can pass some arguments to curl to specify the location of the root certificates.

[ras0219-msft]

As a workaround, you can always predownload the file yourself into the downloads folder ahead of time using curl's insecure mode.