Opened 5 months ago

Closed 5 months ago

#68932 closed defect (fixed)

GitLab SSL certificate changed so we can no longer mirror its files

Reported by: NucleaPeon (Dann) Owned by: admin@…
Priority: Normal Milestone:
Component: server/hosting Version: 2.8.1
Keywords: Cc:
Port:

Description (last modified by ryandesign (Ryan Carsten Schmidt))

I recently installed youtube-dl based on a MacPorts installation that hasn't been updated in a while. It completed successfully. I then went to do a selfupdate and the corresponding 'sudo port upgrade outdated' command, which failed when it attempted to download a version of svt-av1 that apparently doesn't exist on many servers. It eventually gave up and failed.

While data is in the log I'm attaching, basic info is this:
MacPorts 2.8.1
OS: OS X 10.6.8

Attachments (2)

svt-av1.log (379.5 KB) - added by NucleaPeon (Dann) 5 months ago.
main.log file of svt-av1
port-svt-av1-fail.tiff (58.9 KB) - added by NucleaPeon (Dann) 5 months ago.
screenshot of terminal when failure occurs


Change History (14)

Changed 5 months ago by NucleaPeon (Dann)

Attachment: svt-av1.log added

main.log file of svt-av1

Changed 5 months ago by NucleaPeon (Dann)

Attachment: port-svt-av1-fail.tiff added

screenshot of terminal when failure occurs

comment:1 Changed 5 months ago by NucleaPeon (Dann)

I cannot install an older version either, so downgrading is not an option and I'm currently stuck. I'm attempting to package up youtube-dl and openssh using mpkg for a project.

comment:2 Changed 5 months ago by NucleaPeon (Dann)

I tried replacing the svt-av1 file with the available 1.8.0 version but the hashes don't match.

comment:3 Changed 5 months ago by ryandesign (Ryan Carsten Schmidt)

Component: ports → server/hosting
Description: modified
Keywords: svt-av1 404 removed
Owner: set to admin@…
Port: sv1-av1 removed
Status: new → assigned
Summary: "svt-av1 attempts to download version 1.8.0_1 but 404's every mirror it tries. Cannot find newer version but 1.8.0_1 is only available version" → "GitLab SSL certificate changed so we can no longer mirror its files"

Yes, I noticed this today. svt-av1 is hosted on GitLab. GitLab changed their SSL certificate a couple days ago and it is now no longer possible to connect to GitLab using the version of curl that comes with OS X 10.11 or earlier. This shouldn't have been a problem for users because we mirror the files on our server, so you should have been able to get it from our mirrors, but the machine that does the mirroring runs OS X 10.11 so it is not able to mirror this file or any other files from GitLab anymore. Upgrading the mirroring machine to a new OS version has the potential to introduce more problems so I plan to fix the problem with a smaller change: changing the MacPorts installation that the mirroring process uses so that it uses MacPorts curl instead of macOS curl, since MacPorts curl uses a newer SSL library that is able to connect to all servers.

comment:4 Changed 5 months ago by ryandesign (Ryan Carsten Schmidt)

Oh, and about youtube-dl, yes, it has not been updated in a while because there has been no release of youtube-dl in a while. We offer the latest version that is available. If they release a new version, of course I will update the port. You could use yt-dlp instead which has more recent releases.

comment:5 Changed 5 months ago by NucleaPeon (Dann)

Awesome! Thank you.

comment:6 Changed 5 months ago by ryandesign (Ryan Carsten Schmidt)

It may be a couple days before I can do it; the buildbot is very busy right now building hundreds of ports after the icu update and I don't want to try to make changes while builds are in progress.

comment:7 Changed 5 months ago by raimue (Rainer Müller)

You can use the port distfiles <port> command to get the exact path where the file is expected and the list of mirror URLs which will be tried for download. If fetch is broken due to the SSL certificate on older macOS releases, as a workaround you could still download it manually with your browser and place it into that path in /opt/local/var/macports/distfiles/ manually.

comment:8 Changed 5 months ago by ryandesign (Ryan Carsten Schmidt)

Only if the browser supports the newer certificate. The user is on Snow Leopard for which current browsers are not available so that may not work either.

I've manually mirrored the new svt-av1 1.8.0 file to solve the immediate problem. It should be available within an hour.

comment:9 Changed 5 months ago by kencu (Ken)

I helped write a version of TenFourFox that runs on MacOSX 10.4+ Intel, that can download most current things.

https://sourceforge.net/projects/tenfourfox/files/unstable/contrib/TenFourFox-FPR32SP5-i386.zip/download

It has some deficiencies -- there is no async/await functionality so some sites won't work, as outlined here: https://github.com/classilla/tenfourfox/issues/653

but it is useful. I use it every day on 10.6.

I built the current version from the github repo as well for my own use, but I didn't upload that to SourceForge like I did the other releases when Cameron was actively maintaining it.


comment:10 Changed 5 months ago by NucleaPeon (Dann)

Updated my machine today and it didn't fail on svt-av1. I'm seeing an issue with py311-numpy, but I don't think that is hiding the problem as yt-dlp installed and mpkg ran fine (but I had to symlink /Developer/usr/bin/packagebuild to /usr/bin as exporting path didn't work)

@kencu On Snow Leopard, I have Firefox 48.0.2, Firefox Nightly, Spidermonkey and Arctic Fox installed and Spidermonkey seems to be the best for most sites and large numbers of tabs. I can give tenfourfox a test drive though, thanks!

comment:11 Changed 5 months ago by NucleaPeon (Dann)

I really do appreciate that you still support Snow Leopard; being able to have the latest openssh and git has made it way more functional. I aim to have most of my software projects support 10.6.8.

comment:12 in reply to:  3 Changed 5 months ago by ryandesign (Ryan Carsten Schmidt)

Resolution: fixed
Status: assigned → closed

Replying to ryandesign:

I plan to fix the problem with a smaller change: changing the MacPorts installation that the mirroring process uses so that it uses MacPorts curl instead of macOS curl, since MacPorts curl uses a newer SSL library that is able to connect to all servers.

Instead, I installed the USERTrust RSA Certification Authority certificate into the Keychain on the build machine and on the OS X 10.11 El Capitan and older build workers. (Install it into the System keychain, not the login keychain. If prompted, choose Always Trust. If not prompted, find the certificate in the list, double-click it to open it, click the triangle to the left of Trust, and in the When using this certificate menu, choose Always Trust.) (This is similar to what we suggest for Let's Encrypt.) This worked for me on OS X 10.9, 10.10, and 10.11. It did not work on 10.8 and earlier but now that the build machine can mirror these files again that should suffice for users on 10.8 and earlier.
