Use HTTPS ELPA sources & verify TLS (#72)

2017-05-19 22:28:01 +02:00 · 2017-05-19 22:28:01 +02:00 · e678d13ed6
commit e678d13ed6
parent 9dd66381dc
2 changed files with 29 additions and 3 deletions
--- a/core/autoload/packages.el
+++ b/core/autoload/packages.el
@ -399,3 +399,25 @@ calls."
                       package old-v-str new-v-str)
            (message "Aborted")))
      (message "%s is up-to-date" package))))
+
+;;;###autoload
+(defun doom/am-i-secure ()
+  "Test to see if your root certificates are securely configured in emacs."
+  (declare (interactive-only t))
+  (interactive)
+  (if-let (bad-hosts
+           (loop for bad
+                 in `("https://wrong.host.badssl.com/"
+                      "https://self-signed.badssl.com/")
+                 if (condition-case e
+                        (url-retrieve bad (lambda (retrieved) t))
+                      (error nil))
+                 collect bad))
+      (error (format "tls seems to be misconfigured (it got %s)."
+                     bad-hosts))
+    (url-retrieve "https://badssl.com"
+                  (lambda (status)
+                    (if (or (not status) (plist-member status :error))
+                        (warn "Something went wrong.\n\n%s" (pp-to-string status))
+                      (message "Your trust roots are set up properly.\n\n%s" (pp-to-string status))
+                      t)))))
--- a/core/core-packages.el
+++ b/core/core-packages.el
@ -78,12 +78,16 @@ base by `doom!' and for calculating how many packages exist.")
      package-user-dir (expand-file-name "elpa" doom-packages-dir)
      package-enable-at-startup nil
      package-archives
-      '(("gnu"   . "http://elpa.gnu.org/packages/")
-        ("melpa" . "http://melpa.org/packages/")
-        ("org"   . "http://orgmode.org/elpa/"))
+      '(("gnu"   . "https://elpa.gnu.org/packages/")
+        ("melpa" . "https://melpa.org/packages/"))
      ;; I omit Marmalade because its packages are manually submitted rather
      ;; than pulled, so packages are often out of date with upstream.

+      ;; security settings
+      tls-checktrust t
+      gnutls-verify-error t
+      gnutls-trustfiles '("/etc/ssl/certs/ca-certificates.crt" "/etc/ssl/cert.pem")
+
      use-package-always-defer t
      use-package-always-ensure nil
      use-package-expand-minimally (not doom-debug-mode)