From e678d13ed6135a76d7a0037ee6ee3f205b6974d0 Mon Sep 17 00:00:00 2001
From: Henrik Lissner
Date: Fri, 19 May 2017 22:28:01 +0200
Subject: [PATCH] Use HTTPS ELPA sources & verify TLS (#72)
---
 core/autoload/packages.el | 22 ++++++++++++++++++++++
 core/core-packages.el | 10 +++++++---
 2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/core/autoload/packages.el b/core/autoload/packages.el
index bb5b33614..1ee2fb1f1 100644
--- a/core/autoload/packages.el
+++ b/core/autoload/packages.el
@@ -399,3 +399,25 @@ calls."
 package old-v-str new-v-str)
 (message "Aborted")))
 (message "%s is up-to-date" package))))
+
+;;;###autoload
+(defun doom/am-i-secure ()
+ "Test to see if your root certificates are securely configured in emacs."
+ (declare (interactive-only t))
+ (interactive)
+ (if-let (bad-hosts
+ (loop for bad
+ in `("https://wrong.host.badssl.com/"
+ "https://self-signed.badssl.com/")
+ if (condition-case e
+ (url-retrieve bad (lambda (retrieved) t))
+ (error nil))
+ collect bad))
+ (error (format "tls seems to be misconfigured (it got %s)."
+ bad-hosts))
+ (url-retrieve "https://badssl.com"
+ (lambda (status)
+ (if (or (not status) (plist-member status :error))
+ (warn "Something went wrong.\n\n%s" (pp-to-string status))
+ (message "Your trust roots are set up properly.\n\n%s" (pp-to-string status))
+ t)))))
diff --git a/core/core-packages.el b/core/core-packages.el
index 4b396b496..c3fa3176f 100644
--- a/core/core-packages.el
+++ b/core/core-packages.el
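Review bot: The `condition-case` around `url-retrieve` in the bad-host `loop` only catches a failure that `url-retrieve` signals at call time; `url-retrieve` is asynchronous and returns the buffer the retrieval will load into, so if the handshake against `wrong.host`/`self-signed` fails later and is reported through the callback's status plist (the channel the success branch below already inspects with `(plist-member status :error)`), no host is collected and the function goes on to report the trust roots as fine. Whether the verification error is raised synchronously appears to depend on how the Emacs build opens TLS streams, so the check should not rely on it: let the bad-host callback do the detection, flagging the host when its status carries no `:error`, and pass the host in via cbargs rather than closing over `bad`, since `cl-loop` reuses one binding for the iteration variable. Separately, `(error (format ... bad-hosts))` formats twice — `error` takes a format string itself, so `(error "tls seems to be misconfigured (it got %s)." bad-hosts)` avoids re-interpreting a `%` in the host list. `loop` is the obsolete unprefixed alias of `cl-loop`, and `if-let` comes from `subr-x`, which an autoloaded function cannot assume is already loaded.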
@@ -78,12 +78,16 @@ base by `doom!' and for calculating how many packages exist.")
 package-user-dir (expand-file-name "elpa" doom-packages-dir)
 package-enable-at-startup nil
 package-archives
- '(("gnu" . "http://elpa.gnu.org/packages/")
- ("melpa" . "http://melpa.org/packages/")
- ("org" . "http://orgmode.org/elpa/"))
+ '(("gnu" . "https://elpa.gnu.org/packages/")
+ ("melpa" . "https://melpa.org/packages/"))
 ;; I omit Marmalade because its packages are manually submitted rather
 ;; than pulled, so packages are often out of date with upstream.
 
+ ;; security settings
+ tls-checktrust t
+ gnutls-verify-error t
+ gnutls-trustfiles '("/etc/ssl/certs/ca-certificates.crt" "/etc/ssl/cert.pem")
+
 use-package-always-defer t
 use-package-always-ensure nil
 use-package-expand-minimally (not doom-debug-mode)
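Review bot: Overriding `gnutls-trustfiles` with a two-path list narrows the trust store rather than hardening it: with `gnutls-verify-error t` set on the line above, an Emacs on a system where neither `/etc/ssl/certs/ca-certificates.crt` nor `/etc/ssl/cert.pem` exists fails verification on every HTTPS archive fetch, so package installation breaks instead of falling back to another bundle. Emacs's default value of `gnutls-trustfiles` already lists both of those paths alongside other distro locations (the RHEL-style `/etc/pki/tls/certs/ca-bundle.crt` among them, if I recall the default correctly), so the assignment is best dropped, or written as an extension of the default (`(append gnutls-trustfiles '(…))`) if a site-specific bundle is genuinely needed. `tls-checktrust t` governs only the external-program path in `tls.el`, used when Emacs has no built-in GnuTLS, so it is not redundant with `gnutls-verify-error`; a comment such as `;; tls-checktrust covers tls.el (gnutls-cli/openssl), gnutls-verify-error the built-in GnuTLS binding` would keep a later cleanup from pruning one of them. The `org` archive is removed rather than switched to HTTPS, which the subject line does not mention; if that is deliberate, a one-line comment like the Marmalade one above it would record why. The enclosing `setq` starts and ends outside the hunk.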