- log.Println("root:", *root)
- log.Println("bind:", *bind)
- log.Println("pypi:", *pypiURL)
+ if *pypiCertHash == "" {
+ pypiHTTPTransport = http.Transport{}
+ } else {
+ ourDgst, err := hex.DecodeString(*pypiCertHash)
+ if err != nil {
+ log.Fatalln(err)
+ }
+ pypiHTTPTransport = http.Transport{
+ TLSClientConfig: &tls.Config{
+ VerifyConnection: func(s tls.ConnectionState) error {
+ spki := s.VerifiedChains[0][0].RawSubjectPublicKeyInfo
+ theirDgst := sha256.Sum256(spki)
+ if bytes.Compare(ourDgst, theirDgst[:]) != 0 {
+ return errors.New("certificate's digest mismatch")
+ }
+ return nil
+ }},
+ }
+ }
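Review bot: The pin decoded from `*pypiCertHash` is never length-checked, so a truncated or non-SHA-256 hex string passes `hex.DecodeString` and every upstream connection then fails with "certificate's digest mismatch" instead of the process refusing to start; add `if len(ourDgst) != sha256.Size { log.Fatalln("pypi cert hash must be a hex SHA-256 of the SPKI") }` after the decode. Inside `VerifyConnection`, `s.VerifiedChains[0][0]` is populated only because standard chain verification is still enabled, so a comment such as `// pin is checked in addition to normal chain verification; VerifiedChains is empty if InsecureSkipVerify is ever set` would keep a later change from turning this into an index panic. `bytes.Equal(ourDgst, theirDgst[:])` says the same thing more directly than `bytes.Compare(...) != 0`. Both branches build a bare `http.Transport{}`, which lacks the proxy and timeout settings of `http.DefaultTransport`; it is worth confirming that this is intended. The enclosing function starts and ends outside the hunk.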