Upcoming hg.mozilla.org certificate change

Gregory Szorc gps at mozilla.com
Mon Sep 26 17:20:30 UTC 2016

The certificate has been flipped.

New hashes are:


You can pin these in your hgrc via:

# Mercurial 3.9+

hg.mozilla.org:fingerprints =

# Mercurial <= 3.8

[hostfingerprints]hg.mozilla.org =

Please make noise in #vcs or #releng if you see breakage.

On Thu, Sep 22, 2016 at 1:57 PM, Gregory Szorc <gps at mozilla.com> wrote:

> hg.mozilla.org's x509 server certificate (AKA an "SSL certificate")
> expires next week.
> A new certificate has already been issued and it is scheduled to be
> swapped in around 2016-09-26T17:00Z (Monday September 26 10:00 PDT). The
> transition may be delayed to avoid downtime in automation, which hasn't
> fully prepared for the change yet.
> The only major change to the certificate is it is using SHA-256 for
> signatures. This is known to not work with ancient software (such as
> Windows XP SP2). We don't anticipate any major problems with this, however.
> If you pin the host fingerprint in your Mercurial config file, you'll need
> to install a new fingerprint or Mercurial will refuse to connect once the
> certificate is swapped. The fingerprint of the new certificate and
> Mercurial config snippets for configuring it are available at
> https://bugzilla.mozilla.org/show_bug.cgi?id=1147548#c12.
> It's worth noting that Mercurial 3.8+ supports pinning multiple
> fingerprints per host. So, if you install the new fingerprint today, you
> don't need to take action when the server certificate is swapped next week.
> If you notice any problems after the cert change, please make noise in
> #vcs on IRC.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/firefox-dev/attachments/20160926/d3690067/attachment.html>

More information about the firefox-dev mailing list