From a7696b9733d4ede9817a0a0accb5ce5b85d9a2d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
Date: Thu, 9 Jul 2020 17:24:13 +0200
Subject: [PATCH] git-download: Don't verify X.509 certificate of SWH.

Fixes <https://bugs.gnu.org/42286>.

Regression introduced with the switch to Guile 3.0 in commit
b6bee63bed4f013064c0d902e7c8b83ed7514ade.

* guix/git-download.scm (git-fetch): Parameterize %VERIFY-SWH-CERTIFICATE.
---
 guix/git-download.scm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/guix/git-download.scm b/guix/git-download.scm
index a1c1adf760..71ea1031c5 100644
--- a/guix/git-download.scm
+++ b/guix/git-download.scm
@@ -140,9 +140,11 @@ HASH-ALGO (a symbol).  Use NAME as the file name, or a generic name if #f."
                 (download-nar #$output)
 
                 ;; As a last resort, attempt to download from Software Heritage.
+                ;; Disable X.509 certificate verification to avoid depending
+                ;; on nss-certs--we're authenticating the checkout anyway.
                 ;; XXX: Currently recursive checkouts are not supported.
                 (and (not recursive?)
-                     (begin
+                     (parameterize ((%verify-swh-certificate? #f))
                        (format (current-error-port)
                                "Trying to download from Software Heritage...~%")
                        (swh-download (getenv "git url") (getenv "git commit")