Git Installer could remove http.sslcainfo if native Windows SSL/TLS is selected #1409

Closed
1 task done
asalwa opened this issue Dec 21, 2017 · 11 comments

asalwa commented Dec 21, 2017

  • I was not able to find an open or closed issue matching what I'm seeing

Setup

  • Which version of Git for Windows are you using? Is it 32-bit or 64-bit?
$ git --version --build-options

git version 2.15.1.windows.2
built from commit: 5d5baf91824ec7750b103c8b7c4827ffac202feb
sizeof-long: 4
machine: x86_64
  • Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?
$ cmd.exe /c ver

Microsoft Windows [Version 10.0.15063]

(64-bit)

  • What options did you set as part of the installation? Or did you choose the
    defaults?
> type "C:\Program Files\Git\etc\install-options.txt"
Editor Option: VIM
Path Option: Cmd
SSH Option: OpenSSH
CURL Option: WinSSL
CRLF Option: CRLFAlways
Bash Terminal Option: MinTTY
Performance Tweaks FSCache: Enabled
Use Credential Manager: Enabled
Enable Symlinks: Disabled
  • Any other interesting things about your environment that might be related
    to the issue you're seeing?

Using LFS and self-signed company-wide certificates.

Details

  • Which terminal/shell are you running Git from? e.g Bash/CMD/PowerShell/other

ConEmu + Git Bash.

  • What commands did you run to trigger this issue?

Clone any repository which is using LFS. Do it via HTTPS transport with server certificate verifiable via native Windows mechanism. Server certificate is NOT mentioned in Git config using sslcainfo option.

  • What did you expect to occur after running these commands?

Normal output produced by "git clone" with LFS.

  • What actually happened instead?

During download of LFS objects error occurs: "x509: certificate signed by unknown authority"

This problem is well known and described in issues #1158 here and #2208 in git-lfs project (git-lfs/git-lfs#2208).
The workaround is also known. Removing http.sslcainfo from system-wide gitconfig helps. (It is written by default by the installer.)

Discussions in these other issues were not leading to any fix coming soon. What I'm suggesting here is to apply a workaround in the installer, so that WinSSL+LFS will work "out of the box".
The current state causes some misunderstanding in the community. I heard voices from Git repo maintainers who believed that WinSSL+LFS does not work at all. Not every user is determined to dig through forums and GitHub issues to find this workaround.
I suggest applying Installer label, to clearly mark this issue as proposal to do something in Installer, not in cURL, LFS, etc.

Member

dscho commented Dec 21, 2017

Technically, this is a duplicate of #1158. But that other bug is so sad, having seen the promise of a contribution, which never came.

@asalwa I trust you're really interested in getting this fixed? I do not have the time to do that, but I'll help you getting it fixed, and that will benefit all of us. So here are the steps:

Get the Git for Windows SDK

This is as easy as downloading and running a tiny installer. It will download a bunch of files (~200MB IIRC) and build a current version of Git for Windows and install it into the Git for Windows SDK.

Alternative way to get the SDK

You can also go a still slightly experimental way: clone https://github.com/git-for-windows/git-sdk-64. This will get you almost a full SDK, you still have to clone https://github.com/git-for-windows/build-extra into /usr/src/build-extra. The build-extra still is not core.autocrlf=true-safe, though, so you will want to (at least temporarily) set that config setting to false at least in your ~/.gitconfig (e.g. via git config --global core.autocrlf false) before cloning build-extra.

Build your first installer

This is really necessary to prove that you can build an installer successfully, so that you do not get stuck later. It is as easy as running

sh /usr/src/build-extra/installer/release.sh 0-test

This will build the installer Git-0-test-64-bit.exe and put it into your home directory. It would be a good idea to test this installer at this stage, to verify that it does configure http.sslCAInfo even when choosing Secure Channel.

Implement the fix

This is the location where http.sslCAInfo is configured:

https://github.com/git-for-windows/build-extra/blob/af9cff50050b15520a8a3885ccfb6c9b4b65611b/installer/install.iss#L1869-L1871

The condition needs to be extended using an and by the "WinSSL" condition, as it is tested here:

https://github.com/git-for-windows/build-extra/blob/af9cff50050b15520a8a3885ccfb6c9b4b65611b/installer/install.iss#L1878

The way you combine multiple conditions in a single if statement is demonstrated here:

https://github.com/git-for-windows/build-extra/blob/af9cff50050b15520a8a3885ccfb6c9b4b65611b/installer/install.iss#L1878

Test the change

Time to run sh /usr/src/build-extra/installer/release.sh 0-test again! And it will overwrite the previously-generated installer, and yes, now is also the time to run this installer, then verify

  1. that the http.sslCAInfo setting is gone: simply run git config --show-origin http.sslcainfo in a Git Bash from the just-installed Git for Windows, and

  2. even more importantly that your Git LFS operations work as you expect. This is a test that you have a rather unique position to run, so this one is really crucial.

If any of these tests fails, and if you then get stuck interpreting the errors and/or have no idea how to fix them, please do feel very free to come back with the symptoms (and maybe even with a branch pushed to a fork of build-extra).

Commit and submit!

Once everything works, please commit your work with git commit -s (the -s adds the "Signed-off-by:" line that declares that you are at liberty to contribute your fix). If your current employer does not allow you to contribute the fix, please at least let us know how your testing went.

In the commit message, please talk about the motivation for the patch. It's probably good enough to copy-edit part of this here bug report.

Also, please include a line like "This addresses #1409" in the commit message; this helps close the ticket once the Pull Request is merged.

Speaking of Pull Request ("PR"): if you do not have a fork of the build-extra repository yet, please make one. Then push your branch, and then hit "Create Pull Request" in the GitHub page of build-extra.

Thanks!
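The configuration check from the "Test the change" step above, as an added example that is not part of the original comment or of the Git for Windows project: it reads `git config --list --show-origin` output and reports whether `http.sslCAInfo` is still set while Secure Channel is selected. It assumes the installer's WinSSL choice is stored as `http.sslBackend=schannel`; the function names, sample paths and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue or from Git for Windows).
# Reads `git config --list --show-origin` output on stdin and reports whether
# http.sslCAInfo is still set while the Secure Channel backend is selected.
# Assumption: the installer's "WinSSL" choice is stored as http.sslBackend=schannel.
audit_ssl_config() {
    awk -F '\t' '
        {
            eq = index($2, "=")
            if (eq == 0) next                 # valueless key, not relevant here
            key = tolower(substr($2, 1, eq - 1))
            val = substr($2, eq + 1)
            # Later lines (global, local) override earlier ones (system),
            # so the last value seen is the effective one.
            if (key == "http.sslbackend") backend = tolower(val)
            if (key == "http.sslcainfo") { ca = val; origin = $1 }
        }
        END {
            if (backend == "schannel" && ca != "") {
                printf "CONFLICT: http.sslCAInfo=%s set in %s while http.sslBackend=schannel\n", ca, origin
                exit 1
            }
            print "OK: no http.sslCAInfo alongside the schannel backend"
        }'
}

# Constructed sample resembling a system gitconfig written with the WinSSL option.
sample_before() {
    printf 'file:C:/Program Files/Git/mingw64/etc/gitconfig\thttp.sslbackend=schannel\n'
    printf 'file:C:/Program Files/Git/mingw64/etc/gitconfig\thttp.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt\n'
    printf 'file:C:/Users/example/.gitconfig\tuser.name=Example\n'
}

sample_before | audit_ssl_config || true
# On a real install: git config --list --show-origin | audit_ssl_config
```

The function exits non-zero on a conflict, so it can gate a post-install check; the reported origin shows which config file still carries the setting.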

Author

asalwa commented Jan 18, 2018

After 4 weeks I've found a moment to look at it (better late than never) :-)
I ran git-sdk-installer-1.0.6-64.7z.exe, it downloaded and built a lot of stuff - I won't tell you I've read everything on the console, but at least it didn't leave any error message on my screen.
A new "SDK-64" window was left on my screen after installation. But I can't build the installer:
sh /usr/src/build-extra/installer/release.sh 0-test
because there is no 'installer' directory:

$ ls -lA /usr/src/build-extra/
total 4
drwxr-xr-x 1 ASalwa 1049089 0 Jan 18 14:31 .git/

What extra step is necessary to get it working?

Author

asalwa commented Jan 18, 2018

It looks like build-extra is an empty Git repo:

MINGW64 /usr/src/build-extra (master)
$ git status
On branch master

No commits yet

Remote is specified in build-extra/.git/config, but it seems that repository has not been cloned.

@PhilipOakley

Yes, those sources need to be either fetched or checked out (can't remember which..). IIRC they are a repo at a particular state, but it's just bare at the moment.

Member

dscho commented Jan 18, 2018

As mentioned in https://github.com/git-for-windows/git/wiki/Making-an-installer, you need to:

cd /usr/src/build-extra
git pull master
./installer/release.sh <version>-test

The crucial part is git pull master.

Member

dscho commented Feb 7, 2018

@asalwa any luck so far?

Author

asalwa commented Feb 7, 2018

Yes, some :) Thanks for the extra explanation. Now I'm able to build my own Git installer. I hope to have a time slot this or next week to finally fix this issue.

Member

dscho commented Feb 7, 2018

@asalwa I look forward to it!

Author

asalwa commented Feb 13, 2018

Created my first PR for Git for Windows:
git-for-windows/build-extra#172

@dscho dscho added this to the v2.16.1(5) milestone Feb 16, 2018
Member

dscho commented Feb 16, 2018

@asalwa thank you so much! I merged your excellent PR, and the next Git for Windows version will have this bug fix!

@dscho dscho closed this as completed Feb 16, 2018
Author

asalwa commented Feb 16, 2018

Great. I'm glad that I worked through the process of building and delivering a fix. Maybe I'll have an occasion to contribute something more sophisticated in the future :)
