fix: secure git clones by removing insecure sslverify flag (#74) #75

Manually merged
jabber.developer merged 1 commits from ci/secure-cloning into master 2026-01-21 17:01:09 +00:00

What this PR will do

  • Remove -c http.sslverify=false from all git clones
    (enables proper TLS verification, closes MITM risk).
  • Explicitly install ca-certificates in every CI Docker image.

Why this matters

Disabling TLS certificate verification allowed potential man-in-the-middle attacks during dependency fetching, creating a supply-chain risk.
Explicitly installing ca-certificates ensures the system trust store is present and populated, so Git can verify HTTPS connections using default settings — even on minimal base images.

Resolves #74

## What this PR will do - Remove -c http.sslverify=false from all git clones (enables proper TLS verification, closes MITM risk). - Explicitly install ca-certificates in every CI Docker image. ## Why this matters Disabling TLS certificate verification allowed potential man-in-the-middle attacks during dependency fetching, creating a supply-chain risk. Explicitly installing ca-certificates ensures the system trust store is present and populated, so Git can verify HTTPS connections using default settings — even on minimal base images. Resolves #74
jabber.developer added 1 commit 2026-01-21 16:15:30 +00:00
fix(ci): remove insecure git clone flag, add ca-certificates
All checks were successful
CI Code / Check spelling (pull_request) Successful in 22s
CI Code / Check coding style (pull_request) Successful in 34s
CI Code / Code Coverage (pull_request) Successful in 17m45s
CI Code / Linux (ubuntu) (pull_request) Successful in 18m1s
CI Code / Linux (debian) (pull_request) Successful in 18m17s
CI Code / Linux (arch) (pull_request) Successful in 19m0s
CI Code / Check spelling (push) Successful in 19s
CI Code / Check coding style (push) Successful in 31s
CI Code / Code Coverage (push) Successful in 15m28s
CI Code / Linux (ubuntu) (push) Successful in 18m11s
CI Code / Linux (debian) (push) Successful in 18m22s
CI Code / Linux (arch) (push) Successful in 20m51s
8353a29b4f
Remove -c http.sslverify=false from all git clones
(enables proper TLS verification, closes MITM risk).
Explicitly install ca-certificates in every CI Docker image.
jabber.developer requested review from jabber.developer2 2026-01-21 16:16:00 +00:00
jabber.developer2 approved these changes 2026-01-21 16:49:11 +00:00
jabber.developer2 left a comment
Collaborator

Approved — Removes insecure sslverify=false flag and adds ca-certificates for proper SSL verification.

Approved — Removes insecure sslverify=false flag and adds ca-certificates for proper SSL verification.
jabber.developer manually merged commit 8353a29b4f into master 2026-01-21 17:01:09 +00:00
jabber.developer deleted branch ci/secure-cloning 2026-01-21 17:01:21 +00:00
Sign in to join this conversation.
No description provided.