From 0d250dd0211e3941de51e4b612b6259718fb111a Mon Sep 17 00:00:00 2001 From: Brad King Date: Fri, 29 Mar 2024 12:25:00 -0400 Subject: [PATCH] ExternalProject: Honor CMAKE_TLS_VERIFY environment variable Issue: #23608 --- Help/envvar/CMAKE_TLS_VERIFY.rst | 4 ++++ Modules/ExternalProject.cmake | 28 +++++++++++++++++++--------- 2 files changed, 23 insertions(+), 9 deletions(-) diff --git a/Help/envvar/CMAKE_TLS_VERIFY.rst b/Help/envvar/CMAKE_TLS_VERIFY.rst index a0ed323494..9571cb80e4 100644 --- a/Help/envvar/CMAKE_TLS_VERIFY.rst +++ b/Help/envvar/CMAKE_TLS_VERIFY.rst @@ -9,3 +9,7 @@ Specify the default value for the :command:`file(DOWNLOAD)` and :command:`file(UPLOAD)` commands' ``TLS_VERIFY`` option. This environment variable is used if the option is not given and the :variable:`CMAKE_TLS_VERIFY` cmake variable is not set. + +This variable is also used by the :module:`ExternalProject` and +:module:`FetchContent` modules for internal calls to +:command:`file(DOWNLOAD)` and ``git clone``. diff --git a/Modules/ExternalProject.cmake b/Modules/ExternalProject.cmake index 847ea928b8..3323b18fb3 100644 --- a/Modules/ExternalProject.cmake +++ b/Modules/ExternalProject.cmake 
@@ -243,22 +243,28 @@ URL ``TLS_VERIFY `` Specifies whether certificate verification should be performed for ``https://`` URLs. If this option is not provided, the value of the - :variable:`CMAKE_TLS_VERIFY` variable will be used instead (see - :command:`file(DOWNLOAD)`). - If that is also not set, certificate verification will not be performed. + :variable:`CMAKE_TLS_VERIFY` variable or the :envvar:`CMAKE_TLS_VERIFY` + environment variable will be used instead (see :command:`file(DOWNLOAD)`). + If neither of those is set, certificate verification will not be performed. In situations where ``URL_HASH`` cannot be provided, this option can be an alternative verification measure. This option also applies to ``git clone`` invocations, although the - default behavior is different. If neither the ``TLS_VERIFY`` option - or :variable:`CMAKE_TLS_VERIFY` variable is specified, the behavior - will be determined by git's default (true) or a ``http.sslVerify`` - git config option the user may have set at a global level. + default behavior is different. If none of the ``TLS_VERIFY`` option, + :variable:`CMAKE_TLS_VERIFY` variable, or :envvar:`CMAKE_TLS_VERIFY` + environment variable is specified, the behavior will be determined by + git's default (true) or a ``http.sslVerify`` git config option the + user may have set at a global level. .. versionchanged:: 3.6 Previously this option did not apply to ``git clone`` invocations. + .. versionchanged:: 3.30 + + Previously the :envvar:`CMAKE_TLS_VERIFY` environment variable + was not checked. + ``TLS_CAINFO `` Specify a custom certificate authority file to use if ``TLS_VERIFY`` is enabled. If this option is not specified, the value of the 
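Review bot: The reworded `TLS_VERIFY` text joins the CMake variable and the environment variable with "or" in both paragraphs, without saying which one wins when both are set. The `_ep_get_tls_verify` hunk later in this patch reads the CMake variable first and consults the environment only when that variable is empty. The order is worth stating because the documented fallback for `https://` URLs is still no certificate verification, so a reader needs to know which setting decides. Keeping the existing roles, the first sentence could read `the value of the CMAKE_TLS_VERIFY variable is used, or the CMAKE_TLS_VERIFY environment variable if that variable is not set`. The `git clone` paragraph could list the three sources in the same order.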
@@ -1397,8 +1403,12 @@ endfunction() function(_ep_get_tls_verify name tls_verify_var) get_property(tls_verify TARGET ${name} PROPERTY _EP_TLS_VERIFY) - if("x${tls_verify}" STREQUAL "x" AND DEFINED CMAKE_TLS_VERIFY) - set(tls_verify "${CMAKE_TLS_VERIFY}") + if("x${tls_verify}" STREQUAL "x") + if(NOT "x${CMAKE_TLS_VERIFY}" STREQUAL "x") + set(tls_verify "${CMAKE_TLS_VERIFY}") + elseif(NOT "x$ENV{CMAKE_TLS_VERIFY}" STREQUAL "x") + set(tls_verify "$ENV{CMAKE_TLS_VERIFY}") + endif() endif() set("${tls_verify_var}" "${tls_verify}" PARENT_SCOPE) endfunction()
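Review bot: Replacing the old `DEFINED CMAKE_TLS_VERIFY` test with an emptiness test means a `CMAKE_TLS_VERIFY` variable set to the empty string no longer ends the lookup; it now falls through to `$ENV{CMAKE_TLS_VERIFY}`. That is probably intended, but neither the commit message nor the docs hunk mentions it, and a project cannot shield itself from an inherited environment value by defining the variable as empty. The environment string is also copied into `tls_verify` unchanged, so whatever consumes the result (outside this hunk) decides how a non-boolean value such as a typo is treated. A comment above the outer `if` would record the contract: `# Precedence: TLS_VERIFY option, CMAKE_TLS_VERIFY variable, CMAKE_TLS_VERIFY env var; an empty value counts as unset.`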