ExternalProject: Respect TLS_VERIFY for git update step

Git config options can be passed to git clone before or after the "clone" keyword. If specified before, the config setting is only applied to that command invocation. It acts to override the value in the global or project defaults (the latter doesn't exist for clone). When the config setting is passed after the "clone" keyword, it is saved into the cloned repository's config and will persist for later git operations. The existing implementation expected the latter behavior, but put the config setting before the "clone" keyword and therefore the setting was not persisting to the git update step. Move it to after the "clone" keyword so that it will persist. The submodule handling is different. There is no support for doing a "git submodule update" with a "sticky" config setting. Instead, you have to pass the setting with all such calls. The existing implementation was doing this for the clone step, but not the git update step. Add the config setting there as well so that submodules also effectively have the sslVerify setting persist to the update step too. Fixes: #18948
2026-01-11 16:32:14 -06:00 · 2023-05-28 20:24:05 +10:00
parent 8fdce89f70
commit dcbc36572f
3 changed files with 48 additions and 13 deletions
--- a/Modules/ExternalProject.cmake
+++ b/Modules/ExternalProject.cmake
@@ -1333,6 +1333,8 @@ function(_ep_write_gitclone_script
    message(FATAL_ERROR "Tag for git checkout should not be empty.")
  endif()

+  set(git_submodules_config_options "")
+
  if(GIT_VERSION_STRING VERSION_LESS 2.20 OR
     2.21 VERSION_LESS_EQUAL GIT_VERSION_STRING)
    set(git_clone_options "--no-checkout")
@@ -1355,18 +1357,26 @@ function(_ep_write_gitclone_script
  if(NOT ${git_remote_name} STREQUAL "origin")
    list(APPEND git_clone_options --origin \"${git_remote_name}\")
  endif()
+  if(NOT "x${tls_verify}" STREQUAL "x")
+    # The clone config option is sticky, it will apply to all subsequent git
+    # update operations. The submodules config option is not sticky, because
+    # git doesn't provide any way to do that. Thus, we will have to pass the
+    # same config option in the update step too for submodules, but not for
+    # the main git repo.
+    if(tls_verify)
+      # Default git behavior is "true", but the user might have changed the
+      # global default to "false". Since TLS_VERIFY was given, ensure we honor
+      # the specified setting regardless of what the global default might be.
+      list(APPEND git_clone_options -c http.sslVerify=true)
+      set(git_submodules_config_options -c http.sslVerify=true)
+    else()
+      list(APPEND git_clone_options -c http.sslVerify=false)
+      set(git_submodules_config_options -c http.sslVerify=false)
+    endif()
+  endif()

  string (REPLACE ";" " " git_clone_options "${git_clone_options}")

-  set(git_options)
-  # disable cert checking if explicitly told not to do it
-  if(NOT "x${tls_verify}" STREQUAL "x" AND NOT tls_verify)
-    set(git_options
-      -c http.sslVerify=false
-    )
-  endif()
-  string (REPLACE ";" " " git_options "${git_options}")
-
  configure_file(
    ${CMAKE_CURRENT_FUNCTION_LIST_DIR}/ExternalProject/gitclone.cmake.in
    ${script_filename}
@@ -1409,6 +1419,7 @@ function(_ep_write_gitupdate_script
  git_repository
  work_dir
  git_update_strategy
+  tls_verify
 )

  if("${git_tag}" STREQUAL "")
@@ -1423,6 +1434,22 @@ function(_ep_write_gitupdate_script
    list(APPEND git_stash_save_options --all)
  endif()

+  set(git_submodules_config_options "")
+  if(NOT "x${tls_verify}" STREQUAL "x")
+    # The submodules config option is not sticky, git doesn't provide any way
+    # to do that. We have to pass this config option for the update step too.
+    # We don't need to set it for the non-submodule update because it gets
+    # recorded as part of the clone operation in a sticky manner.
+    if(tls_verify)
+      # Default git behavior is "true", but the user might have changed the
+      # global default to "false". Since TLS_VERIFY was given, ensure we honor
+      # the specified setting regardless of what the global default might be.
+      set(git_submodules_config_options -c http.sslVerify=true)
+    else()
+      set(git_submodules_config_options -c http.sslVerify=false)
+    endif()
+  endif()
+
  configure_file(
      "${CMAKE_CURRENT_FUNCTION_LIST_DIR}/ExternalProject/gitupdate.cmake.in"
      "${script_filename}"
@@ -3361,6 +3388,11 @@ function(_ep_add_update_command name)

    _ep_get_git_submodules_recurse(git_submodules_recurse)

+    get_property(tls_verify TARGET ${name} PROPERTY _EP_TLS_VERIFY)
+    if("x${tls_verify}" STREQUAL "x" AND DEFINED CMAKE_TLS_VERIFY)
+      set(tls_verify "${CMAKE_TLS_VERIFY}")
+    endif()
+
    set(update_script "${tmp_dir}/${name}-gitupdate.cmake")
    list(APPEND file_deps ${update_script})
    _ep_write_gitupdate_script(
@@ -3374,6 +3406,7 @@ function(_ep_add_update_command name)
      "${git_repository}"
      "${work_dir}"
      "${git_update_strategy}"
+      "${tls_verify}"
    )
    set(cmd              ${CMAKE_COMMAND} -Dcan_fetch=YES -P ${update_script})
    set(cmd_disconnected ${CMAKE_COMMAND} -Dcan_fetch=NO  -P ${update_script})
--- a/Modules/ExternalProject/gitclone.cmake.in
+++ b/Modules/ExternalProject/gitclone.cmake.in
@@ -25,7 +25,7 @@ set(error_code 1)
 set(number_of_tries 0)
 while(error_code AND number_of_tries LESS 3)
  execute_process(
-    COMMAND "@git_EXECUTABLE@" @git_options@
+    COMMAND "@git_EXECUTABLE@"
            clone @git_clone_options@ "@git_repository@" "@src_name@"
    WORKING_DIRECTORY "@work_dir@"
    RESULT_VARIABLE error_code
@@ -40,7 +40,7 @@ if(error_code)
 endif()

 execute_process(
-  COMMAND "@git_EXECUTABLE@" @git_options@
+  COMMAND "@git_EXECUTABLE@"
          checkout "@git_tag@" @git_checkout_explicit--@
  WORKING_DIRECTORY "@work_dir@/@src_name@"
  RESULT_VARIABLE error_code
@@ -52,7 +52,7 @@ endif()
 set(init_submodules @init_submodules@)
 if(init_submodules)
  execute_process(
-    COMMAND "@git_EXECUTABLE@" @git_options@
+    COMMAND "@git_EXECUTABLE@" @git_submodules_config_options@
            submodule update @git_submodules_recurse@ --init @git_submodules@
    WORKING_DIRECTORY "@work_dir@/@src_name@"
    RESULT_VARIABLE error_code
--- a/Modules/ExternalProject/gitupdate.cmake.in
+++ b/Modules/ExternalProject/gitupdate.cmake.in
@@ -283,7 +283,9 @@ endif()
 set(init_submodules "@init_submodules@")
 if(init_submodules)
  execute_process(
-    COMMAND "@git_EXECUTABLE@" --git-dir=.git submodule update @git_submodules_recurse@ --init @git_submodules@
+    COMMAND "@git_EXECUTABLE@"
+            --git-dir=.git @git_submodules_config_options@
+            submodule update @git_submodules_recurse@ --init @git_submodules@
    WORKING_DIRECTORY "@work_dir@"
    COMMAND_ERROR_IS_FATAL ANY
  )