Automatically set http.systemCertificates: false as a workaround

With the setting on (the default), Electron will pull in the expired DST Root CA X3 certificate from the OS, and prefer it over the non-expired root, and thus claim the server's certificate has expired even though it has not. See SpaceManiac/SpacemanDMM#298 and microsoft/vscode#136787
SpaceManiac · Nov 25, 2021 · eb60c30 · eb60c30
1 parent 913e965
commit eb60c30
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/package.json b/package.json
@@ -120,6 +120,10 @@
 					"type": "boolean",
 					"default": null,
 					"description": "Whether the Object Tree pane should be loaded."
+				},
+				"dreammaker.httpSystemCertificatesHack": {
+					"type": "boolean",
+					"default": null
 				}
 			}
 		},

diff --git a/src/extension.ts b/src/extension.ts
@@ -383,6 +383,19 @@ async function prompt_for_server_command(context: ExtensionContext, message: str
 	return path;
 }
 
+async function cert_config_hack(): Promise<void> {
+	// See https://github.com/SpaceManiac/SpacemanDMM/issues/298
+	// and https://github.com/microsoft/vscode/issues/136787
+	if (workspace.getConfiguration('http').get<boolean>('systemCertificates')) {
+		// Set a sentinel so that we know that we set it rather than the user, and thus we can revert it later.
+		await workspace.getConfiguration('dreammaker').update('httpSystemCertificatesHack', true, ConfigurationTarget.Global);
+		await workspace.getConfiguration('http').update('systemCertificates', false, ConfigurationTarget.Global);
+		// Setting docs say that a window reload is required for it to take effect.
+		await vscode.commands.executeCommand('workbench.action.reloadWindow');
+	}
+	// Already tried applying the hack and it didn't work, so give up.
+}
+
 async function auto_update(context: ExtensionContext, platform: string, arch: string, out_file: string, hash: string | null): Promise<string | undefined> {
 	if (!await config.auto_update()) {
 		return "Auto-update disabled.";
@@ -398,6 +411,10 @@ async function auto_update(context: ExtensionContext, platform: string, arch: st
 		res = await fetch(url);
 	} catch (e) {
 		// network error
+		if (`${e}`.includes('certificate has expired')) {
+			// Reloads the window if it succeeds, returns if it doesn't.
+			await cert_config_hack();
+		}
 		return `${e}.`;
 	}
 	switch (res.status) {