On 16.03.26 at 16:30, Mark Hegreberg wrote:
> On 2026-03-15 10:41, nibo wrote:
>> My goal is to have a custom repository that can only be used by me. But https URLs do work. So if I could specify a TLS certificate that is signed by a certificate authority certificate that I control I could use a regular https URL but still be the only one with the required TLS certificate to connect. From what I saw libalpm uses libcurl. libcurl has options like `CURLOPT_SSLCERT` and `CURLOPT_SSLKEY` that can be set with `curl_easy_setopt`. Those two options could be controlled through the pacman configuration file.
>
> Maybe I'm misunderstanding, but I don't think this would provide what you're looking for. It's trivial to access any site where you don't trust the CA. Either bypass the error, or copy the cert into your trusted cert store (this is pretty easy to do from any website, by getting the public chain from the initial request/handshake).
>
> TLS is great for e2e encryption, and for authenticity, but it's not really functional as an authentication/authorization control. All I would have to do is `curl -k https://your.private.repo` and I'd be able to see and download any packages you had.
>
> Let me know if I'm not understanding what you're trying to do.
>
> Mark

I believe they mean to use TLS client authentication, where not only the server has a certificate, but the client too, and the server decides whether it will accept the certificate the client has. And in that case it is functional as authentication, if the server for example only accepts client certificates of a certain private CA (chain) or has a fingerprint list or something like that.

Search keywords: "TLS client authentication", "TLS client certificates", "Mutual TLS", "mTLS"

-- 
regards, brainpower