Pin installer-downloader to LE root for version metadata

mullvad · Feb 27, 2025 · 258803f · 258803f
1 parent 647ff1d
commit 258803f
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 1 deletion.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/installer-downloader/Cargo.toml b/installer-downloader/Cargo.toml
@@ -20,6 +20,7 @@ anyhow = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread", "fs"] }
 async-trait = "0.1"
 rand = { version = "0.8.5" }
+reqwest = { version = "0.12.9", default-features = false, features = ["rustls-tls"] }
 serde = { workspace = true, features = ["derive"] }
 
 

diff --git a/installer-downloader/src/controller.rs b/installer-downloader/src/controller.rs
@@ -14,6 +14,8 @@ use rand::seq::SliceRandom;
 
 use tokio::sync::{mpsc, oneshot};
 
+const PINNED_CERTIFICATE: &[u8] = include_bytes!("../../mullvad-api/le_root_cert.pem");
+
 /// Actions handled by an async worker task in [handle_action_messages].
 enum TaskMessage {
     SetVersionInfo(VersionInfo),
@@ -39,9 +41,10 @@ pub fn initialize_controller<T: AppDelegate + 'static>(delegate: &mut T) {
     const STAGEMOLE_PUBKEY: &str = include_str!("../../mullvad-update/stagemole-pubkey");
     let verifying_key =
         mullvad_update::format::key::VerifyingKey::from_hex(STAGEMOLE_PUBKEY).expect("valid key");
+    let cert = reqwest::Certificate::from_pem(PINNED_CERTIFICATE).expect("invalid cert");
     let version_provider = HttpVersionInfoProvider {
         url: get_metadata_url(),
-        pinned_certificate: None,
+        pinned_certificate: Some(cert),
         verifying_key,
     };