Merge branch 'pin-meta-tool-cert'

dlon · dlon · commit a14eca4428a3 · 2025-03-07T14:30:30.000+01:00
diff --git a/mullvad-update/meta/src/platform.rs b/mullvad-update/meta/src/platform.rs
@@ -10,6 +10,7 @@ use std::{
     fmt,
     path::{Path, PathBuf},
     str::FromStr,
+    sync::LazyLock,
 };
 use tokio::{fs, io};
 use vec1::vec1;
@@ -23,6 +24,12 @@ use crate::{
 /// Actual JSON files should be stored at `<base url>/<platform>.json`.
 const META_REPOSITORY_URL: &str = "https://releases.stagemole.eu/desktop/metadata/";
 
+/// TLS certificate to pin to for `meta pull`.
+static PINNED_CERTIFICATE: LazyLock<reqwest::Certificate> = LazyLock::new(|| {
+    const CERT_BYTES: &[u8] = include_bytes!("../../../mullvad-api/le_root_cert.pem");
+    reqwest::Certificate::from_pem(CERT_BYTES).expect("invalid cert")
+});
+
 #[derive(Clone, Copy)]
 pub enum Platform {
     Windows,
@@ -126,8 +133,7 @@ impl Platform {
             key::VerifyingKey::from_hex(crate::VERIFYING_PUBKEY).expect("Invalid pubkey");
 
         let version_provider = HttpVersionInfoProvider {
-            // TODO: pin
-            pinned_certificate: None,
+            pinned_certificate: Some(PINNED_CERTIFICATE.clone()),
             url,
             verifying_keys: vec1![verifying_key],
         };
