dgit: Drop support for old attempts at cert/key pinning
authorIan Jackson <ijackson@chiark.greenend.org.uk>
Tue, 23 Jul 2019 15:22:19 +0000 (16:22 +0100)
committerIan Jackson <ijackson@chiark.greenend.org.uk>
Tue, 23 Jul 2019 15:22:19 +0000 (16:22 +0100)
I don't think anyone is using these.  We are going to do something
different to try to fix #932570.

When #790093 is fixed we may need something like archive-query-tls-key
(or even exactly that) but we would have to reimplement it for
WWW::Curl anyway.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
dgit

diff --git a/dgit b/dgit
index ca6fe56ab840fe9342f6a1235904a3ac3ee1fc66..00f86c66098c39779728c89fd00c8a16e0087cb7 100755 (executable)
--- a/dgit
+++ b/dgit
@@ -1197,27 +1197,11 @@ sub archive_api_query_cmd ($) {
     my @cmd = (@curl, qw(-sS));
     my $url = access_cfg('archive-query-url');
     if ($url =~ m#^https://([-.0-9a-z]+)/#) {
-       my $host = $1;
-       my $keys = access_cfg('archive-query-tls-key','RETURN-UNDEF') //'';
-       foreach my $key (split /\:/, $keys) {
-           $key =~ s/\%HOST\%/$host/g;
-           if (!stat $key) {
-               fail "for $url: stat $key: $!" unless $!==ENOENT;
-               next;
-           }
-           fail f_ "config requested specific TLS key but do not know".
-                   " how to get curl to use exactly that EE key (%s)",
-                   $key;
-#          push @cmd, "--cacert", $key, "--capath", "/dev/enoent";
-#           # Sadly the above line does not work because of changes
-#           # to gnutls.   The real fix for #790093 may involve
-#           # new curl options.
-           last;
+       foreach my $k (qw(archive-query-tls-key
+                         archive-query-tls-curl-ca-args)) {
+           fail "config option $k is obsolete and no longer supported"
+               if defined access_cfg($k, 'RETURN-UNDEF');
        }
-       # Fixing #790093 properly will involve providing a value
-       # for this on clients.
-       my $kargs = access_cfg('archive-query-tls-curl-ca-args','RETURN-UNDEF');
-       push @cmd, split / /, $kargs if defined $kargs;
     }
     push @cmd, $url.$subpath;
     return @cmd;
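Review bot: The obsolete-option check sits inside the `if ($url =~ m#^https://([-.0-9a-z]+)/#)` branch, so a configuration that still sets `archive-query-tls-key` or `archive-query-tls-curl-ca-args` is rejected only when the URL matches that pattern; with an `http://` URL, an explicit port or an uppercase host the options are silently ignored and the query runs without the pinning the user asked for. Hoisting the `foreach` above the `if` would make the failure unconditional, and the `if` with its now-unused host capture would then have nothing left in it. The removed code passed its message through `f_`, so the new one would stay translatable as `fail f_ "config option %s is obsolete and no longer supported", $k`. The body of archive_api_query_cmd starts above the hunk and its closing brace is below it.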