Google Code changing host fingerprint causes hg pull to fail

I'm using Google code and Mercurial for a small project javaclass-rb. I cloned the repository using HTTPS. My .hg/hgrc contains

[paths]
default = https://javaclass-rb.googlecode.com/hg/

From time to time Google Code has a different fingerprint (most likely to the clustering of service). When I want to pull (with hg 1.8.4), I get

E:\Develop\JavaClass>hg pull -u
abort: invalid certificate for javaclass-rb.googlecode.com with fingerprint 28:92:6b:9b:40:10:cc:0e:4c:16:a4:78:7f:bb:1a:8d:d4:d1:d3:27

Then I have to change my ~/.hgrc file and update the hostfingerprintssection to contain the new fingerprint:

[hostfingerprints]
javaclass-rb.googlecode.com = 28:92:6b:9b:40:10:cc:0e:4c:16:a4:78:7f:bb:1a:8d:d4:d1:d3:27

Th开发者_如何学Cen everything works fine again, until next time. Now this gets annoying as I did it ten times already, approx. once a month, and have to do it on several machines (desktop, laptop, work pc etc.)...

34:4b:90:e7:e3:36:81:0d:52:1f:10:c0:4c:98:66:90:4a:9e:05:c9
6e:a8:09:6a:42:60:d7:81:f7:04:b8:0f:5d:1e:ac:b3:58:db:7e:da
89:6d:fb:e5:4a:7e:72:91:db:0b:ee:72:9f:60:a7:29:65:fd:e1:10
da:b3:df:aa:55:73:ac:65:04:70:78:8e:ed:dd:a9:be:40:a8:64:81
a9:be:c0:4a:da:1c:eb:4c:31:9d:78:27:48:99:f4:9c:9a:e8:53:c8
ed:19:7c:b9:a3:48:27:93:72:74:43:db:26:40:af:e0:7a:90:1c:97
28:92:6b:9b:40:10:cc:0e:4c:16:a4:78:7f:bb:1a:8d:d4:d1:d3:27

Do you know a way to configure Mercurial to ignore the fingerprints or some other way I get rid of this annoyance?

Answer

tonfa led me on the right track. Mercurial is checking also OS certificates. Originally I had to fall back to fingerprints because Googlecode certiicate is not valid for subdomains:

The certificate is only valid for the following names:
  *.googlecode.com , *.u.googlecode.com , googlecode.com , *.codespot.com , *.googlesource.com , googlesource.com  

1) I removed the fingerprints from .hgrc, then the top domain javaclass-rb.googlecode.com worked again, because it is matched by *.googlecode.com.

2) Subdomains have to be cloned with another name, see Google support.

Ignoring the fingerprints and not verifying the signature is a very bad idea.

You should follow the instructions at https://www.mercurial-scm.org/wiki/CACertificates (basically a recent version of TortoiseHg should be already correctly configured).

Try the command hg pull --insecure.