From d9eae340bfca35483b912c21d86fad9d9a9c960e Mon Sep 17 00:00:00 2001
From: Siyuan Miao <i@xswan.net>
Date: Sun, 13 Apr 2025 03:13:35 +0200
Subject: [PATCH] fix(ota): validate root certificate when downloading update

---
 ota.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/ota.go b/ota.go
index a5da772..0559978 100644
--- a/ota.go
+++ b/ota.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/sha256"
+	"crypto/tls"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
@@ -16,6 +17,7 @@ import (
 	"time"
 
 	"github.com/Masterminds/semver/v3"
+	"github.com/gwatts/rootcerts"
 	"github.com/rs/zerolog"
 )
 
@@ -127,10 +129,14 @@ func downloadFile(ctx context.Context, path string, url string, downloadProgress
 		return fmt.Errorf("error creating request: %w", err)
 	}
 
-	// TODO: set a separate timeout for the download but keep the TLS handshake short
-	// use Transport here will cause CA certificate validation failure so we temporarily removed it
 	client := http.Client{
 		Timeout: 10 * time.Minute,
+		Transport: &http.Transport{
+			TLSHandshakeTimeout: 30 * time.Second,
+			TLSClientConfig: &tls.Config{
+				RootCAs: rootcerts.ServerCertPool(),
+			},
+		},
 	}
 
 	resp, err := client.Do(req)