OfflineIMAP / offlineimap

Read/sync your IMAP mailboxes (python2) [LEGACY: move to offlineimap3]
http://www.offlineimap.org

Fingerprint detection failing with new GMail certs #617

Closed mathstuf closed 5 years ago

mathstuf commented 5 years ago

General information

Gmail is now returning multiple-fingerprinted certificates. Offlineimap should iterate over them and verify if any given fingerprint is present in cert_fingerprint.

Configuration file offlineimaprc

[general]
accounts = kitware
maxsyncaccounts = 3
metadata = ~/.local/share/offlineimap/metadata
ui = basic
pythonfile = ~/.config/offlineimap/config.py

[mbnames]
enabled = yes
filename = ~/.local/share/mutt/muttrc.mailboxes
header = "mailboxes "
peritem = "+%(accountname)s/%(foldername)s"
sep = " "
incremental = no

[Account kitware]
localrepository = local-kitware
remoterepository = kitware
autorefresh = 60
postsynchook = notmuch new
synclabels = yes
labelsheader = X-Labels

[Repository local-kitware]
type = GmailMaildir
localfolders = ~/.local/share/mail/kitware
sep = /

[Repository kitware]
type = IMAP
createfolders = False
newmail_hook = notify('kitware')
remotehost = imap.gmail.com
remoteport = 993
remoteuser = ben.boeckel@kitware.com
remotepass = XXX
ssl = yes
ssl_version = tls1_2
tls_level = tls_secure
sslcacertfile = ~/.local/share/offlineimap/ssl/gmail.crt
cert_fingerprint = ae6e3722977f8e2c50538494eabc26f1e996bdfd,af06d14ca981aded8f25e1e692c29361b5ca4136,63c14c50a0686dfb48ba1aea627f8c30d6dfcdbf,de236b9e3f23400d4b1533552b104fb279db8450,0039b1db68cd41acb90bb4660882067b5abe3d35,09c46f8f87f1ee39d5dd74ed51246230d1108485,85870c29f54ad4777b4c86ae052dbaf0619eb539,aa5792751c19731c98c2fa5a6e6881506962dd89,d8a102663f1e366e783307dcc2472765391ed30e,e1cdf83ca52ebc64d4d6d462c6dfa856ee0fc1b8,a4ce3a49d31e6ad83940b56f2f2d1bb8faf5a2f9,74bc9a1da603fd9099a8c505e983c84cff570604,02c2a51445ab4207445bbab64282e00e9857a046704d5900e217ea605d66c4b740f651ca447d9b01005e4b72032c53f5d208b9e55b2fab631bb

pythonfile (if any)

import subprocess

def notify(account):
    def _notify():
        subprocess.check_call([
                'notify-send',
                '--urgency=normal',
                '--expire-time=20',
                '--app-name=offlineimap',
                '--icon=emblem-mail',
                '--category=mail',
                'New mail',
                'New mail in %s' % account,
            ])

    return _notify

Logs, error

May 14 14:58:51 rotor eventd[1262]: creating error event: Server SSL fingerprint(s) '[('openssl_sha512', '02c2a51445ab4207445bbab64282e00e9857a046704d5900e217ea605d66c4b740f651ca447d9b01005e4b72032c5
3f5d208b9e55b2fab631bbf749b80c29a72'), ('openssl_sha384', '4a782a962071208f5fe7c27189b507350bbe3395b949bac54c74f11978fc55ae082d8285b26c4ddf3521fbcfbef91f87'), ('openssl_sha256', '024583cdabc7bd0d5b14
8063d34a6034a505f7edcb84d209fbbca451052ba1eb'), ('openssl_sha224', '394a3d7a68dccb6b41852ae4df5822d2b14211c185a7177cc115e798'), ('openssl_sha1', '8c779c20b79371a72cd7418bb1524ddc0e5abab6')]' for host
name 'imap.gmail.com' does not match configured fingerprint(s) ['ae6e3722977f8e2c50538494eabc26f1e996bdfd', 'af06d14ca981aded8f25e1e692c29361b5ca4136', '63c14c50a0686dfb48ba1aea627f8c30d6dfcdbf', 'de
236b9e3f23400d4b1533552b104fb279db8450', '0039b1db68cd41acb90bb4660882067b5abe3d35', '09c46f8f87f1ee39d5dd74ed51246230d1108485', '85870c29f54ad4777b4c86ae052dbaf0619eb539', 'aa5792751c19731c98c2fa5a6
e6881506962dd89', 'd8a102663f1e366e783307dcc2472765391ed30e', 'e1cdf83ca52ebc64d4d6d462c6dfa856ee0fc1b8', 'a4ce3a49d31e6ad83940b56f2f2d1bb8faf5a2f9', '74bc9a1da603fd9099a8c505e983c84cff570604', '02c2
a51445ab4207445bbab64282e00e9857a046704d5900e217ea605d66c4b740f651ca447d9b01005e4b72032c53f5d208b9e55b2fab631bb'].  Please verify and set 'cert_fingerprint' accordingly if not set yet.

Steps to reproduce the error

mathstuf commented 5 years ago

Gah. sha512 hashes are wider than my terminal. Copy/pasting from the error log truncated the new hash.
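
The failure mode in this thread, a configured pin that is a cut-off copy of one of the server's digests, can be caught before it shows up as a generic mismatch. The following is an added example, not part of the thread and not OfflineIMAP's own code: `server_fingerprints` and `check_pins` are names chosen here, it is written for Python 3, and the certificate bytes are a constructed stand-in rather than a real certificate.

```python
import hashlib
import hmac
import string

# Hex-digest length for each algorithm named in the error log above.
HEX_LEN = {name: hashlib.new(name).digest_size * 2
           for name in ("sha1", "sha224", "sha256", "sha384", "sha512")}


def server_fingerprints(der_cert):
    """Hash the DER-encoded certificate with every supported algorithm."""
    return {name: hashlib.new(name, der_cert).hexdigest() for name in HEX_LEN}


def check_pins(der_cert, cert_fingerprint):
    """Return (matches, problems) for a comma-separated cert_fingerprint value.

    matches:  [(algorithm, pin)] for pins equal to a presented fingerprint.
    problems: [(pin, truncated_from)] for pins that are not a whole hex digest;
              truncated_from lists algorithms whose digest starts with the pin.
    """
    presented = server_fingerprints(der_cert)
    matches, problems = [], []
    for raw in cert_fingerprint.split(","):
        pin = raw.strip().lower()
        if not pin:
            continue
        is_hex = all(c in string.hexdigits for c in pin)
        algos = [a for a, n in HEX_LEN.items() if n == len(pin)]
        if not is_hex or not algos:
            # Malformed pin: report it, and say if it looks like a cut-off digest.
            cut = [a for a, fp in presented.items() if fp.startswith(pin)]
            problems.append((pin, cut))
            continue
        for algo in algos:
            # Constant-time comparison of full-length digests only.
            if hmac.compare_digest(presented[algo], pin):
                matches.append((algo, pin))
    return matches, problems


if __name__ == "__main__":
    cert = b"constructed stand-in for DER certificate bytes"  # constructed sample
    fps = server_fingerprints(cert)
    pins = "00" * 20 + "," + fps["sha512"][:115]  # stale SHA-1 pin + truncated SHA-512
    print(check_pins(cert, pins))
```

A pin is only ever compared at full digest length; a prefix match is reported as a configuration problem and never accepted as a match.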