From db670c5fe35ffb13e863dd5560a8a1d9fd780663 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Thu, 25 Apr 2019 19:13:40 +0200
Subject: coverity: help wget to complete coverity's certificate chain

---
 travis-ci/tools/get-coverity.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/travis-ci/tools/get-coverity.sh b/travis-ci/tools/get-coverity.sh
index b7e907a417..c5f622b5a4 100755
--- a/travis-ci/tools/get-coverity.sh
+++ b/travis-ci/tools/get-coverity.sh
@@ -22,8 +22,14 @@ sudo apt-get update && sudo apt-get -y install wget
 if [ ! -d $TOOL_BASE ]; then
     # Download Coverity Scan Analysis Tool
     if [ ! -e $TOOL_ARCHIVE ]; then
-	echo -e "\033[33;1mDownloading Coverity Scan Analysis Tool...\033[0m"
-	wget -nv -O $TOOL_ARCHIVE $TOOL_URL --post-data "project=$COVERITY_SCAN_PROJECT_NAME&token=$COVERITY_SCAN_TOKEN"
+        echo -e "\033[33;1mDownloading Coverity Scan Analysis Tool...\033[0m"
+        # According to https://www.ssllabs.com/ssltest/analyze.html?d=scan.coverity.com&latest,
+        # the certificate chain is incomplete. Let's complete it manually by downloading the
+        # missing piece (which is far from ideal but better than --no-check-certificate). This should
+        # be removed once it ends up in /etc/ssl/certs/ca-certificates.crt officially.
+        cp /etc/ssl/certs/ca-certificates.crt .
+        wget -nv -O - https://entrust.com/root-certificates/entrust_l1k.cer | tee -a ./ca-certificates.crt
+        wget --ca-certificate ./ca-certificates.crt -nv -O $TOOL_ARCHIVE $TOOL_URL --post-data "project=$COVERITY_SCAN_PROJECT_NAME&token=$COVERITY_SCAN_TOKEN"
     fi
 
     # Extract Coverity Scan Analysis Tool
-- 
cgit v1.2.1