fix passing CA files into builtins:fetchurl sandbox

This patch has been manually adapted from
14dc84ed03

Tested with:

$ NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
  /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'...
error:
       … writing file '/nix/store/0zynn4n8yx59bczy1mgh1lq2rnprvvrc-google.com'

       error: unable to download 'https://google.com': Problem with the SSL CA cert (path? access rights?) (77)
error: builder for '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv' failed with exit code 1

Now returns:

nix-env % NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
this derivation will be built:
  /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'...
error: hash mismatch in fixed-output derivation '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv':
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
            got:    sha256-5xXEhGtnRdopaUTqaz2M1o2NE7ovhU0SjcSOPwntqwY=

(cherry picked from commit 1fbdf409524bb350b8614f3d95067cb9ba3c57f2)
(cherry picked from commit 9b818f14dd)

# Conflicts:
#	src/libstore/build/local-derivation-goal.cc
#	src/libstore/builtins/fetchurl.cc
Puck Meerburg 2024-09-28 16:54:39 +02:00 committed by Mergify
parent 52166fd12e
commit e393ee3fdb
2 changed files with 18 additions and 0 deletions


@ -1748,11 +1748,19 @@ void LocalDerivationGoal::runChild()
if (drv->isBuiltin() && drv->builder == "builtin:fetchurl") { if (drv->isBuiltin() && drv->builder == "builtin:fetchurl") {
try { try {
netrcData = readFile(settings.netrcFile); netrcData = readFile(settings.netrcFile);
<<<<<<< HEAD
} catch (SysError &) { } } catch (SysError &) { }
try { try {
caFileData = readFile(settings.caFile); caFileData = readFile(settings.caFile);
} catch (SysError &) { } } catch (SysError &) { }
=======
} catch (SystemError &) { }
try {
caFileData = readFile(settings.caFile);
} catch (SystemError &) { }
>>>>>>> 9b818f14d (fix passing CA files into builtins:fetchurl sandbox)
} }
#if __linux__ #if __linux__
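Review bot: The new side of this hunk commits the cherry-pick's unresolved conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 9b818f14d (...)`) into local-derivation-goal.cc, so the file cannot compile; the same three markers appear in the builtinFetchurl hunk of fetchurl.cc. HEAD already carries the caFile try/catch using `SysError`, and the incoming side repeats it with `SystemError`, so the resolution here is to drop the marker lines together with the duplicated incoming block and keep `} catch (SysError &) { }` — or whichever of the two exception types this branch actually declares, which the visible lines do not show. In fetchurl.cc the incoming `out` / fixed-output checks between the markers are the new content, so there only the three marker lines need removing. The silent catch around `readFile(settings.caFile)` means an unreadable CA bundle is presumably handed into the sandbox as an empty `ca-certificates.crt`, which then surfaces only as curl's error 77; a `debug()`/`warn()` in that catch would make the failure diagnosable. The enclosing runChild() body starts and ends outside the hunk.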


@ -21,6 +21,16 @@ void builtinFetchurl(
settings.caFile = "ca-certificates.crt"; settings.caFile = "ca-certificates.crt";
writeFile(settings.caFile, caFileData, 0600); writeFile(settings.caFile, caFileData, 0600);
<<<<<<< HEAD
=======
auto out = get(drv.outputs, "out");
if (!out)
throw Error("'builtin:fetchurl' requires an 'out' output");
if (!(drv.type().isFixed() || drv.type().isImpure()))
throw Error("'builtin:fetchurl' must be a fixed-output or impure derivation");
>>>>>>> 9b818f14d (fix passing CA files into builtins:fetchurl sandbox)
auto getAttr = [&](const std::string & name) { auto getAttr = [&](const std::string & name) {
auto i = drv.env.find(name); auto i = drv.env.find(name);