fetchurl: revert enabling TLS verification when NIX_SSL_CERT_FILE

This reverts commit f829274128.
Thomas Gerbet 2024-10-26 13:58:19 +02:00
parent f251273e41
commit 31ab653f7e
2 changed files with 4 additions and 11 deletions


@ -19,8 +19,7 @@ curl=(
--user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion" --user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
) )
# Default fallback value defined in pkgs/build-support/fetchurl/default.nix if ! [ -f "$SSL_CERT_FILE" ]; then
if [ "$SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
curl+=(--insecure) curl+=(--insecure)
fi fi
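Review bot: The `if ! [ -f "$SSL_CERT_FILE" ]; then` guard, which I take to be the restored (new-side) line since the commit is a revert and the page shows no +/- markers, adds `--insecure` for any path that does not exist, not only the `/no-cert-file.crt` sentinel that default.nix sets, so a mistyped or unmounted certificate file silently downgrades the fetch to unverified TLS. Nothing in the hunk makes that downgrade visible in the build log. Suggest announcing it right before `curl+=(--insecure)`: `echo "warning: SSL_CERT_FILE '$SSL_CERT_FILE' not found; fetching with TLS verification disabled" >&2`. The `curl=(` array this sits in starts before the hunk.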


@ -220,26 +220,20 @@ stdenvNoCC.mkDerivation (
# New-style output content requirements. # New-style output content requirements.
inherit (hash_) outputHashAlgo outputHash; inherit (hash_) outputHashAlgo outputHash;
# Disable TLS verification only when we know the hash and no credentials are
# needed to access the resource
SSL_CERT_FILE = SSL_CERT_FILE =
let if
nixSSLCertFile = builtins.getEnv "NIX_SSL_CERT_FILE";
in
if nixSSLCertFile != "" then
nixSSLCertFile
else if
( (
hash_.outputHash == "" hash_.outputHash == ""
|| hash_.outputHash == lib.fakeSha256 || hash_.outputHash == lib.fakeSha256
|| hash_.outputHash == lib.fakeSha512 || hash_.outputHash == lib.fakeSha512
|| hash_.outputHash == lib.fakeHash || hash_.outputHash == lib.fakeHash
# Make sure we always enforce TLS verification when credentials
# are needed to access the resource
|| netrcPhase != null || netrcPhase != null
) )
then then
"${cacert}/etc/ssl/certs/ca-bundle.crt" "${cacert}/etc/ssl/certs/ca-bundle.crt"
else else
# Fallback to stdenv default, see pkgs/stdenv/generic/setup.sh
"/no-cert-file.crt"; "/no-cert-file.crt";
outputHashMode = if (recursiveHash || executable) then "recursive" else "flat"; outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
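Review bot: The restored `SSL_CERT_FILE` expression leaves no trace of why `NIX_SSL_CERT_FILE` is not consulted, and the commit description names only the reverted hash, so the `builtins.getEnv "NIX_SSL_CERT_FILE"` lookup this commit removes is likely to be reintroduced by the next reader. Suggest a comment above `SSL_CERT_FILE =` along the lines of `# NIX_SSL_CERT_FILE is deliberately not read here: a builtins.getEnv lookup makes this attribute depend on the evaluator's environment (see f829274128 and its revert).` The environment dependence follows from what getEnv does, but I cannot confirm from this page that it is the reason for the revert, so the wording may need adjusting. The attribute set belongs to the `stdenvNoCC.mkDerivation (` call that begins before the hunk.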