[Backport release-24.05]: qdigidoc: fix TSL loading, package bumps (#357559)

pkgs/development/libraries/libdigidocpp/default.nix

@@ -1,31 +1,51 @@
-{ lib, stdenv, fetchurl, fetchpatch, cmake, minizip, pcsclite, opensc, openssl
-, xercesc, xml-security-c, pkg-config, xsd, zlib, xalanc, xxd }:
+{ lib
+, stdenv
+, fetchurl
+, cmake
+, libtool
+, libxml2
+, minizip
+, pcsclite
+, opensc
+, openssl
+, xercesc
+, pkg-config
+, xsd
+, zlib
+, xmlsec
+, xxd
+}:
 
 stdenv.mkDerivation rec {
-  version = "3.17.1";
+  version = "4.0.0";
   pname = "libdigidocpp";
 
   src = fetchurl {
-     url = "https://github.com/open-eid/libdigidocpp/releases/download/v${version}/libdigidocpp-${version}.tar.gz";
-     hash = "sha256-3qDsIAOiWMZDj2zLE+Os7BoeCPeC4JQ6p8jSBd7PdV0=";
+    url = "https://github.com/open-eid/libdigidocpp/releases/download/v${version}/libdigidocpp-${version}.tar.gz";
+    hash = "sha256-0G7cjJEgLJ24SwHRznKJ18cRY0m50lr6HXstfbYq9f8=";
   };
 
   nativeBuildInputs = [ cmake pkg-config xxd ];
 
   buildInputs = [
-    minizip pcsclite opensc openssl xercesc
-    xml-security-c xsd zlib xalanc
+    libxml2
+    minizip
+    pcsclite
+    opensc
+    openssl
+    xercesc
+    xsd
+    zlib
+    xmlsec
   ];
 
   outputs = [ "out" "lib" "dev" "bin" ];
 
-  # Cherry-pick of
-  # https://github.com/open-eid/libdigidocpp/commit/2b5db855ba3ceb9bae1f11589ea1aea22bb7595a
-  # Fixes https://github.com/NixOS/nixpkgs/issues/334397
-  postPatch = ''
-    substituteInPlace CMakeLists.txt \
-      --replace-fail 'TSA_URL "http://dd-at.ria.ee/tsa"' 'TSA_URL "https://eid-dd.ria.ee/ts"'
-  '';
+  # This wants to link to ${CMAKE_DL_LIBS} (ltdl), and there doesn't seem to be
+  # a way to tell CMake where this should be pulled from.
+  # A cleaner fix would probably be to patch cmake to use
+  # `-L${libtool.lib}/lib -ltdl` for `CMAKE_DL_LIBS`, but that's a world rebuild.
+  env.NIX_LDFLAGS = "-L${libtool.lib}/lib";
 
   # libdigidocpp.so's `PKCS11Signer::PKCS11Signer()` dlopen()s "opensc-pkcs11.so"
   # itself, so add OpenSC to its DT_RUNPATH after the fixupPhase shrinked it.

pkgs/tools/security/qdigidoc/default.nix

@@ -18,34 +18,28 @@
 
 mkDerivation rec {
   pname = "qdigidoc";
-  version = "4.5.1";
+  version = "4.6.0";
 
   src = fetchurl {
     url =
       "https://github.com/open-eid/DigiDoc4-Client/releases/download/v${version}/qdigidoc4-${version}.tar.gz";
-    hash = "sha256-grhSuexp5yd/s8h5AdmdSLBmQY85l9HKZ15oTTvC6PI=";
-  };
-
-  tsl = fetchurl {
-    url = "https://ec.europa.eu/tools/lotl/eu-lotl-pivot-300.xml";
-    sha256 = "1cikz36w9phgczcqnwk4k3mx3kk919wy2327jksmfa4cjfjq4a8d";
+    hash = "sha256-szFLY9PpZMMYhfV5joueShfu92YDVmcCC3MOWIOAKVg=";
   };
 
   patches = [
-    # https://github.com/open-eid/DigiDoc4-Client/pull/1251
     (fetchpatch {
-      url = "https://github.com/open-eid/DigiDoc4-Client/commit/30281d14c5fb5582832eafbc254b56f8d685227d.patch";
-      hash = "sha256-nv23NbPUogOhS8No3SMIrAcPChl+d1HkxnePpCKIoUw=";
+      url = "https://github.com/open-eid/DigiDoc4-Client/commit/bb324d18f0452c2ab1b360ff6c42bb7f11ea60d7.patch";
+      hash = "sha256-JpaU9inupSDsZKhHk+sp5g+oUynVFxR7lshjTXoFIbU=";
     })
+
+    # Regularly update this with what's on https://src.fedoraproject.org/rpms/qdigidoc/blob/rawhide/f/sandbox.patch
+    # This prevents attempts to download TSL lists inside the build sandbox.
+    # The list files are regularly updated (get new signatures), though this also happens at application runtime.
+    ./sandbox.patch
   ];
 
   nativeBuildInputs = [ cmake gettext pkg-config qttools ];
 
-  postPatch = ''
-    substituteInPlace client/CMakeLists.txt \
-      --replace $\{TSL_URL} file://${tsl}
-  '';
-
   buildInputs = [
     flatbuffers
     libdigidocpp