fetchurl: revert enabling TLS verification when NIX_SSL_CERT_FILE (#351420)

Philip Taron 2024-10-26 07:14:16 -07:00 committed by GitHub
commit 71de335722
GPG Key ID: B5690EEEBB952194
2 changed files with 4 additions and 11 deletions


@ -19,8 +19,7 @@ curl=(
--user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
)
# Default fallback value defined in pkgs/build-support/fetchurl/default.nix
if [ "$SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
if ! [ -f "$SSL_CERT_FILE" ]; then
curl+=(--insecure)
fi
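Review bot: The restored `! [ -f "$SSL_CERT_FILE" ]` test turns off certificate verification for any path that does not exist, including an unset or empty `SSL_CERT_FILE` (`[ -f "" ]` is false) or a typo in the variable, and it does so silently. The fallback is only acceptable because default.nix selects the cacert bundle whenever the hash is a placeholder or `netrcPhase` is set, so the fixed-output hash is the remaining integrity check; that reasoning is not stated anywhere on the new side of this hunk. A one-line comment above the `if`, `# Only reached when default.nix left the sentinel path; the fixed-output hash still pins the content`, and a trace before the flag is added, `echo "warning: $SSL_CERT_FILE not found, TLS verification disabled" >&2`, would make an unintended fallback visible in build logs. The `curl=(` array closed at the top of this hunk begins outside it.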


@ -220,26 +220,20 @@ stdenvNoCC.mkDerivation (
# New-style output content requirements.
inherit (hash_) outputHashAlgo outputHash;
# Disable TLS verification only when we know the hash and no credentials are
# needed to access the resource
SSL_CERT_FILE =
let
nixSSLCertFile = builtins.getEnv "NIX_SSL_CERT_FILE";
in
if nixSSLCertFile != "" then
nixSSLCertFile
else if
if
(
hash_.outputHash == ""
|| hash_.outputHash == lib.fakeSha256
|| hash_.outputHash == lib.fakeSha512
|| hash_.outputHash == lib.fakeHash
# Make sure we always enforce TLS verification when credentials
# are needed to access the resource
|| netrcPhase != null
)
then
"${cacert}/etc/ssl/certs/ca-bundle.crt"
else
# Fallback to stdenv default, see pkgs/stdenv/generic/setup.sh
"/no-cert-file.crt";
outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
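Review bot: The restored `if` condition spells out four placeholder-hash comparisons with repeated `||`, which hides the single question being asked (is the hash unknown?) and is easy to get out of sync if another placeholder is added. A membership test reads as the intent: `lib.elem hash_.outputHash [ "" lib.fakeSha256 lib.fakeSha512 lib.fakeHash ] || netrcPhase != null`, with the existing credentials comment kept above the `netrcPhase` term. The `"/no-cert-file.crt"` branch is coupled to builder.sh, which passes `--insecure` only when that path is absent, so the comment there should say so: `# Sentinel path that must not exist; builder.sh disables verification when it is missing`. The `stdenvNoCC.mkDerivation (` attribute set begins before this hunk and continues after it.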