nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-27 17:33:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

firefox: Improve detecting signing requirements

Browse Source 
Firefox 61 started to enforce signatures for add-ons and since
commit d031843a1e, we get an evaluation
error that recommends the user to switch to Firefox ESR.

This isn't an option for everyone and as I also pointed out in the pull
request[1] introducing the above commit, I've been building Firefox like
this:

  let
    firefoxNoSigning = firefox-unwrapped.overrideAttrs (lib.const {
      MOZ_REQUIRE_SIGNING = false;
    });
  in wrapFirefox firefoxNoSigning {
    nixExtensions = ...;
  }

However, this only works after manually modifying nixpkgs (or copy &
paste wrapper.nix elsewhere) every time I want to have a new Firefox
version. Of course, this gets annoying and tedious after a while, so
this motivated me to properly fix this to not only check for an ESR
version but also check the value of MOZ_REQUIRE_SIGNING.

Note that I'm using toString here to check for the value because there
are several ways (false, null, "", ...) to set the environment variable
to an empty string and toString makes sure that it really is the desired
behaviour. I specifically checked the Firefox source and also tested
this with multiple values and only building with MOZ_REQUIRE_SIGNING
set to an empty string seems to work (no "0", "false" or other
variants).

Additionally, there is another method to allow unsigned add-ons, which
is by using the --with-unsigned-addon-scopes configure option[2].
Unfortunately, this does not work with nixExtensions because we don't
have (or want) a central directory where those add-ons reside.

Given that nixExtensions disallows manually installing add-ons, setting
MOZ_REQUIRE_SIGNING to false should be safe in this case.

[1]: https://github.com/NixOS/nixpkgs/pull/133504
[2]: https://bugs.archlinux.org/task/63075

Signed-off-by: aszlig <aszlig@nix.build>
This commit is contained in:
aszlig 2022-06-21 01:51:31 +02:00
parent e70a58eb4f
commit 9744ff74ad
No known key found for this signature in database
GPG Key ID: 684089CE67EBB691
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
pkgs/applications/networking/browsers/firefox/wrapper.nix
View File

@ -97,12 +97,15 @@ let
nameArray = builtins.map(a: a.name) (if usesNixExtensions then nixExtensions else []);
requiresSigning = browser ? MOZ_REQUIRE_SIGNING
-> toString browser.MOZ_REQUIRE_SIGNING != "";
# Check that every extension has a unqiue .name attribute
# and an extid attribute
extensions = if nameArray != (lib.unique nameArray) then
throw "Firefox addon name needs to be unique"
else if ! (lib.hasSuffix "esr" browser.name) then
throw "Nix addons are only supported in Firefox ESR"
else if requiresSigning && !lib.hasSuffix "esr" browser.name then
throw "Nix addons are only supported without signature enforcement (eg. Firefox ESR)"
else builtins.map (a:
if ! (builtins.hasAttr "extid" a) then
throw "nixExtensions has an invalid entry. Missing extid attribute. Please use fetchfirefoxaddon"