qdigidoc: fix TSL loading

These are what's used to regularly push new certificate fingerprints to clients, so we need to keep the original URL configured. Use the same approach as fedora, ship an "initial" TSL as a patch, and also patch out the downloading part during the build phase. This seems to reliably get ID Card and SmartID signing to work again. Fixes #334397. Fixes #307927. (cherry picked from commit 0e29f00608)
2025-02-16 09:03:42 +00:00 · 2024-11-20 01:32:06 +02:00 · 2024-11-20 01:32:06 +02:00 · ba65002b0b
commit ba65002b0b
parent 9ad7b04914
2 changed files with 11128 additions and 11 deletions
--- a/pkgs/tools/security/qdigidoc/default.nix
+++ b/pkgs/tools/security/qdigidoc/default.nix
@ -31,21 +31,15 @@ mkDerivation rec {
      url = "https://github.com/open-eid/DigiDoc4-Client/commit/bb324d18f0452c2ab1b360ff6c42bb7f11ea60d7.patch";
      hash = "sha256-JpaU9inupSDsZKhHk+sp5g+oUynVFxR7lshjTXoFIbU=";
    })
+
+    # Regularly update this with what's on https://src.fedoraproject.org/rpms/qdigidoc/blob/rawhide/f/sandbox.patch
+    # This prevents attempts to download TSL lists inside the build sandbox.
+    # The list files are regularly updated (get new signatures), though this also happens at application runtime.
+    ./sandbox.patch
  ];

-  # Check https://dss.nowina.lu/tl-info, "Pivots loaded" section
-  tsl = fetchurl {
-    url = "https://ec.europa.eu/tools/lotl/eu-lotl-pivot-341.xml";
-    hash = "sha256-/TI8qYxXzourjGFPBpsQzi9Depi7lLQ2JaV+FyP0FtE=";
-  };
-
  nativeBuildInputs = [ cmake gettext pkg-config qttools ];

-  postPatch = ''
-    substituteInPlace client/CMakeLists.txt \
-      --replace $\{TSL_URL} file://${tsl}
-  '';
-
  buildInputs = [
    flatbuffers
    libdigidocpp
--- a/pkgs/tools/security/qdigidoc/sandbox.patch
+++ b/pkgs/tools/security/qdigidoc/sandbox.patch