From f829274128e2feb3a0e238ed90a6c0a8b1664cf9 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Mon, 21 Oct 2024 13:33:27 +0200
Subject: [PATCH] fetchurl: enable TLS verification when `NIX_SSL_CERT_FILE` is set

This is a follow-up to a169553f7e3b61b7390106d658dbc718e98ac1a1. In most cases it should allow the TLS verification to be enabled. It also makes the behavior of `fetchurl` more consistent with other fetchers like `fetchgit`. Ideally we would always fallback on `cacert` but I am not sure how to build `cacert` during bootstrap without making an unmaintainable mess.
---
 pkgs/build-support/fetchurl/builder.sh | 3 ++-
 pkgs/build-support/fetchurl/default.nix | 12 +++++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/pkgs/build-support/fetchurl/builder.sh b/pkgs/build-support/fetchurl/builder.sh
index a82728ef1025..52d4155f4604 100644
--- a/pkgs/build-support/fetchurl/builder.sh
+++ b/pkgs/build-support/fetchurl/builder.sh
@@ -19,7 +19,8 @@ curl=(
 --user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
 )
 
-if ! [ -f "$SSL_CERT_FILE" ]; then
+# Default fallback value defined in pkgs/build-support/fetchurl/default.nix
+if [ "$SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
 curl+=(--insecure)
 fi
 
diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix
index e4a70743334b..ccfc02d47c54 100644
--- a/pkgs/build-support/fetchurl/default.nix
+++ b/pkgs/build-support/fetchurl/default.nix
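Review bot: The new `if` line only disables verification for the exact `/no-cert-file.crt` sentinel, so any other `SSL_CERT_FILE` value that curl cannot load inside the build sandbox — for instance a `NIX_SSL_CERT_FILE` path that the default.nix hunk copies from the evaluating user's environment via `builtins.getEnv` — now makes curl refuse the transfer where the removed `-f` test silently fell back to `--insecure`. Failing closed is the right default for a fetcher, but it is a behaviour change the commit message does not state, and in pure evaluation `builtins.getEnv` yields `""` so the new branch in default.nix is never reached there; I would record both next to the sentinel check with `# Only the sentinel disables verification; any other path is passed to curl unchanged, and an unreadable one fails the fetch instead of silently going insecure.` Minor style point on the same line: `==` inside `[ ]` is a bashism, `[ "$SSL_CERT_FILE" = "/no-cert-file.crt" ]` is the portable spelling, though harmless while builder.sh runs under bash.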
@@ -220,20 +220,26 @@ stdenvNoCC.mkDerivation (
 # New-style output content requirements.
 inherit (hash_) outputHashAlgo outputHash;
- # Disable TLS verification only when we know the hash and no credentials are
- # needed to access the resource
 SSL_CERT_FILE =
- if
+ let
+ nixSSLCertFile = builtins.getEnv "NIX_SSL_CERT_FILE";
+ in
+ if nixSSLCertFile != "" then
+ nixSSLCertFile
+ else if
 (
 hash_.outputHash == ""
 || hash_.outputHash == lib.fakeSha256
 || hash_.outputHash == lib.fakeSha512
 || hash_.outputHash == lib.fakeHash
+ # Make sure we always enforce TLS verification when credentials
+ # are needed to access the resource
 || netrcPhase != null
 )
 then
 "${cacert}/etc/ssl/certs/ca-bundle.crt"
 else
+ # Fallback to stdenv default, see pkgs/stdenv/generic/setup.sh
 "/no-cert-file.crt";
 outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";