fetchurl: enable TLS verification when NIX_SSL_CERT_FILE
is set
This is a follow-up to a169553f7e
.
In most cases it should allow the TLS verification to be enabled.
It also makes the behavior of `fetchurl` more consistent with other fetchers
like `fetchgit`.
Ideally we would always fall back on `cacert`, but I am not sure how to build
`cacert` during bootstrap without making an unmaintainable mess.
This commit is contained in:
parent
96fd503b3a
commit
f829274128
@ -19,7 +19,8 @@ curl=(
|
|||||||
--user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
|
--user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
|
||||||
)
|
)
|
||||||
|
|
||||||
if ! [ -f "$SSL_CERT_FILE" ]; then
|
# Default fallback value defined in pkgs/build-support/fetchurl/default.nix
|
||||||
|
if [ "$SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
|
||||||
curl+=(--insecure)
|
curl+=(--insecure)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
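Review bot: The non-sentinel branch relies on curl's TLS backend picking up `SSL_CERT_FILE` from the environment on its own; with an OpenSSL-based curl that works, but it is implicit and not every backend honors that variable, so a CA file that Nix did not install system-wide may be silently ignored and verification would then fail with an opaque curl error. Passing the file explicitly makes the intent and the failure mode clear: `else` / `curl+=(--cacert "$SSL_CERT_FILE")` before the closing `fi`. The sentinel string `/no-cert-file.crt` is now compared literally in two files, so the comment should say what it means rather than only where it is defined, e.g. `# "/no-cert-file.crt" is the sentinel default.nix sets when no CA bundle is available; only then do we disable verification`. Note that `[ ... == ... ]` is a bashism; `=` is the portable spelling if this builder is ever run under a POSIX sh. The `curl=(` array this hunk appends to starts before the hunk.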
@ -220,20 +220,26 @@ stdenvNoCC.mkDerivation (
|
|||||||
# New-style output content requirements.
|
# New-style output content requirements.
|
||||||
inherit (hash_) outputHashAlgo outputHash;
|
inherit (hash_) outputHashAlgo outputHash;
|
||||||
|
|
||||||
# Disable TLS verification only when we know the hash and no credentials are
|
|
||||||
# needed to access the resource
|
|
||||||
SSL_CERT_FILE =
|
SSL_CERT_FILE =
|
||||||
if
|
let
|
||||||
|
nixSSLCertFile = builtins.getEnv "NIX_SSL_CERT_FILE";
|
||||||
|
in
|
||||||
|
if nixSSLCertFile != "" then
|
||||||
|
nixSSLCertFile
|
||||||
|
else if
|
||||||
(
|
(
|
||||||
hash_.outputHash == ""
|
hash_.outputHash == ""
|
||||||
|| hash_.outputHash == lib.fakeSha256
|
|| hash_.outputHash == lib.fakeSha256
|
||||||
|| hash_.outputHash == lib.fakeSha512
|
|| hash_.outputHash == lib.fakeSha512
|
||||||
|| hash_.outputHash == lib.fakeHash
|
|| hash_.outputHash == lib.fakeHash
|
||||||
|
# Make sure we always enforce TLS verification when credentials
|
||||||
|
# are needed to access the resource
|
||||||
|| netrcPhase != null
|
|| netrcPhase != null
|
||||||
)
|
)
|
||||||
then
|
then
|
||||||
"${cacert}/etc/ssl/certs/ca-bundle.crt"
|
"${cacert}/etc/ssl/certs/ca-bundle.crt"
|
||||||
else
|
else
|
||||||
|
# Fallback to stdenv default, see pkgs/stdenv/generic/setup.sh
|
||||||
"/no-cert-file.crt";
|
"/no-cert-file.crt";
|
||||||
|
|
||||||
outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
|
outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
|
||||||
|
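Review bot: Under pure evaluation (flakes, `--pure-eval`) `builtins.getEnv` returns the empty string, so the new `NIX_SSL_CERT_FILE` branch is silently skipped and a fixed-output fetch still falls through to the `"/no-cert-file.crt"` sentinel, which the builder turns into `--insecure`; the commit message's "in most cases" claim should be qualified accordingly in the code. The path is also read from the evaluator's environment, and it is not obvious from this hunk that the same file is reachable in the build sandbox or on a remote builder — I would hedge that in a comment rather than assume it: `# Read at eval time: empty under pure evaluation (branch then skipped), and the path is the evaluator's, which may not exist where the build runs.` The `stdenvNoCC.mkDerivation (` call begins before the hunk and its attribute set continues after it.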