fetchurl: enable TLS verification when NIX_SSL_CERT_FILE is set

This is a follow-up to a169553f7e.
In most cases it should allow the TLS verification to be enabled.
It also makes the behavior of `fetchurl` more consistent with other fetchers
like `fetchgit`.

Ideally we would always fallback on `cacert` but I am not sure how to build
`cacert` during bootstrap without making an unmaintainable mess.
This commit is contained in:
Thomas Gerbet 2024-10-21 13:33:27 +02:00
parent 96fd503b3a
commit f829274128
2 changed files with 11 additions and 4 deletions

View File

@ -19,7 +19,8 @@ curl=(
--user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion" --user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
) )
if ! [ -f "$SSL_CERT_FILE" ]; then # Default fallback value defined in pkgs/build-support/fetchurl/default.nix
if [ "$SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
curl+=(--insecure) curl+=(--insecure)
fi fi

View File

@ -220,20 +220,26 @@ stdenvNoCC.mkDerivation (
# New-style output content requirements. # New-style output content requirements.
inherit (hash_) outputHashAlgo outputHash; inherit (hash_) outputHashAlgo outputHash;
# Disable TLS verification only when we know the hash and no credentials are
# needed to access the resource
SSL_CERT_FILE = SSL_CERT_FILE =
if let
nixSSLCertFile = builtins.getEnv "NIX_SSL_CERT_FILE";
in
if nixSSLCertFile != "" then
nixSSLCertFile
else if
( (
hash_.outputHash == "" hash_.outputHash == ""
|| hash_.outputHash == lib.fakeSha256 || hash_.outputHash == lib.fakeSha256
|| hash_.outputHash == lib.fakeSha512 || hash_.outputHash == lib.fakeSha512
|| hash_.outputHash == lib.fakeHash || hash_.outputHash == lib.fakeHash
# Make sure we always enforce TLS verification when credentials
# are needed to access the resource
|| netrcPhase != null || netrcPhase != null
) )
then then
"${cacert}/etc/ssl/certs/ca-bundle.crt" "${cacert}/etc/ssl/certs/ca-bundle.crt"
else else
# Fallback to stdenv default, see pkgs/stdenv/generic/setup.sh
"/no-cert-file.crt"; "/no-cert-file.crt";
outputHashMode = if (recursiveHash || executable) then "recursive" else "flat"; outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";