
fetchurl: enable TLS verification when `NIX_SSL_CERT_FILE` is set (#350222)

authored by philiptaron.tngl.sh and committed by

GitHub db44da13 30ad4bb0

+11 -4
+2 -1
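--- a/pkgs/build-support/fetchurl/builder.sh
+++ b/pkgs/build-support/fetchurl/builder.sh
@@ -19,7 +19,8 @@
     --user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
 )
 
-if ! [ -f "$SSL_CERT_FILE" ]; then
+# Default fallback value defined in pkgs/build-support/fetchurl/default.nix
+if [ "$SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
     curl+=(--insecure)
 fi
 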
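Review bot: The `--insecure` branch now depends on a string match against a sentinel path owned by another file, and the added comment names where that value comes from but not why skipping verification is acceptable when it matches. Consider replacing the comment with `# "/no-cert-file.crt" is only selected by default.nix when the output hash is known in advance (Nix checks the result against outputHash) and no netrc credentials are involved, so skipping TLS verification cannot yield undetected tampering; any other value, including a NIX_SSL_CERT_FILE path that does not exist, makes curl fail closed.` Separately, `==` inside single brackets is a bash extension rather than POSIX `test`; `[ "$SSL_CERT_FILE" = "/no-cert-file.crt" ]` is the portable spelling and, presumably, what the rest of the script's `[ … ]` tests use.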
+9 -3
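--- a/pkgs/build-support/fetchurl/default.nix
+++ b/pkgs/build-support/fetchurl/default.nix
@@ -220,20 +220,26 @@
   # New-style output content requirements.
   inherit (hash_) outputHashAlgo outputHash;
 
-  # Disable TLS verification only when we know the hash and no credentials are
-  # needed to access the resource
   SSL_CERT_FILE =
-    if
+    let
+      nixSSLCertFile = builtins.getEnv "NIX_SSL_CERT_FILE";
+    in
+    if nixSSLCertFile != "" then
+      nixSSLCertFile
+    else if
       (
         hash_.outputHash == ""
         || hash_.outputHash == lib.fakeSha256
         || hash_.outputHash == lib.fakeSha512
         || hash_.outputHash == lib.fakeHash
+        # Make sure we always enforce TLS verification when credentials
+        # are needed to access the resource
         || netrcPhase != null
       )
     then
       "${cacert}/etc/ssl/certs/ca-bundle.crt"
     else
+      # Fallback to stdenv default, see pkgs/stdenv/generic/setup.sh
       "/no-cert-file.crt";
 
   outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";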
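Review bot: `builtins.getEnv "NIX_SSL_CERT_FILE"` reads the evaluator's environment, not the builder's, and bakes that host path into the derivation as a plain string; nothing in the hunk ensures the path is reachable inside the build sandbox, and under pure evaluation (flakes, `--pure-eval`) `getEnv` yields `""`, so the new branch is silently inert there. The result is fail-closed in both cases, since curl errors on a missing CA file rather than running with `--insecure`, but that should be stated at the `let`, e.g. `# Impure: read at evaluation time from the evaluator's environment (empty under pure eval); the path is passed through verbatim, so it must also be visible to the builder.` The deleted comment was the only place that said why `/no-cert-file.crt` is safe to select, and the new comment near `netrcPhase` keeps only the credentials half; the hash half belongs on the `else` branch, e.g. `# Verification may be skipped only because the output is pinned by a known hash above`.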