cacert: extract certdata.txt from main package

This allows users to specify custom CAs without needing to download the
entire NSS source code — just certdata.txt, which should end up in
cache.nixos.org.
Luke Granger-Brown 2021-10-08 01:20:51 +00:00
parent 906f44cef3
commit 91e4957081
2 changed files with 40 additions and 19 deletions


@ -2,12 +2,14 @@
, stdenv
, writeText
, fetchurl
, nss
, buildcatrust
, blacklist ? []
, extraCertificateFiles ? []
, extraCertificateStrings ? []
# Used by update.sh
, nssOverride ? null
# Used for tests only
, runCommand
, cacert
@ -17,24 +19,49 @@
let
blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);
extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);
srcVersion = "3.71";
version = if nssOverride != null then nssOverride.version else srcVersion;
meta = with lib; {
homepage = "https://curl.haxx.se/docs/caextract.html";
description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
platforms = platforms.all;
maintainers = with maintainers; [ andir fpletz lukegb ];
license = licenses.mpl20;
};
certdata = stdenv.mkDerivation {
pname = "nss-cacert-certdata";
inherit version;
src = if nssOverride != null then nssOverride.src else fetchurl {
url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
sha256 = "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r";
};
dontBuild = true;
installPhase = ''
runHook preInstall
mkdir $out
cp nss/lib/ckfw/builtins/certdata.txt $out
runHook postInstall
'';
inherit meta;
};
in
stdenv.mkDerivation rec {
pname = "nss-cacert";
version = "3.71";
inherit version;
src = fetchurl {
url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
sha256 = "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r";
};
src = certdata;
outputs = [ "out" "unbundled" "p11kit" ];
nativeBuildInputs = [ buildcatrust ];
configurePhase = ''
ln -s nss/lib/ckfw/builtins/certdata.txt
'';
buildPhase = ''
mkdir unbundled
buildcatrust \
@ -176,11 +203,5 @@ stdenv.mkDerivation rec {
};
};
meta = with lib; {
homepage = "https://curl.haxx.se/docs/caextract.html";
description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
platforms = platforms.all;
maintainers = with maintainers; [ andir fpletz lukegb ];
license = licenses.mpl20;
};
inherit meta;
}
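Review bot: The new `certdata` derivation does `inherit meta;`, so `cacert.src` advertises itself with the bundle's description ("A bundle of X.509 certificates of public Certificate Authorities (CA)") although it only contains the raw NSS certdata.txt that the bundle is built from; give it its own text, e.g. `meta = meta // { description = "Mozilla NSS certdata.txt, the CA list the cacert bundle is built from"; };`. Provenance of the trust store is unchanged: with `nssOverride` null the tarball stays pinned by the sha256 above, and with an override it rests on that package's own pinned `src`, which is worth stating in the comment on `nssOverride` (`# Used by update.sh; when set, certdata.txt is taken from this nss package's src`). `dontBuild = true` still lets the default configurePhase run inside the certdata build; `dontConfigure = true;` next to it makes the intent explicit. The old `configurePhase` with `ln -s nss/lib/ckfw/builtins/certdata.txt` is shown without a side marker; if it survives on the new side it would fail with "File exists" (or dangle) now that the unpacked `src` directory already holds certdata.txt, so confirm it is dropped. The `mkDerivation rec` body continues outside the visible hunks.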


@ -28,7 +28,7 @@ BASEDIR="$(dirname "$0")/../../../.."
CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.overrideAttrs (_: { inherit (nss_pkg) src version; })).out")
PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.override { nssOverride = nss_pkg; }).out")
# Check the hash of the etc subfolder
# We can't check the entire output as that contains the nix-support folder
@ -38,5 +38,5 @@ PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")
if [[ "$CURRENT_HASH" != "$PATCHED_HASH" ]]; then
NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss.version" | jq -r .)
update-source-version cacert "$NSS_VERSION"
update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"
fi