cacert: extract certdata.txt from main package
This allows users to specify custom CAs without needing to download the entirety of the NSS source code - just certdata.txt, which should end up in cache.nixos.org.
This commit is contained in:
parent
906f44cef3
commit
91e4957081
2 changed files with 40 additions and 19 deletions
|
@ -2,12 +2,14 @@
|
|||
, stdenv
|
||||
, writeText
|
||||
, fetchurl
|
||||
, nss
|
||||
, buildcatrust
|
||||
, blacklist ? []
|
||||
, extraCertificateFiles ? []
|
||||
, extraCertificateStrings ? []
|
||||
|
||||
# Used by update.sh
|
||||
, nssOverride ? null
|
||||
|
||||
# Used for tests only
|
||||
, runCommand
|
||||
, cacert
|
||||
|
@ -17,24 +19,49 @@
|
|||
let
|
||||
blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);
|
||||
extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);
|
||||
|
||||
srcVersion = "3.71";
|
||||
version = if nssOverride != null then nssOverride.version else srcVersion;
|
||||
meta = with lib; {
|
||||
homepage = "https://curl.haxx.se/docs/caextract.html";
|
||||
description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
|
||||
platforms = platforms.all;
|
||||
maintainers = with maintainers; [ andir fpletz lukegb ];
|
||||
license = licenses.mpl20;
|
||||
};
|
||||
certdata = stdenv.mkDerivation {
|
||||
pname = "nss-cacert-certdata";
|
||||
inherit version;
|
||||
|
||||
src = if nssOverride != null then nssOverride.src else fetchurl {
|
||||
url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
|
||||
sha256 = "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r";
|
||||
};
|
||||
|
||||
dontBuild = true;
|
||||
|
||||
installPhase = ''
|
||||
runHook preInstall
|
||||
|
||||
mkdir $out
|
||||
cp nss/lib/ckfw/builtins/certdata.txt $out
|
||||
|
||||
runHook postInstall
|
||||
'';
|
||||
|
||||
inherit meta;
|
||||
};
|
||||
in
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "nss-cacert";
|
||||
version = "3.71";
|
||||
inherit version;
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
|
||||
sha256 = "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r";
|
||||
};
|
||||
src = certdata;
|
||||
|
||||
outputs = [ "out" "unbundled" "p11kit" ];
|
||||
|
||||
nativeBuildInputs = [ buildcatrust ];
|
||||
|
||||
configurePhase = ''
|
||||
ln -s nss/lib/ckfw/builtins/certdata.txt
|
||||
'';
|
||||
|
||||
buildPhase = ''
|
||||
mkdir unbundled
|
||||
buildcatrust \
|
||||
|
@ -176,11 +203,5 @@ stdenv.mkDerivation rec {
|
|||
};
|
||||
};
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "https://curl.haxx.se/docs/caextract.html";
|
||||
description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
|
||||
platforms = platforms.all;
|
||||
maintainers = with maintainers; [ andir fpletz lukegb ];
|
||||
license = licenses.mpl20;
|
||||
};
|
||||
inherit meta;
|
||||
}
|
||||
|
|
|
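Review bot: The new inner `certdata` derivation installs only `certdata.txt` yet reuses the outer package's `meta` via `inherit meta;`, so its description still reads "A bundle of X.509 certificates of public Certificate Authorities (CA)" and its homepage points at the curl extract page, neither of which describes that store path. Suggest `meta = meta // { description = "Mozilla NSS certdata.txt, the source of the CA bundle"; };` on the inner derivation, plus a one-line comment above `certdata = stdenv.mkDerivation {` explaining the split, e.g. `# Only certdata.txt is extracted here so that overrides (blacklist, extraCertificate*) need not rebuild against the full NSS tarball.` Since the rendered page carries no change markers, I cannot tell whether the `configurePhase` with `ln -s nss/lib/ckfw/builtins/certdata.txt` survives on the new side; if it does, it presumably leaves a dangling symlink now that `src = certdata` unpacks with `certdata.txt` at the source root, and should go together with the old `src = fetchurl { ... }` block.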
@ -28,7 +28,7 @@ BASEDIR="$(dirname "$0")/../../../.."
|
|||
|
||||
|
||||
CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
|
||||
PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.overrideAttrs (_: { inherit (nss_pkg) src version; })).out")
|
||||
PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.override { nssOverride = nss_pkg; }).out")
|
||||
|
||||
# Check the hash of the etc subfolder
|
||||
# We can't check the entire output as that contains the nix-support folder
|
||||
|
@ -38,5 +38,5 @@ PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")
|
|||
|
||||
if [[ "$CURRENT_HASH" != "$PATCHED_HASH" ]]; then
|
||||
NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss.version" | jq -r .)
|
||||
update-source-version cacert "$NSS_VERSION"
|
||||
update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"
|
||||
fi
|
||||
|
|
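Review bot: The version written by the new `update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"` line comes from `nss.version`, while the hash comparison that triggers it (the new `PATCHED_PATH` line, `nssOverride = nss_pkg`) is built against `pkgs.nss_latest or pkgs.nss`. If `nss_latest` exists and is newer than `nss`, the script detects a drift against `nss_latest` but then pins `srcVersion` (and its sha256) to the older `nss` version, so the check and the update would disagree. Suggest deriving both from the same attribute, e.g. `NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; (pkgs.nss_latest or pkgs.nss).version" | jq -r .)`. The `NSS_VERSION` assignment is a context line here, so this may be pre-existing, but the new `--version-key=srcVersion` call now depends on it directly.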