From ffd0539eba473348f752fa8ab1f1f55388634f8f Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Fri, 5 Jun 2015 13:00:52 -0700
Subject: [PATCH] cacert: store ca-bundle.crt in $out/etc/ssl/certs instead of $out
---
 nixos/modules/security/ca.nix | 4 ++--
 pkgs/applications/graphics/shotwell/default.nix | 2 +-
 pkgs/applications/networking/browsers/vimb/default.nix | 2 +-
 .../applications/networking/browsers/vimprobable2/default.nix | 2 +-
 pkgs/applications/networking/cluster/panamax/api/default.nix | 4 ++--
 .../networking/instant-messengers/fuze/default.nix | 2 +-
 .../instant-messengers/telepathy/gabble/default.nix | 2 +-
 pkgs/applications/networking/irc/weechat/default.nix | 2 +-
 pkgs/applications/version-management/bazaar/default.nix | 2 +-
 pkgs/applications/version-management/mercurial/default.nix | 2 +-
 pkgs/build-support/fetchgit/default.nix | 2 +-
 pkgs/build-support/rust/fetchcargo.nix | 2 +-
 pkgs/data/misc/cacert/default.nix | 4 ++--
 pkgs/desktops/gnome-3/3.16/core/gnome-keyring/default.nix | 2 +-
 pkgs/desktops/gnome-3/3.16/core/rest/default.nix | 2 +-
 pkgs/development/compilers/icedtea/default.nix | 2 +-
 pkgs/development/compilers/openjdk/default.nix | 2 +-
 pkgs/development/compilers/openjdk/openjdk8.nix | 2 +-
 pkgs/development/interpreters/elixir/default.nix | 2 +-
 pkgs/development/libraries/glib-networking/default.nix | 2 +-
 pkgs/development/lisp-modules/lisp-packages.nix | 4 ++--
 pkgs/servers/mail/opensmtpd/default.nix | 2 +-
 pkgs/tools/networking/aria2/default.nix | 2 +-
 pkgs/tools/security/prey/default.nix | 2 +-
 24 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index 595b9476fa5f..31caab97a65f 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -22,7 +22,7 @@ in security.pki.certificateFiles = mkOption { type = types.listOf types.path; default = []; - example = literalExample "[ \"\${pkgs.cacert}/ca-bundle.crt\" ]"; + example = literalExample "[ \"\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt\" ]"; description = '' A list of files containing trusted root certificates in PEM format. These are concatenated to form @@ -53,7 +53,7 @@ in config = { - security.pki.certificateFiles = [ "${pkgs.cacert}/ca-bundle.crt" ]; + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. environment.etc."ssl/certs/ca-certificates.crt".source = caBundle; diff --git a/pkgs/applications/graphics/shotwell/default.nix b/pkgs/applications/graphics/shotwell/default.nix index 27dde61a08c2..94131cbf4ff7 100644 --- a/pkgs/applications/graphics/shotwell/default.nix +++ b/pkgs/applications/graphics/shotwell/default.nix @@ -13,7 +13,7 @@ let sha256 = "0fmg7fq5fx0jg3ryk71kwdkspsvj42acxy9imk7vznkqj29a9zqn"; }; - configureFlags = "--with-ca-certificates=${cacert}/ca-bundle.crt"; + configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt"; buildInputs = [ pkgconfig glib libsoup ]; }; diff --git a/pkgs/applications/networking/browsers/vimb/default.nix b/pkgs/applications/networking/browsers/vimb/default.nix index 24a43d95ca9b..3222e87ac650 100644 --- a/pkgs/applications/networking/browsers/vimb/default.nix +++ b/pkgs/applications/networking/browsers/vimb/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { # Nixos default ca bundle patchPhase = '' - sed -i s,/etc/ssl/certs/ca-certificates.crt,${cacert}/ca-bundle.crt, src/config.def.h + sed -i s,/etc/ssl/certs/ca-certificates.crt,${cacert}/etc/ssl/certs/ca-bundle.crt, src/config.def.h ''; buildInputs = [ makeWrapper gtk libsoup pkgconfig webkit gsettings_desktop_schemas ]; 
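Review bot: The vimb `patchPhase` substitution replaces `/etc/ssl/certs/ca-certificates.crt` with a fixed store path, and that is the very location the `ca.nix` hunk above fills from `security.pki.certificateFiles`, so on NixOS the browser will presumably not see root certificates an administrator adds to the system bundle. If the store path is meant as a fallback for non-NixOS installs, the existing comment should say so, for example `# Hard-coded store bundle: does not follow security.pki.certificateFiles`. The vimprobable2 hunk carries the same substitution. Both `patchPhase` bodies are only partly visible in the hunks.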
diff --git a/pkgs/applications/networking/browsers/vimprobable2/default.nix b/pkgs/applications/networking/browsers/vimprobable2/default.nix
index 7ab5c397abe5..ad5f8aa46912 100644
--- a/pkgs/applications/networking/browsers/vimprobable2/default.nix
+++ b/pkgs/applications/networking/browsers/vimprobable2/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 # Nixos default ca bundle
 patchPhase = ''
- sed -i s,/etc/ssl/certs/ca-certificates.crt,${cacert}/ca-bundle.crt, config.h
+ sed -i s,/etc/ssl/certs/ca-certificates.crt,${cacert}/etc/ssl/certs/ca-bundle.crt, config.h
 '';
 buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ];
diff --git a/pkgs/applications/networking/cluster/panamax/api/default.nix b/pkgs/applications/networking/cluster/panamax/api/default.nix
index dae0315a31b2..a212ab5347c5 100644
--- a/pkgs/applications/networking/cluster/panamax/api/default.nix
+++ b/pkgs/applications/networking/cluster/panamax/api/default.nix
@@ -62,8 +62,8 @@ stdenv.mkDerivation rec {
 --prefix "PATH" : "$out/share/panamax-api/bin:${env.ruby}/bin:$PATH" \
 --prefix "HOME" : "$out/share/panamax-api" \
 --prefix "GEM_HOME" : "${env}/${env.ruby.gemPath}" \
- --prefix "OPENSSL_X509_CERT_FILE" : "${cacert}/ca-bundle.crt" \
- --prefix "SSL_CERT_FILE" : "${cacert}/ca-bundle.crt" \
+ --prefix "OPENSSL_X509_CERT_FILE" : "${cacert}/etc/ssl/certs/ca-bundle.crt" \
+ --prefix "SSL_CERT_FILE" : "${cacert}/etc/ssl/certs/ca-bundle.crt" \
 --prefix "GEM_PATH" : "$out/share/panamax-api:${bundler}/${env.ruby.gemPath}"
 '';
diff --git a/pkgs/applications/networking/instant-messengers/fuze/default.nix b/pkgs/applications/networking/instant-messengers/fuze/default.nix
index 77fe37481d87..6b85e107d06c 100644
--- a/pkgs/applications/networking/instant-messengers/fuze/default.nix
+++ b/pkgs/applications/networking/instant-messengers/fuze/default.nix
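Review bot: In the panamax hunk, `--prefix "SSL_CERT_FILE" : …` and `--prefix "OPENSSL_X509_CERT_FILE" : …` treat single-file variables as colon-separated lists. When either variable is already set in the calling environment the wrapper yields `<store path>:<old value>`, which is not a file name, and certificate loading will presumably fail. The elixir and prey hunks in this patch use `--set` for `CURL_CA_BUNDLE`, and the same form fits here, e.g. `--set "SSL_CERT_FILE" "${cacert}/etc/ssl/certs/ca-bundle.crt" \`. The wrapper call starts above the hunk, so its exact form is inferred from the visible flags.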
@@ -6,7 +6,7 @@ assert stdenv.system == "x86_64-linux"; let curl_custom = stdenv.lib.overrideDerivation curl (args: { - configureFlags = args.configureFlags ++ ["--with-ca-bundle=${cacert}/ca-bundle.crt"] ; + configureFlags = args.configureFlags ++ ["--with-ca-bundle=${cacert}/etc/ssl/certs/ca-bundle.crt"] ; } ); in stdenv.mkDerivation { diff --git a/pkgs/applications/networking/instant-messengers/telepathy/gabble/default.nix b/pkgs/applications/networking/instant-messengers/telepathy/gabble/default.nix index b7cebd47cd71..a74885b2ce30 100644 --- a/pkgs/applications/networking/instant-messengers/telepathy/gabble/default.nix +++ b/pkgs/applications/networking/instant-messengers/telepathy/gabble/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { buildInputs = [ libxml2 dbus_glib sqlite libsoup libnice telepathy_glib gnutls ] ++ stdenv.lib.optional doCheck dbus_daemon; - configureFlags = "--with-ca-certificates=${cacert}/ca-bundle.crt"; + configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt"; enableParallelBuilding = true; doCheck = true; diff --git a/pkgs/applications/networking/irc/weechat/default.nix b/pkgs/applications/networking/irc/weechat/default.nix index bbad15879820..fd200af0a42e 100644 --- a/pkgs/applications/networking/irc/weechat/default.nix +++ b/pkgs/applications/networking/irc/weechat/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { cacert cmake ] ++ extraBuildInputs; - NIX_CFLAGS_COMPILE = "-I${python}/include/${python.libPrefix} -DCA_FILE=${cacert}/ca-bundle.crt"; + NIX_CFLAGS_COMPILE = "-I${python}/include/${python.libPrefix} -DCA_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"; postInstall = '' NIX_PYTHONPATH="$out/lib/${python.libPrefix}/site-packages" diff --git a/pkgs/applications/version-management/bazaar/default.nix b/pkgs/applications/version-management/bazaar/default.nix index ad6f0c50a379..c3b238eeb0aa 100644 --- a/pkgs/applications/version-management/bazaar/default.nix 
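Review bot: In the weechat hunk `-DCA_FILE=…` reaches the compiler through `NIX_CFLAGS_COMPILE` without quotes, so the macro expands to a bare path rather than a string literal; unless the build system adds its own quoted definition, code that reads `CA_FILE` as a string would not get this value. Since `cmake` is among the build inputs, passing the path as a build option looks more reliable, e.g. `cmakeFlags = [ "-DCA_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt" ];` merged into any existing `cmakeFlags`. It is worth confirming which bundle path the built binary ends up with. How upstream consumes `CA_FILE` is not visible in this hunk.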
+++ b/pkgs/applications/version-management/bazaar/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
 patches = [ ./add_certificates.patch ];
 postPatch = ''
 substituteInPlace bzrlib/transport/http/_urllib2_wrappers.py \
- --subst-var-by "certPath" "${cacert}/ca-bundle.crt"
+ --subst-var-by "certPath" "${cacert}/etc/ssl/certs/ca-bundle.crt"
 '';
diff --git a/pkgs/applications/version-management/mercurial/default.nix b/pkgs/applications/version-management/mercurial/default.nix
index dee2abd2b1f3..2409e8e2240a 100644
--- a/pkgs/applications/version-management/mercurial/default.nix
+++ b/pkgs/applications/version-management/mercurial/default.nix
@@ -44,7 +44,7 @@ stdenv.mkDerivation {
 mkdir -p $out/etc/mercurial
 cat >> $out/etc/mercurial/hgrc << EOF
 [web]
- cacerts = ${cacert}/ca-bundle.crt
+ cacerts = ${cacert}/etc/ssl/certs/ca-bundle.crt
 EOF
 # copy hgweb.cgi to allow use in apache
diff --git a/pkgs/build-support/fetchgit/default.nix b/pkgs/build-support/fetchgit/default.nix
index 7259fa8ff4c5..8ddb6a85d0c2 100644
--- a/pkgs/build-support/fetchgit/default.nix
+++ b/pkgs/build-support/fetchgit/default.nix
@@ -54,7 +54,7 @@ stdenv.mkDerivation {
 inherit url rev leaveDotGit fetchSubmodules deepClone branchName;
- GIT_SSL_CAINFO = "${cacert}/ca-bundle.crt";
+ GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";
 impureEnvVars = [
 # We borrow these environment variables from the caller to allow
diff --git a/pkgs/build-support/rust/fetchcargo.nix b/pkgs/build-support/rust/fetchcargo.nix
index 1f5166d5c434..5dd80bd4aa57 100644
--- a/pkgs/build-support/rust/fetchcargo.nix
+++ b/pkgs/build-support/rust/fetchcargo.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation {
 outputHashMode = "recursive";
 outputHash = sha256;
- SSL_CERT_FILE = "${cacert}/ca-bundle.crt";
+ SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
 impureEnvVars = [ "http_proxy" "https_proxy" "ftp_proxy" "all_proxy" "no_proxy" ];
 preferLocalBuild = true;
diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index d743fc47b946..7bcb499aab4b 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -16,8 +16,8 @@ stdenv.mkDerivation rec {
 '';
 installPhase = ''
- mkdir -pv $out
- cp -v ca-bundle.crt $out
+ mkdir -pv $out/etc/ssl/certs
+ cp -v ca-bundle.crt $out/etc/ssl/certs
 '';
 meta = with stdenv.lib; {
diff --git a/pkgs/desktops/gnome-3/3.16/core/gnome-keyring/default.nix b/pkgs/desktops/gnome-3/3.16/core/gnome-keyring/default.nix
index 7afa2800105f..4ed0f6c521ba 100644
--- a/pkgs/desktops/gnome-3/3.16/core/gnome-keyring/default.nix
+++ b/pkgs/desktops/gnome-3/3.16/core/gnome-keyring/default.nix
@@ -22,7 +22,7 @@ in stdenv.mkDerivation rec {
 nativeBuildInputs = [ pkgconfig intltool docbook_xsl_ns docbook_xsl ];
 configureFlags = [
- "--with-ca-certificates=${cacert}/ca-bundle.crt" # NixOS hardcoded path
+ "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt" # NixOS hardcoded path
 "--with-pkcs11-config=$$out/etc/pkcs11/" # installation directories
 "--with-pkcs11-modules=$$out/lib/pkcs11/"
 ];
diff --git a/pkgs/desktops/gnome-3/3.16/core/rest/default.nix b/pkgs/desktops/gnome-3/3.16/core/rest/default.nix
index 9dbd46946c00..ee22cd97f6e0 100644
--- a/pkgs/desktops/gnome-3/3.16/core/rest/default.nix
+++ b/pkgs/desktops/gnome-3/3.16/core/rest/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
 buildInputs = [ pkgconfig glib libsoup gobjectIntrospection];
- configureFlags = "--with-ca-certificates=${cacert}/ca-bundle.crt";
+ configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt";
 meta = with stdenv.lib; {
 platforms = platforms.linux;
diff --git a/pkgs/development/compilers/icedtea/default.nix b/pkgs/development/compilers/icedtea/default.nix
index fe7ec5851557..8a96d1c380dd 100644
--- a/pkgs/development/compilers/icedtea/default.nix
+++ b/pkgs/development/compilers/icedtea/default.nix
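Review bot: The `installPhase` in `cacert/default.nix` stops installing `$out/ca-bundle.crt` and leaves no compatibility link, so any reference this patch does not touch (out-of-tree expressions, user configuration) will point at a file that no longer exists. References resolved at run time, such as the `cacerts =` line written to `hgrc` or the wrapper variables set elsewhere in this patch, only show the problem when a TLS connection is attempted, and how a client reacts to a missing CA file varies. A transitional link would make the move safer, e.g. `ln -s etc/ssl/certs/ca-bundle.crt $out/ca-bundle.crt`, with a comment saying when it can be removed.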
@@ -135,7 +135,7 @@ let
 # Generate certificates.
 pushd $jre/lib/icedtea/jre/lib/security
 rm cacerts
- perl ${./generate-cacerts.pl} $jre/lib/icedtea/jre/bin/keytool ${cacert}/ca-bundle.crt
+ perl ${./generate-cacerts.pl} $jre/lib/icedtea/jre/bin/keytool ${cacert}/etc/ssl/certs/ca-bundle.crt
 popd
 ln -s $out/lib/icedtea/bin $out/bin
diff --git a/pkgs/development/compilers/openjdk/default.nix b/pkgs/development/compilers/openjdk/default.nix
index d0ca85af0e0e..beab781c88da 100644
--- a/pkgs/development/compilers/openjdk/default.nix
+++ b/pkgs/development/compilers/openjdk/default.nix
@@ -142,7 +142,7 @@ let
 # Generate certificates.
 pushd $jre/lib/openjdk/jre/lib/security
 rm cacerts
- perl ${./generate-cacerts.pl} $jre/lib/openjdk/jre/bin/keytool ${cacert}/ca-bundle.crt
+ perl ${./generate-cacerts.pl} $jre/lib/openjdk/jre/bin/keytool ${cacert}/etc/ssl/certs/ca-bundle.crt
 popd
 ln -s $out/lib/openjdk/bin $out/bin
diff --git a/pkgs/development/compilers/openjdk/openjdk8.nix b/pkgs/development/compilers/openjdk/openjdk8.nix
index c27808661613..132f0f31b873 100644
--- a/pkgs/development/compilers/openjdk/openjdk8.nix
+++ b/pkgs/development/compilers/openjdk/openjdk8.nix
@@ -136,7 +136,7 @@ let
 # Generate certificates.
 pushd $jre/lib/openjdk/jre/lib/security
 rm cacerts
- perl ${./generate-cacerts.pl} $jre/lib/openjdk/jre/bin/keytool ${cacert}/ca-bundle.crt
+ perl ${./generate-cacerts.pl} $jre/lib/openjdk/jre/bin/keytool ${cacert}/etc/ssl/certs/ca-bundle.crt
 popd
 ln -s $out/lib/openjdk/bin $out/bin
diff --git a/pkgs/development/interpreters/elixir/default.nix b/pkgs/development/interpreters/elixir/default.nix
index 9d12d42cee88..6bb8c0565d54 100644
--- a/pkgs/development/interpreters/elixir/default.nix
+++ b/pkgs/development/interpreters/elixir/default.nix
@@ -33,7 +33,7 @@ stdenv.mkDerivation { if [ $b == "mix" ]; then continue; fi wrapProgram $f \ --prefix PATH ":" "${erlang}/bin:${coreutils}/bin:${curl}/bin:${bash}/bin" \ - --set CURL_CA_BUNDLE "${cacert}/ca-bundle.crt" + --set CURL_CA_BUNDLE "${cacert}/etc/ssl/certs/ca-bundle.crt" done ''; diff --git a/pkgs/development/libraries/glib-networking/default.nix b/pkgs/development/libraries/glib-networking/default.nix index 79c8ac031832..79b31b1365b7 100644 --- a/pkgs/development/libraries/glib-networking/default.nix +++ b/pkgs/development/libraries/glib-networking/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { sha256 = "8f8a340d3ba99bfdef38b653da929652ea6640e27969d29f7ac51fbbe11a4346"; }; - configureFlags = "--with-ca-certificates=${cacert}/ca-bundle.crt"; + configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt"; preBuild = '' sed -e "s@${glib}/lib/gio/modules@$out/lib/gio/modules@g" -i $(find . -name Makefile) diff --git a/pkgs/development/lisp-modules/lisp-packages.nix b/pkgs/development/lisp-modules/lisp-packages.nix index 32f5928cccd4..5e2bdd0cc549 100644 --- a/pkgs/development/lisp-modules/lisp-packages.nix +++ b/pkgs/development/lisp-modules/lisp-packages.nix @@ -40,7 +40,7 @@ let lispPackages = rec { url = "https://common-lisp.net/project/iterate/darcs/iterate"; sha256 = "0gm05s3laiivsqgqjfj1rkz83c2c0jyn4msfgbv6sz42znjpam25"; context = ./iterate.darcs-context; - }) (x: {SSL_CERT_FILE=pkgs.cacert + "/ca-bundle.crt";})); + }) (x: {SSL_CERT_FILE=pkgs.cacert + "/etc/ssl/certs/ca-bundle.crt";})); overrides = x: { configurePhase="buildPhase(){ true; }"; }; 
@@ -314,7 +314,7 @@ let lispPackages = rec {
 src = (pkgs.lib.overrideDerivation (pkgs.fetchdarcs {
 url = ''http://common-lisp.net/project/trivial-utf-8/darcs/trivial-utf-8/'';
 sha256 = "1jz27gz8gvqdmvp3k9bxschs6d5b3qgk94qp2bj6nv1d0jc3m1l1";
- }) (x: {SSL_CERT_FILE=pkgs.cacert + "/ca-bundle.crt";}));
+ }) (x: {SSL_CERT_FILE=pkgs.cacert + "/etc/ssl/certs/ca-bundle.crt";}));
 };
 cl-fuse-meta-fs = buildLispPackage rec {
diff --git a/pkgs/servers/mail/opensmtpd/default.nix b/pkgs/servers/mail/opensmtpd/default.nix
index ab8ec59ca8cb..810012fb60ad 100644
--- a/pkgs/servers/mail/opensmtpd/default.nix
+++ b/pkgs/servers/mail/opensmtpd/default.nix
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
 "--with-sock-dir=/run"
 "--with-privsep-user=smtpd"
 "--with-queue-user=smtpq"
- "--with-ca-file=${cacert}/ca-bundle.crt"
+ "--with-ca-file=${cacert}/etc/ssl/certs/ca-bundle.crt"
 ];
 installFlags = [
diff --git a/pkgs/tools/networking/aria2/default.nix b/pkgs/tools/networking/aria2/default.nix
index df972a4287bd..8d7f4541cade 100644
--- a/pkgs/tools/networking/aria2/default.nix
+++ b/pkgs/tools/networking/aria2/default.nix
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
 propagatedBuildInputs = [ cacert ];
- configureFlags = [ "--with-ca-bundle=${cacert}/ca-bundle.crt" ];
+ configureFlags = [ "--with-ca-bundle=${cacert}/etc/ssl/certs/ca-bundle.crt" ];
 meta = with stdenv.lib; {
 homepage = http://aria2.sourceforge.net/;
diff --git a/pkgs/tools/security/prey/default.nix b/pkgs/tools/security/prey/default.nix
index c0951760f4fd..d04f48c0f313 100644
--- a/pkgs/tools/security/prey/default.nix
+++ b/pkgs/tools/security/prey/default.nix
@@ -36,7 +36,7 @@ in stdenv.mkDerivation rec {
 cp -R ${modulesSrc}/* $out/modules/
 wrapProgram "$out/prey.sh" \
 --prefix PATH ":" "${xawtv}/bin:${imagemagick}/bin:${curl}/bin:${scrot}/bin:${inetutils}/bin:${coreutils}/bin" \
- --set CURL_CA_BUNDLE "${cacert}/ca-bundle.crt"
+ --set CURL_CA_BUNDLE "${cacert}/etc/ssl/certs/ca-bundle.crt"
 '';
 meta = with stdenv.lib; {
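Review bot: In the second `lisp-packages.nix` hunk the `fetchdarcs` URL is plain `http://`, so the `SSL_CERT_FILE` override updated here has no effect on that fetch and the download is protected by the `sha256` alone. The iterate fetch in the first hunk already uses `https://common-lisp.net/...`; if the host serves this repository over TLS as well, change the line to `url = ''https://common-lisp.net/project/trivial-utf-8/darcs/trivial-utf-8/'';`. Otherwise drop the override or add a comment saying why it is kept. The enclosing package definition starts above the hunk.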