author | hacker1024 <hacker1024@users.sourceforge.net> | 2023-08-27 23:11:24 +1000 |
---|---|---|
committer | hacker1024 <hacker1024@users.sourceforge.net> | 2023-08-29 13:12:01 +0200 |
commit | 41bbc2c311f10086fcb9f149d06eb300ab7e2a7d (patch) | |
tree | 2e5abf07b5aa003ab97cd22d4f1aaf76c8314e78 /pkgs/build-support | |
parent | 40e82051b94f52a60473e2d0fef010bd1f402184 (diff) |
flutter: Supply CA bundle in sandbox
Diffstat (limited to 'pkgs/build-support')
-rw-r--r-- | pkgs/build-support/dart/fetch-dart-deps/default.nix | 8 | ||||
-rw-r--r-- | pkgs/build-support/flutter/default.nix | 21 |
2 files changed, 28 insertions, 1 deletions
diff --git a/pkgs/build-support/dart/fetch-dart-deps/default.nix b/pkgs/build-support/dart/fetch-dart-deps/default.nix index e523b60797eb1..d6920a35e2046 100644 --- a/pkgs/build-support/dart/fetch-dart-deps/default.nix +++ b/pkgs/build-support/dart/fetch-dart-deps/default.nix @@ -79,7 +79,13 @@ let installPhase = '' _pub_get() { - ${pubGetScript} + ( + # Dart does not respect SSL_CERT_FILE. + # https://github.com/dart-lang/sdk/issues/48506 + export DART_VM_OPTIONS="--root-certs-file=$SSL_CERT_FILE" + + ${pubGetScript} + ) } # so we can use lock, diff yaml diff --git a/pkgs/build-support/flutter/default.nix b/pkgs/build-support/flutter/default.nix index 8d31482900a87..06f6e2770be9f 100644 --- a/pkgs/build-support/flutter/default.nix +++ b/pkgs/build-support/flutter/default.nix @@ -1,6 +1,7 @@ { lib , callPackage , stdenvNoCC +, runCommand , makeWrapper , llvmPackages_13 , cacert 
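Review bot: The added `export DART_VM_OPTIONS=...` line in `_pub_get` expands `$SSL_CERT_FILE` without checking that it is set, so an unset or empty variable produces `--root-certs-file=` with no path. The trust store used while fetching dependencies then depends on how Dart treats an empty value. Where SSL_CERT_FILE is set is not visible in this hunk (the installPhase string starts and ends outside it), so failing early would make the requirement explicit: `export DART_VM_OPTIONS="--root-certs-file=''${SSL_CERT_FILE:?SSL_CERT_FILE must point to a CA bundle}"`, where the `''$` escape keeps Nix from interpolating the shell expansion. The assignment also replaces any DART_VM_OPTIONS already present; the subshell confines that to pubGetScript, which deserves a comment such as `# subshell: keep DART_VM_OPTIONS from leaking into later phases`.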
@@ -26,6 +27,26 @@ }@args: let flutterSetupScript = '' + # Pub needs SSL certificates. Dart normally looks in a hardcoded path. + # https://github.com/dart-lang/sdk/blob/3.1.0/runtime/bin/security_context_linux.cc#L48 + # + # Dart does not respect SSL_CERT_FILE... + # https://github.com/dart-lang/sdk/issues/48506 + # ...and Flutter does not support --root-certs-file, so the path cannot be manually set. + # https://github.com/flutter/flutter/issues/56607 + # https://github.com/flutter/flutter/issues/113594 + # + # libredirect is of no use either, as Flutter does not pass any + # environment variables (including LD_PRELOAD) to the Pub process. + # + # Instead, Flutter is patched to allow the path to the Dart binary used for + # Pub commands to be overriden. + export NIX_FLUTTER_PUB_DART="${runCommand "dart-with-certs" { nativeBuildInputs = [ makeWrapper ]; } '' + mkdir -p "$out/bin" + makeWrapper ${flutter.dart}/bin/dart "$out/bin/dart" \ + --add-flags "--root-certs-file=${cacert}/etc/ssl/certs/ca-bundle.crt" + ''}/bin/dart" + export HOME="$NIX_BUILD_TOP" flutter config --no-analytics &>/dev/null # mute first-run flutter config --enable-linux-desktop >/dev/null |
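Review bot: The wrapper built for `NIX_FLUTTER_PUB_DART` pins the trust store to `${cacert}/etc/ssl/certs/ca-bundle.crt`, while the fetch-dart-deps hunk in the same commit takes it from `$SSL_CERT_FILE`. The two Pub code paths can therefore validate TLS against different bundles, and a build that supplies its own CA file is honoured in one place and silently ignored in the other. If pinning is intended here, say so in the comment block, for example `# The CA bundle is pinned to the cacert package; SSL_CERT_FILE is not consulted here.` The Flutter patch that reads NIX_FLUTTER_PUB_DART is outside this diff (the diffstat is limited to pkgs/build-support), so it is worth confirming there that the override is only honoured where this setup script runs. The flutterSetupScript string continues past the end of the hunk.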