author | Luke Granger-Brown <git@lukegb.com> | 2021-10-08 01:20:51 +0000 |
---|---|---|
committer | Luke Granger-Brown <git@lukegb.com> | 2021-10-08 01:21:57 +0000 |
commit | 91e495708137fd2b9e4f66d01285b53b1569a26a (patch) | |
tree | 3f50ab1ecfd74c84bb107445c98265acca36e50d /pkgs/data/misc | |
parent | 906f44cef305d59b743758bfb30678433130a5de (diff) |
cacert: extract certdata.txt from main package
This allows users to specify custom CAs without needing to download the entirety of the NSS source code - just certdata.txt, which should end up in cache.nixos.org.
Diffstat (limited to 'pkgs/data/misc')
-rw-r--r-- | pkgs/data/misc/cacert/default.nix | 55 | ||||
-rwxr-xr-x | pkgs/data/misc/cacert/update.sh | 4 |
2 files changed, 40 insertions, 19 deletions
diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index da781f310f4c1..49645ee800838 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -2,12 +2,14 @@
 , stdenv
 , writeText
 , fetchurl
-, nss
 , buildcatrust
 , blacklist ? []
 , extraCertificateFiles ? []
 , extraCertificateStrings ? []
+# Used by update.sh
+, nssOverride ? null
+
 # Used for tests only
 , runCommand
 , cacert
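Review bot: The comment on the new `nssOverride` argument says who uses it but not what passing it does, so a caller reaching for `cacert.override` elsewhere cannot tell from the signature that it replaces both the source and the version of the extracted certdata. Suggest `# nssOverride: an nss derivation whose src and version replace the pinned NSS tarball (the sha256 in the let block is then not consulted); used by update.sh`. The argument set continues outside the hunk.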
@@ -17,24 +19,49 @@ let
 blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);
 extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);
+
+ srcVersion = "3.71";
+ version = if nssOverride != null then nssOverride.version else srcVersion;
+ meta = with lib; {
+ homepage = "https://curl.haxx.se/docs/caextract.html";
+ description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
+ platforms = platforms.all;
+ maintainers = with maintainers; [ andir fpletz lukegb ];
+ license = licenses.mpl20;
+ };
+ certdata = stdenv.mkDerivation {
+ pname = "nss-cacert-certdata";
+ inherit version;
+
+ src = if nssOverride != null then nssOverride.src else fetchurl {
+ url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
+ sha256 = "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r";
+ };
+
+ dontBuild = true;
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir $out
+ cp nss/lib/ckfw/builtins/certdata.txt $out
+
+ runHook postInstall
+ '';
+
+ inherit meta;
+ };
 in
 stdenv.mkDerivation rec {
 pname = "nss-cacert";
- version = "3.71";
+ inherit version;
- src = fetchurl {
- url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
- sha256 = "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r";
- };
+ src = certdata;
 outputs = [ "out" "unbundled" "p11kit" ];
 nativeBuildInputs = [ buildcatrust ];
- configurePhase = ''
- ln -s nss/lib/ckfw/builtins/certdata.txt
- '';
-
 buildPhase = ''
 mkdir unbundled
 buildcatrust \
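Review bot: The new `certdata` derivation says nothing about where the integrity of the extracted file comes from: the only pin is the tarball `sha256` on the non-override branch of `src`, and with `nssOverride` the file is copied out of whatever that derivation's `src` unpacks to, so certdata.txt itself is never hashed here. A one-line comment above `certdata = stdenv.mkDerivation {` would make that explicit, e.g. `# certdata.txt is copied out unmodified; its integrity rests on the pinned NSS tarball hash below (or on nssOverride.src when given)`. Separately, `dontBuild = true;` on its own still lets the default configure and fixup phases run over the unpacked NSS tree; adding `dontConfigure = true;` beside it states the intent and removes any dependence on what the tarball root happens to contain (not visible in this hunk). The `let` block and the outer `stdenv.mkDerivation` continue outside the hunk.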
@@ -176,11 +203,5 @@ stdenv.mkDerivation rec {
 };
 };
- meta = with lib; {
- homepage = "https://curl.haxx.se/docs/caextract.html";
- description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
- platforms = platforms.all;
- maintainers = with maintainers; [ andir fpletz lukegb ];
- license = licenses.mpl20;
- };
+ inherit meta;
 }
diff --git a/pkgs/data/misc/cacert/update.sh b/pkgs/data/misc/cacert/update.sh
index 1c286dc6206f7..72d581b9650fa 100755
--- a/pkgs/data/misc/cacert/update.sh
+++ b/pkgs/data/misc/cacert/update.sh
@@ -28,7 +28,7 @@ BASEDIR="$(dirname "$0")/../../../.."
 CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
-PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.overrideAttrs (_: { inherit (nss_pkg) src version; })).out")
+PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.override { nssOverride = nss_pkg; }).out")
 # Check the hash of the etc subfolder
 # We can't check the entire output as that contains the nix-support folder
@@ -38,5 +38,5 @@ PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")
 if [[ "$CURRENT_HASH" != "$PATCHED_HASH" ]]; then
 NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss.version" | jq -r .)
- update-source-version cacert "$NSS_VERSION"
+ update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"
 fi |
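Review bot: The new `PATCHED_PATH` line in the first update.sh hunk builds the candidate bundle from `pkgs.nss_latest or pkgs.nss`, while `NSS_VERSION` (a context line in the second hunk) is still read from `nss.version`; when `nss_latest` is newer than `nss`, the hash comparison flags a change but `update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"` then pins the older `nss.version`, so the recorded certdata would presumably not be the one that was just compared. Using the same selector in both places, `NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; (pkgs.nss_latest or pkgs.nss).version" | jq -r .)`, keeps the check and the update consistent. The mismatch predates this commit, but the switch from `overrideAttrs` to `override { nssOverride = nss_pkg; }` keeps it in place. `$BASEDIR` is also spliced unquoted into the Nix expression on both lines, which only holds for checkout paths without spaces or quotes; a short comment stating that assumption would help anyone running the script from elsewhere.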