author | ajs124 <git@ajs124.de> | 2023-11-21 12:40:33 +0100 |
---|---|---|
committer | github-actions[bot] <github-actions[bot]@users.noreply.github.com> | 2023-11-22 12:03:59 +0000 |
commit | abaae41be048c11352953c389ed815cf8d89a7b2 (patch) | |
tree | e8b4e765beaa2031f57dc4ab59c7ade3d454c440 /pkgs/data | |
parent | d756716f7537ae9af67ae7f0a8224cfa4c30c1af (diff) |
cacert: 3.92 -> 3.95
- remove blacklisted certificates, because they aren't part of the bundle anymore - switch to fetching from github, because they forgot/failed to upload a release tarball (again) - https://github.com/nss-dev/nss/blob/NSS_3_95_RTM/doc/rst/releases/nss_3_95.rst (cherry picked from commit ca7e857c133704275bce17780a49218bdeb01ea7)
Diffstat (limited to 'pkgs/data')
-rw-r--r-- | pkgs/data/misc/cacert/default.nix | 26 |
1 files changed, 9 insertions, 17 deletions
diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index d489c23c6b8d0..30f2ee38c72f8 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -1,7 +1,7 @@
 { lib
 , stdenv
 , writeText
-, fetchurl
+, fetchFromGitHub
 , buildcatrust
 , blacklist ? []
 , extraCertificateFiles ? []
@@ -17,20 +17,10 @@
 }:
 let
- blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" (blacklist ++ [
- # Mozilla does not trust new certificates issued by these CAs after 2022/11/30¹
- # in their products, but unfortunately we don't have such a fine-grained
- # solution for most system packages², so we decided to eject these.
- #
- # [1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ
- # [2] https://utcc.utoronto.ca/~cks/space/blog/linux/CARootStoreTrustProblem
- "TrustCor ECA-1"
- "TrustCor RootCert CA-1"
- "TrustCor RootCert CA-2"
- ]));
+ blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);
 extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);
- srcVersion = "3.92";
+ srcVersion = "3.95";
 version = if nssOverride != null then nssOverride.version else srcVersion;
 meta = with lib; {
 homepage = "https://curl.haxx.se/docs/caextract.html";
@@ -43,9 +33,11 @@ let
 pname = "nss-cacert-certdata";
 inherit version;
- src = if nssOverride != null then nssOverride.src else fetchurl {
- url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
- hash = "sha256-PbGS1uiCA5rwKufq8yF+0RS7etg0FMZGdyq4Ah4kolQ=";
+ src = if nssOverride != null then nssOverride.src else fetchFromGitHub {
+ owner = "nss-dev";
+ repo = "nss";
+ rev = "NSS_${lib.replaceStrings ["."] ["_"] version}_RTM";
+ hash = "sha256-qgSbzlRbU+gElC2ae3FEGRUFSM1JHd/lNGNXC0x4xt4=";
 };
 dontBuild = true;
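Review bot: With the three TrustCor names dropped from the `blocklist` definition, nothing in the file records why the default list is now empty, and nothing guards against those roots reappearing. The `version` and `src` lines still accept `nssOverride`, so a certdata.txt from an NSS release that predates the upstream removal would presumably put the TrustCor roots back in the bundle unless the caller lists them in `blacklist`. I would add a comment above the new line, for example `# TrustCor roots are no longer in upstream certdata.txt; pass them via blacklist when overriding with an older NSS`. If the package has a test for the generated bundle, asserting that no TrustCor subject is present would catch a regression.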
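Review bot: The `hash` in the new `fetchFromGitHub` call attests something different from before: it covers the unpacked tree at the `NSS_…_RTM` tag of `nss-dev/nss`, not a release tarball, so it can no longer be compared with any checksum published next to an upstream tarball. The fixed hash still turns a moved tag into a build failure rather than a silent change of the trust store, but whoever reviews the next bump has no independent value to check against. Because the commit message describes this as a workaround for a missing tarball, a comment on the `src` line such as `# temporary: no upstream release tarball for this version; return to the mozilla mirror once it is published` would keep the workaround from becoming permanent. The enclosing derivation starts and ends outside the hunk.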
@@ -54,7 +46,7 @@ let
 runHook preInstall
 mkdir $out
- cp nss/lib/ckfw/builtins/certdata.txt $out
+ cp lib/ckfw/builtins/certdata.txt $out
 runHook postInstall
 ''; |
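Review bot: The new copy path assumes the GitHub tree layout, yet `src` is still taken from `nssOverride.src` whenever an override is given (see the `src = if nssOverride != null …` line earlier in this diff). If that override unpacks like the release tarball, with the sources under `nss/`, then `cp lib/ckfw/builtins/certdata.txt $out` fails. Something like `cp ${lib.optionalString (nssOverride != null) "nss/"}lib/ckfw/builtins/certdata.txt $out`, or a shell test for both paths, would keep the override working; this should be confirmed against whatever passes `nssOverride`. The installPhase string begins outside the hunk.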