Unverified Commit d50a5096 authored by David McFarland's avatar David McFarland Committed by GitHub

Merge pull request #326785 from Smaug123/nuget-deterministic

dotnet: strip signature files from NuGet
parents cb0aaa6d 368fc1c5
+29 −9
{ linkFarmFromDrvs, fetchurl }:
{ linkFarmFromDrvs, fetchurl, runCommand, zip }:
{ name, nugetDeps ? import sourceFile, sourceFile ? null }:
linkFarmFromDrvs "${name}-nuget-deps" (nugetDeps {
  fetchNuGet = { pname, version, sha256 ? "", hash ? ""
    , url ? "https://www.nuget.org/api/v2/package/${pname}/${version}" }:
    fetchurl {
    let
      src = fetchurl {
        name = "${pname}.${version}.nupkg";
        # There is no need to verify whether both sha256 and hash are
        # valid here, because nuget-to-nix does not generate a deps.nix
        # containing both.
        inherit url sha256 hash;
      };
}) // {
    in
    # NuGet.org edits packages by signing them during upload, which makes
    # those packages nondeterministic depending on which source you
    # get them from. We fix this by stripping out the signature file.
    # Signing logic is https://github.com/NuGet/NuGet.Client/blob/128a5066b1438627ac69a2ffe9de564b2c09ee4d/src/NuGet.Core/NuGet.Packaging/Signing/Archive/SignedPackageArchiveIOUtility.cs#L518
    # Non-NuGet.org sources might not have a signature file; in that case, zip
    # exits with code 12 ("zip has nothing to do", per `man zip`).
    runCommand src.name
      {
        inherit src;
        nativeBuildInputs = [ zip ];
      }
      ''
        zip "$src" --temp-path "$TMPDIR" --output-file "$out" --delete .signature.p7s || {
          (( $? == 12 ))
          install -Dm644 "$src" "$out"
        }
      '';
})
// {
  inherit sourceFile;
}
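Review bot: The `(( $? == 12 ))` line inside the `||` group only turns a non-12 zip failure into a build failure because the stdenv builder runs the script under `set -e`; read on its own it is a no-op, and if that option were ever not in effect the `install` below would silently copy the unmodified, still-signed archive into `$out`, so the tolerance for "nothing to do" that the comment describes is not enforced by the code itself. Make the check explicit and diagnostic, e.g. `status=$?; (( status == 12 )) || { echo "zip failed with status $status" >&2; exit "$status"; }`, which also preserves the real exit status instead of an arithmetic test that reads like a comment. The header comment should state that integrity still rests on the `sha256`/`hash` pinned at `fetchurl`, which is verified before the signature is removed, so stripping `.signature.p7s` does not weaken the supply-chain check here. It seems worth a hedged caveat that a consumer whose `nuget.config` sets `signatureValidationMode` to `require` would presumably reject the now-unsigned package from this source; confirm against the dotnet build hooks before relying on that.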