Unverified Commit db44da13 authored by Philip Taron's avatar Philip Taron Committed by GitHub

fetchurl: enable TLS verification when `NIX_SSL_CERT_FILE` is set (#350222)

parents 30ad4bb0 f8292741
+2 −1
@@ -19,7 +19,8 @@ curl=(
    --user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
)

if ! [ -f "$SSL_CERT_FILE" ]; then
# Default fallback value defined in pkgs/build-support/fetchurl/default.nix
if [ "$SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
    curl+=(--insecure)
fi

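Review bot: The new comparison on the `if` line narrows the insecure fallback to the exact `/no-cert-file.crt` placeholder, so an `SSL_CERT_FILE` that is empty or names a missing file no longer gets `--insecure` and instead leaves curl verifying against a bundle it cannot read, which should fail the fetch rather than weaken it; that fail-closed behaviour is the point of the commit but is not stated in the hunk. Suggest extending the comment above the test with `# Only the stdenv placeholder disables verification; an unset or unreadable cert path fails closed`. The placeholder string is now hard-coded in both builder.sh and default.nix, so a change to one side without the other would break fetches (closed, not open) — the existing cross-reference comment covers this direction, and a matching note on the default.nix side would make the coupling visible from both files. `==` inside single-bracket `[ ]` is a bashism; it works here because the file already relies on bash (`curl+=(...)`), but `=` is the portable spelling.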
+9 −3
@@ -220,20 +220,26 @@ stdenvNoCC.mkDerivation (
    # New-style output content requirements.
    inherit (hash_) outputHashAlgo outputHash;

    # Disable TLS verification only when we know the hash and no credentials are
    # needed to access the resource
    SSL_CERT_FILE =
      if
      let
        nixSSLCertFile = builtins.getEnv "NIX_SSL_CERT_FILE";
      in
      if nixSSLCertFile != "" then
        nixSSLCertFile
      else if
        (
          hash_.outputHash == ""
          || hash_.outputHash == lib.fakeSha256
          || hash_.outputHash == lib.fakeSha512
          || hash_.outputHash == lib.fakeHash
          # Make sure we always enforce TLS verification when credentials
          # are needed to access the resource
          || netrcPhase != null
        )
      then
        "${cacert}/etc/ssl/certs/ca-bundle.crt"
      else
        # Fallback to stdenv default, see pkgs/stdenv/generic/setup.sh
        "/no-cert-file.crt";

    outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
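Review bot: The comment above `SSL_CERT_FILE` ("Disable TLS verification only when we know the hash and no credentials are needed") no longer describes the first branch, where a non-empty `NIX_SSL_CERT_FILE` read through `builtins.getEnv` is returned before the hash and netrc checks are consulted, so it applies even for empty or fake hashes. Suggest prefixing that comment with `# An explicit NIX_SSL_CERT_FILE in the evaluator's environment always wins and keeps verification on;` so the precedence is documented where the expression is read. Two caveats are worth a comment on the `builtins.getEnv` line: in pure evaluation mode the call yields an empty string, so the override is silently a no-op there, and the value is captured at evaluation time into the derivation's environment, so the path presumably has to be readable inside the build sandbox or curl fails closed (the curl side of that lives in builder.sh, outside this hunk). The enclosing `mkDerivation` argument set begins before and ends after the hunk.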