Merge pull request #225294 from gador/kodiPackages.certifi_add_cacert_support

kodiPackages.certifi: add support for system-wide cacert

pkgs/applications/video/kodi/addons/certifi/default.nix

@@ -1,4 +1,4 @@
-{ lib, buildKodiAddon, fetchzip, addonUpdateScript }:
+{ lib, buildKodiAddon, fetchzip, addonUpdateScript, cacert }:
 buildKodiAddon rec {
   pname = "certifi";
   namespace = "script.module.certifi";
@@ -9,6 +9,21 @@ buildKodiAddon rec {
     sha256 = "sha256-kIPGEjmnHlgVb11W2RKBlrMy3/+kUOcQZiLCcnHCcno=";
   };
 
+  patches = [
+    # Add support for NIX_SSL_CERT_FILE
+    ./env.patch
+  ];
+
+  postPatch = ''
+    # Use our system-wide ca-bundle instead of the bundled one
+    ln -snvf "${cacert}/etc/ssl/certs/ca-bundle.crt" "lib/certifi/cacert.pem"
+  '';
+
+  propagatedNativeBuildInputs = [
+    # propagate cacerts setup-hook to set up `NIX_SSL_CERT_FILE`
+    cacert
+  ];
+
   passthru = {
     pythonPath = "lib";
     updateScript = addonUpdateScript {

pkgs/applications/video/kodi/addons/certifi/env.patch

@@ -0,0 +1,86 @@
+diff --git a/lib/certifi/core.py b/lib/certifi/core.py
+index de02898..c033d20 100644
+--- a/lib/certifi/core.py
++++ b/lib/certifi/core.py
+@@ -4,15 +4,25 @@ certifi.py
+ 
+ This module returns the installation location of cacert.pem or its contents.
+ """
++import os
+ import sys
+ 
+ 
++def get_cacert_path_from_environ():
++    path = os.environ.get("NIX_SSL_CERT_FILE", None)
++
++    if path == "/no-cert-file.crt":
++        return None
++
++    return path
++
++
+ if sys.version_info >= (3, 11):
+ 
+     from importlib.resources import as_file, files
+ 
+     _CACERT_CTX = None
+-    _CACERT_PATH = None
++    _CACERT_PATH = get_cacert_path_from_environ()
+ 
+     def where() -> str:
+         # This is slightly terrible, but we want to delay extracting the file
+@@ -39,14 +49,16 @@ if sys.version_info >= (3, 11):
+         return _CACERT_PATH
+ 
+     def contents() -> str:
+-        return files("certifi").joinpath("cacert.pem").read_text(encoding="ascii")
++        if _CACERT_PATH is not None:
++            return open(_CACERT_PATH, encoding="utf-8").read()
++        return files("certifi").joinpath("cacert.pem").read_text(encoding="utf-8")
+ 
+ elif sys.version_info >= (3, 7):
+ 
+     from importlib.resources import path as get_path, read_text
+ 
+     _CACERT_CTX = None
+-    _CACERT_PATH = None
++    _CACERT_PATH = get_cacert_path_from_environ()
+ 
+     def where() -> str:
+         # This is slightly terrible, but we want to delay extracting the
+@@ -74,7 +86,9 @@ elif sys.version_info >= (3, 7):
+         return _CACERT_PATH
+ 
+     def contents() -> str:
+-        return read_text("certifi", "cacert.pem", encoding="ascii")
++        if _CACERT_PATH is not None:
++            return open(_CACERT_PATH, encoding="utf-8").read()
++        return read_text("certifi", "cacert.pem", encoding="utf-8")
+ 
+ else:
+     import os
+@@ -84,6 +98,8 @@ else:
+     Package = Union[types.ModuleType, str]
+     Resource = Union[str, "os.PathLike"]
+ 
++    _CACERT_PATH = get_cacert_path_from_environ()
++
+     # This fallback will work for Python versions prior to 3.7 that lack the
+     # importlib.resources module but relies on the existing `where` function
+     # so won't address issues with environments like PyOxidizer that don't set
+@@ -102,7 +118,14 @@ else:
+     def where() -> str:
+         f = os.path.dirname(__file__)
+ 
++        if _CACERT_PATH is not None:
++            return _CACERT_PATH
++
+         return os.path.join(f, "cacert.pem")
+ 
+     def contents() -> str:
+-        return read_text("certifi", "cacert.pem", encoding="ascii")
++        if _CACERT_PATH is not None:
++            with open(_CACERT_PATH, encoding="utf-8") as data:
++                return data.read()
++
++        return read_text("certifi", "cacert.pem", encoding="utf-8")