diff --git a/pkgs/applications/video/kodi/addons/certifi/default.nix b/pkgs/applications/video/kodi/addons/certifi/default.nix
index 0e0699752a91..8dd9c5702a2d 100644
--- a/pkgs/applications/video/kodi/addons/certifi/default.nix
+++ b/pkgs/applications/video/kodi/addons/certifi/default.nix
@@ -1,4 +1,4 @@
-{ lib, buildKodiAddon, fetchzip, addonUpdateScript }:
+{ lib, buildKodiAddon, fetchzip, addonUpdateScript, cacert }:
 buildKodiAddon rec {
 pname = "certifi";
 namespace = "script.module.certifi";
@@ -9,6 +9,21 @@ buildKodiAddon rec {
 sha256 = "sha256-kIPGEjmnHlgVb11W2RKBlrMy3/+kUOcQZiLCcnHCcno=";
 };
 
+ patches = [
+ # Add support for NIX_SSL_CERT_FILE
+ ./env.patch
+ ];
+
+ postPatch = ''
+ # Use our system-wide ca-bundle instead of the bundled one
+ ln -snvf "${cacert}/etc/ssl/certs/ca-bundle.crt" "lib/certifi/cacert.pem"
+ '';
+
+ propagatedNativeBuildInputs = [
+ # propagate cacerts setup-hook to set up `NIX_SSL_CERT_FILE`
+ cacert
+ ];
+
 passthru = {
 pythonPath = "lib";
 updateScript = addonUpdateScript {
diff --git a/pkgs/applications/video/kodi/addons/certifi/env.patch b/pkgs/applications/video/kodi/addons/certifi/env.patch
new file mode 100644
index 000000000000..087ab58e4414
--- /dev/null
+++ b/pkgs/applications/video/kodi/addons/certifi/env.patch
@@ -0,0 +1,86 @@
+diff --git a/lib/certifi/core.py b/lib/certifi/core.py
+index de02898..c033d20 100644
+--- a/lib/certifi/core.py
++++ b/lib/certifi/core.py
+@@ -4,15 +4,25 @@ certifi.py
+
+ This module returns the installation location of cacert.pem or its contents.
+ """
++import os
+ import sys
+
+
++def get_cacert_path_from_environ():
++ path = os.environ.get("NIX_SSL_CERT_FILE", None)
++
++ if path == "/no-cert-file.crt":
++ return None
++
++ return path
++
++
+ if sys.version_info >= (3, 11):
+
+ from importlib.resources import as_file, files
+
+ _CACERT_CTX = None
+- _CACERT_PATH = None
++ _CACERT_PATH = get_cacert_path_from_environ()
+
+ def where() -> str:
+ # This is slightly terrible, but we want to delay extracting the file
+@@ -39,14 +49,16 @@ if sys.version_info >= (3, 11):
+ return _CACERT_PATH
+
+ def contents() -> str:
+- return files("certifi").joinpath("cacert.pem").read_text(encoding="ascii")
++ if _CACERT_PATH is not None:
++ return open(_CACERT_PATH, encoding="utf-8").read()
++ return files("certifi").joinpath("cacert.pem").read_text(encoding="utf-8")
+
+ elif sys.version_info >= (3, 7):
+
+ from importlib.resources import path as get_path, read_text
+
+ _CACERT_CTX = None
+- _CACERT_PATH = None
++ _CACERT_PATH = get_cacert_path_from_environ()
+
+ def where() -> str:
+ # This is slightly terrible, but we want to delay extracting the
+@@ -74,7 +86,9 @@ elif sys.version_info >= (3, 7):
+ return _CACERT_PATH
+
+ def contents() -> str:
+- return read_text("certifi", "cacert.pem", encoding="ascii")
++ if _CACERT_PATH is not None:
++ return open(_CACERT_PATH, encoding="utf-8").read()
++ return read_text("certifi", "cacert.pem", encoding="utf-8")
+
+ else:
+ import os
+@@ -84,6 +98,8 @@ else:
+ Package = Union[types.ModuleType, str]
+ Resource = Union[str, "os.PathLike"]
+
++ _CACERT_PATH = get_cacert_path_from_environ()
++
+ # This fallback will work for Python versions prior to 3.7 that lack the
+ # importlib.resources module but relies on the existing `where` function
+ # so won't address issues with environments like PyOxidizer that don't set
+@@ -102,7 +118,14 @@ else:
+ def where() -> str:
+ f = os.path.dirname(__file__)
+
++ if _CACERT_PATH is not None:
++ return _CACERT_PATH
++
+ return os.path.join(f, "cacert.pem")
+
+ def contents() -> str:
+- return read_text("certifi", "cacert.pem", encoding="ascii")
++ if _CACERT_PATH is not None:
++ with open(_CACERT_PATH, encoding="utf-8") as data:
++ return data.read()
++
++ return read_text("certifi", "cacert.pem", encoding="utf-8")
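Review bot: `get_cacert_path_from_environ()` accepts any value of `NIX_SSL_CERT_FILE` except the `/no-cert-file.crt` sentinel, so an empty string or a path that no longer exists becomes `_CACERT_PATH` and the bundled `cacert.pem` fallback is skipped in all three version branches. In that state the new `contents()` raises from `open()`, and the pre-3.7 `where()` returns the unusable path as-is (the other two `where()` bodies lie partly outside the nested hunks, but they appear to do the same). I would fall back unless the file is really there, e.g. `if not path or path == "/no-cert-file.crt" or not os.path.isfile(path): return None`, and add a one-line docstring saying that this variable selects the trust anchors for every TLS client that uses certifi, so the process environment is part of the trust decision. The first two `contents()` variants also call `open(_CACERT_PATH, encoding="utf-8").read()` without a `with`, unlike the third; writing `with open(_CACERT_PATH, encoding="utf-8") as data: return data.read()` there keeps the three consistent and closes the handle deterministically.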