diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index da781f310f4c..49645ee80083 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -2,12 +2,14 @@
 , stdenv
 , writeText
 , fetchurl
-, nss
 , buildcatrust
 , blacklist ? []
 , extraCertificateFiles ? []
 , extraCertificateStrings ? []
+# Used by update.sh
+, nssOverride ? null
+
 # Used for tests only
 , runCommand
 , cacert
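Review bot: The comment `# Used by update.sh` above `nssOverride ? null` says who passes the parameter but not what it must be, while the second hunk reads both `nssOverride.version` and `nssOverride.src` from it. Since whatever is passed here becomes the source of the system's CA trust bundle, the contract is worth stating on the parameter itself, e.g. `# Optional NSS package (must provide .src and .version); when set it replaces the pinned certdata tarball below. Used by update.sh.`. The argument set continues before and after this hunk.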
@@ -17,24 +19,49 @@ let
 blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);
 extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);
+
+ srcVersion = "3.71";
+ version = if nssOverride != null then nssOverride.version else srcVersion;
+ meta = with lib; {
+ homepage = "https://curl.haxx.se/docs/caextract.html";
+ description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
+ platforms = platforms.all;
+ maintainers = with maintainers; [ andir fpletz lukegb ];
+ license = licenses.mpl20;
+ };
+ certdata = stdenv.mkDerivation {
+ pname = "nss-cacert-certdata";
+ inherit version;
+
+ src = if nssOverride != null then nssOverride.src else fetchurl {
+ url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
+ sha256 = "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r";
+ };
+
+ dontBuild = true;
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir $out
+ cp nss/lib/ckfw/builtins/certdata.txt $out
+
+ runHook postInstall
+ '';
+
+ inherit meta;
+ };
 in
 stdenv.mkDerivation rec {
 pname = "nss-cacert";
- version = "3.71";
+ inherit version;
- src = fetchurl {
- url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
- sha256 = "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r";
- };
+ src = certdata;
 outputs = [ "out" "unbundled" "p11kit" ];
 nativeBuildInputs = [ buildcatrust ];
- configurePhase = ''
- ln -s nss/lib/ckfw/builtins/certdata.txt
- '';
-
 buildPhase = ''
 mkdir unbundled
 buildcatrust \
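Review bot: In `certdata`, the `src = if nssOverride != null then nssOverride.src else fetchurl { ... }` line means the `sha256` pin only governs the default path; with an override the provenance of `certdata.txt`, i.e. the root of trust for every TLS client on the system, rests entirely on `nssOverride.src` being a hash-pinned fixed-output source, and nothing in the derivation says so. A comment above that line, `# nssOverride bypasses the hash-pinned tarball below; only pass a hash-pinned NSS package (update.sh does).`, would make the requirement visible to the next person who reaches for the parameter. Separately, the shared `meta` gives the certdata-only derivation the description "A bundle of X.509 certificates of public Certificate Authorities (CA)", which is inaccurate for a package that ships a single certdata.txt; a `meta // { description = ...; }` on `certdata` would avoid misleading search output. The `stdenv.mkDerivation rec { ... }` block continues past the end of this hunk.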
@@ -176,11 +203,5 @@ stdenv.mkDerivation rec {
 };
 };
- meta = with lib; {
- homepage = "https://curl.haxx.se/docs/caextract.html";
- description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
- platforms = platforms.all;
- maintainers = with maintainers; [ andir fpletz lukegb ];
- license = licenses.mpl20;
- };
+ inherit meta;
 }
diff --git a/pkgs/data/misc/cacert/update.sh b/pkgs/data/misc/cacert/update.sh
index 1c286dc6206f..72d581b9650f 100755
--- a/pkgs/data/misc/cacert/update.sh
+++ b/pkgs/data/misc/cacert/update.sh
@@ -28,7 +28,7 @@ BASEDIR="$(dirname "$0")/../../../.."
 CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
-PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.overrideAttrs (_: { inherit (nss_pkg) src version; })).out")
+PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.override { nssOverride = nss_pkg; }).out")
 # Check the hash of the etc subfolder
 # We can't check the entire output as that contains the nix-support folder
@@ -38,5 +38,5 @@ PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")
 if [[ "$CURRENT_HASH" != "$PATCHED_HASH" ]]; then
 NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss.version" | jq -r .)
- update-source-version cacert "$NSS_VERSION"
+ update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"
 fi
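Review bot: The new `PATCHED_PATH` line builds the candidate bundle from `pkgs.nss_latest or pkgs.nss`, but the `NSS_VERSION` line in the `@@ -38,5 +38,5 @@` hunk reads `nss.version`, so whenever `nss_latest` is ahead of `nss` the certdata that was built and hash-compared comes from one NSS release while `srcVersion` (and the fetchurl URL derived from it) is bumped to another, and the tarball pinned afterwards is not the one whose output was checked. Use the same selection in both places, e.g. `NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; (pkgs.nss_latest or pkgs.nss).version" | jq -r .)`. The mismatch predates this commit (the old `overrideAttrs` form had it too), but the switch to `override` is the natural point to close it.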
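Review bot: `cacert.src` now resolves to the `certdata` derivation, which exposes `version` (via `inherit version`) but no `srcVersion` attribute — in default.nix `srcVersion` is only a `let` binding — so whether `update-source-version --version-key=srcVersion cacert.src` can locate the old version through that attribute path depends on the tool's fallback behaviour; I would run the script once by hand before merging rather than assume it. If the lookup fails, exposing the binding on the derivation, `passthru = { inherit srcVersion; };` inside `certdata`, makes the key reachable without changing the script again. The `if` block is fully inside the hunk.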