Matthew Bauer 0046802ab6 fetchurl: only allow empty hash when cacert is available
We can use cacert to validate the SSL certificate of the server the data is fetched from. Normally this isn’t done because we already have the hash, but in
the hash = "" case we don’t.
2020-06-09 12:56:27 -05:00


{ lib, buildPackages ? { inherit stdenvNoCC; }, stdenvNoCC
, curl # Note that `curl' may be `null', in case of the native stdenvNoCC.
, cacert ? null }:
mirrors = import ./mirrors.nix;
# Write the list of mirrors to a file that we can reuse between
# fetchurl instantiations, instead of passing the mirrors to
# fetchurl instantiations via environment variables. This makes the
# resulting store derivations (.drv files) much smaller, which in
# turn makes nix-env/nix-instantiate faster.
mirrorsFile =
buildPackages.stdenvNoCC.mkDerivation ({
name = "mirrors-list";
builder = ./write-mirror-list.sh;
preferLocalBuild = true;
} // mirrors);
# Names of the master sites that are mirrored (i.e., "sourceforge",
# "gnu", etc.).
sites = builtins.attrNames mirrors;
impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [
# This variable allows the user to pass additional options to curl
# This variable allows the user to override hashedMirrors from the
# command-line.
# This variable allows overriding the timeout for connecting to
# the hashed mirrors.
] ++ (map (site: "NIX_MIRRORS_${site}") sites);
{ # URL to fetch.
url ? ""
, # Alternatively, a list of URLs specifying alternative download
# locations. They are tried in order.
urls ? []
, # Additional curl options needed for the download to succeed.
curlOpts ? ""
, # Name of the file. If empty, use the basename of `url' (or of the
# first element of `urls').
name ? ""
, # SRI hash.
hash ? ""
, # Legacy ways of specifying the hash.
outputHash ? ""
, outputHashAlgo ? ""
, md5 ? ""
, sha1 ? ""
, sha256 ? ""
, sha512 ? ""
, recursiveHash ? false
, # Shell code to build a netrc file for BASIC auth
netrcPhase ? null
, # Impure env vars (https://nixos.org/nix/manual/#sec-advanced-attributes)
# needed for netrcPhase
netrcImpureEnvVars ? []
, # Shell code executed after the file has been fetched
# successfully. This can do things like check or transform the file.
postFetch ? ""
, # Whether to download to a temporary path rather than $out. Useful
# in conjunction with postFetch. The location of the temporary file
# is communicated to postFetch via $downloadedFile.
downloadToTemp ? false
, # If true, set executable bit on downloaded file
executable ? false
, # If set, don't download the file, but write a list of all possible
# URLs (resulting from resolving mirror:// URLs) to $out.
showURLs ? false
, # Meta information, if any.
meta ? {}
# Passthru information, if any.
, passthru ? {}
# Doing the download on a remote machine just duplicates network
# traffic, so don't do that by default
, preferLocalBuild ? true
assert sha512 != "" -> builtins.compareVersions "1.11" builtins.nixVersion <= 0;
urls_ =
if urls != [] && url == "" then
(if lib.isList urls then urls
else throw "`urls` is not a list")
else if urls == [] && url != "" then [url]
else throw "fetchurl requires either `url` or `urls` to be set";
hash_ =
if hash != "" then { outputHashAlgo = null; outputHash = hash; }
else if md5 != "" then throw "fetchurl does not support md5 anymore, please use sha256 or sha512"
else if (outputHash != "" && outputHashAlgo != "") then { inherit outputHashAlgo outputHash; }
else if sha512 != "" then { outputHashAlgo = "sha512"; outputHash = sha512; }
else if sha256 != "" then { outputHashAlgo = "sha256"; outputHash = sha256; }
else if sha1 != "" then { outputHashAlgo = "sha1"; outputHash = sha1; }
else if cacert != null then { outputHashAlgo = "sha256"; outputHash = ""; }
else throw "fetchurl requires a hash for fixed-output derivation: ${lib.concatStringsSep ", " urls_}";
stdenvNoCC.mkDerivation {
name =
if showURLs then "urls"
else if name != "" then name
else baseNameOf (toString (builtins.head urls_));
builder = ./builder.sh;
nativeBuildInputs = [ curl ];
urls = urls_;
# If set, prefer the content-addressable mirrors
# (http://tarballs.nixos.org) over the original URLs.
preferHashedMirrors = true;
# New-style output content requirements.
inherit (hash_) outputHashAlgo outputHash;
SSL_CERT_FILE = if hash_.outputHash == ""
then "${cacert}/etc/ssl/certs/ca-bundle.crt"
else "/no-cert-file.crt";
outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
inherit curlOpts showURLs mirrorsFile postFetch downloadToTemp executable;
impureEnvVars = impureEnvVars ++ netrcImpureEnvVars;
nixpkgsVersion = lib.trivial.release;
inherit preferLocalBuild;
postHook = if netrcPhase == null then null else ''
curlOpts="$curlOpts --netrc-file $PWD/netrc"
inherit meta;
inherit passthru;