commit d8b1778995c661d88aba7e6f1f910e26775aa6b6 · pyrox.dev/nixpkgs

+9 -17
pkgs/data/misc/cacert/default.nix
···

       1
       1
        
       { lib

     

       2
       2
        
       , stdenv

     

       3
       3
        
       , writeText

     

       4
       4
       -
       , fetchurl

     

       4
       4
       +
       , fetchFromGitHub

     

       5
       5
        
       , buildcatrust

     

       6
       6
        
       , blacklist ? []

     

       7
       7
        
       , extraCertificateFiles ? []

     
···

       17
       17
        
       }:

     

       18
       18
        
       

     

       19
       19
        
       let

     

       20
       20
       -
         blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" (blacklist ++ [

     

       21
       21
       -
           # Mozilla does not trust new certificates issued by these CAs after 2022/11/30¹

     

       22
       22
       -
           # in their products, but unfortunately we don't have such a fine-grained

     

       23
       23
       -
           # solution for most system packages², so we decided to eject these.

     

       24
       24
       -
           #

     

       25
       25
       -
           # [1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ

     

       26
       26
       -
           # [2] https://utcc.utoronto.ca/~cks/space/blog/linux/CARootStoreTrustProblem

     

       27
       27
       -
           "TrustCor ECA-1"

     

       28
       28
       -
           "TrustCor RootCert CA-1"

     

       29
       29
       -
           "TrustCor RootCert CA-2"

     

       30
       30
       -
         ]));

     

       20
       20
       +
         blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);

     

       31
       21
        
         extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);

     

       32
       22
        
       

     

       33
       33
       -
         srcVersion = "3.92";

     

       23
       23
       +
         srcVersion = "3.95";

     

       34
       24
        
         version = if nssOverride != null then nssOverride.version else srcVersion;

     

       35
       25
        
         meta = with lib; {

     

       36
       26
        
           homepage = "https://curl.haxx.se/docs/caextract.html";

     
···

       43
       33
        
           pname = "nss-cacert-certdata";

     

       44
       34
        
           inherit version;

     

       45
       35
        
       

     

       46
       46
       -
           src = if nssOverride != null then nssOverride.src else fetchurl {

     

       47
       47
       -
             url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";

     

       48
       48
       -
             hash = "sha256-PbGS1uiCA5rwKufq8yF+0RS7etg0FMZGdyq4Ah4kolQ=";

     

       36
       36
       +
           src = if nssOverride != null then nssOverride.src else fetchFromGitHub {

     

       37
       37
       +
             owner = "nss-dev";

     

       38
       38
       +
             repo = "nss";

     

       39
       39
       +
             rev = "NSS_${lib.replaceStrings ["."] ["_"] version}_RTM";

     

       40
       40
       +
             hash = "sha256-qgSbzlRbU+gElC2ae3FEGRUFSM1JHd/lNGNXC0x4xt4=";

     

       49
       41
        
           };

     

       50
       42
        
       

     

       51
       43
        
           dontBuild = true;

     
···

       54
       46
        
             runHook preInstall

     

       55
       47
        
       

     

       56
       48
        
             mkdir $out

     

       57
       57
       -
             cp nss/lib/ckfw/builtins/certdata.txt $out

     

       49
       49
       +
             cp lib/ckfw/builtins/certdata.txt $out

     

       58
       50
        
       

     

       59
       51
        
             runHook postInstall

     

       60
       52
        
           '';