authorhacker1024 <hacker1024@users.sourceforge.net>2023-08-27 23:11:24 +1000
committerhacker1024 <hacker1024@users.sourceforge.net>2023-08-29 13:12:01 +0200
commit41bbc2c311f10086fcb9f149d06eb300ab7e2a7d (patch)
tree2e5abf07b5aa003ab97cd22d4f1aaf76c8314e78
parent40e82051b94f52a60473e2d0fef010bd1f402184 (diff)
flutter: Supply CA bundle in sandbox
-rw-r--r--pkgs/build-support/dart/fetch-dart-deps/default.nix8
-rw-r--r--pkgs/build-support/flutter/default.nix21
-rw-r--r--pkgs/development/compilers/flutter/patches/flutter3/flutter-pub-dart-override.patch34
3 files changed, 62 insertions, 1 deletions
diff --git a/pkgs/build-support/dart/fetch-dart-deps/default.nix b/pkgs/build-support/dart/fetch-dart-deps/default.nix
index e523b60797e..d6920a35e20 100644
--- a/pkgs/build-support/dart/fetch-dart-deps/default.nix
+++ b/pkgs/build-support/dart/fetch-dart-deps/default.nix
@@ -79,7 +79,13 @@ let
 
       installPhase = ''
         _pub_get() {
-          ${pubGetScript}
+          (
+            # Dart does not respect SSL_CERT_FILE.
+            # https://github.com/dart-lang/sdk/issues/48506
+            export DART_VM_OPTIONS="--root-certs-file=$SSL_CERT_FILE"
+
+            ${pubGetScript}
+          )
         }
 
         # so we can use lock, diff yaml
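Review bot: The added `export DART_VM_OPTIONS="--root-certs-file=$SSL_CERT_FILE"` expands to a bare `--root-certs-file=` when SSL_CERT_FILE is unset or empty, and nothing visible in this hunk guarantees the derivation sets it. Since this flag supplies the CA bundle pub uses to verify its TLS connections, failing early with a clear message is safer than depending on how the Dart VM treats an empty path: `export DART_VM_OPTIONS="--root-certs-file=''${SSL_CERT_FILE:?SSL_CERT_FILE must point to a CA bundle}"` (the `''$` stops Nix from interpolating the shell expansion). The export also replaces any DART_VM_OPTIONS already in the environment; the subshell confines that to `_pub_get`, which the comment could say explicitly. The installPhase string continues outside the hunk.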
diff --git a/pkgs/build-support/flutter/default.nix b/pkgs/build-support/flutter/default.nix
index 8d31482900a..06f6e2770be 100644
--- a/pkgs/build-support/flutter/default.nix
+++ b/pkgs/build-support/flutter/default.nix
@@ -1,6 +1,7 @@
 { lib
 , callPackage
 , stdenvNoCC
+, runCommand
 , makeWrapper
 , llvmPackages_13
 , cacert
@@ -26,6 +27,26 @@
 }@args:
 let
   flutterSetupScript = ''
+    # Pub needs SSL certificates. Dart normally looks in a hardcoded path.
+    # https://github.com/dart-lang/sdk/blob/3.1.0/runtime/bin/security_context_linux.cc#L48
+    #
+    # Dart does not respect SSL_CERT_FILE...
+    # https://github.com/dart-lang/sdk/issues/48506
+    # ...and Flutter does not support --root-certs-file, so the path cannot be manually set.
+    # https://github.com/flutter/flutter/issues/56607
+    # https://github.com/flutter/flutter/issues/113594
+    #
+    # libredirect is of no use either, as Flutter does not pass any
+    # environment variables (including LD_PRELOAD) to the Pub process.
+    #
+    # Instead, Flutter is patched to allow the path to the Dart binary used for
+    # Pub commands to be overriden.
+    export NIX_FLUTTER_PUB_DART="${runCommand "dart-with-certs" { nativeBuildInputs = [ makeWrapper ]; } ''
+      mkdir -p "$out/bin"
+      makeWrapper ${flutter.dart}/bin/dart "$out/bin/dart" \
+        --add-flags "--root-certs-file=${cacert}/etc/ssl/certs/ca-bundle.crt"
+    ''}/bin/dart"
+
     export HOME="$NIX_BUILD_TOP"
     flutter config --no-analytics &>/dev/null # mute first-run
     flutter config --enable-linux-desktop >/dev/null
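Review bot: The wrapper hard-codes `${cacert}/etc/ssl/certs/ca-bundle.crt` as pub's trust store, whereas the fetch-dart-deps hunk in this same commit takes the bundle from `$SSL_CERT_FILE`. A build that overrides the CA bundle through the environment would therefore behave differently in the two places; if pinning is intended, the comment block should say so, for example `# The wrapper pins pub to nixpkgs' cacert bundle; SSL_CERT_FILE overrides are not honoured here.` As a style point, the derivation interpolated inside the export line would read more easily as its own `let` binding, leaving `export NIX_FLUTTER_PUB_DART="${dartWithCerts}/bin/dart"` in the script. flutterSetupScript continues outside the hunk.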
diff --git a/pkgs/development/compilers/flutter/patches/flutter3/flutter-pub-dart-override.patch b/pkgs/development/compilers/flutter/patches/flutter3/flutter-pub-dart-override.patch
new file mode 100644
index 00000000000..9d1de65c320
--- /dev/null
+++ b/pkgs/development/compilers/flutter/patches/flutter3/flutter-pub-dart-override.patch
@@ -0,0 +1,34 @@
+From ddb81649092776ecac635af7040685588798b5a5 Mon Sep 17 00:00:00 2001
+From: hacker1024 <hacker1024@users.sourceforge.net>
+Date: Sun, 27 Aug 2023 22:47:24 +1000
+Subject: [PATCH] Allow replacing the Dart binary used for Pub commands with
+ NIX_FLUTTER_PUB_DART
+
+---
+ packages/flutter_tools/lib/src/dart/pub.dart | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/packages/flutter_tools/lib/src/dart/pub.dart b/packages/flutter_tools/lib/src/dart/pub.dart
+index 40e60f9005..22fd3cebc7 100644
+--- a/packages/flutter_tools/lib/src/dart/pub.dart
++++ b/packages/flutter_tools/lib/src/dart/pub.dart
+@@ -3,6 +3,7 @@
+ // found in the LICENSE file.
+ 
+ import 'dart:async';
++import 'dart:io' as io;
+ 
+ import 'package:meta/meta.dart';
+ import 'package:package_config/package_config.dart';
+@@ -544,7 +545,7 @@ class _DefaultPub implements Pub {
+ 
+   List<String> _computePubCommand() {
+     // TODO(zanderso): refactor to use artifacts.
+-    final String sdkPath = _fileSystem.path.joinAll(<String>[
++    final String sdkPath = io.Platform.environment['NIX_FLUTTER_PUB_DART'] ?? _fileSystem.path.joinAll(<String>[
+       Cache.flutterRoot!,
+       'bin',
+       'cache',
+-- 
+2.41.0
+
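Review bot: In `_computePubCommand`, `io.Platform.environment['NIX_FLUTTER_PUB_DART'] ?? …` falls back only when the variable is absent, so a variable that is set but empty becomes the executable path for every pub command. Reading it into a local first, `final String? pubDartOverride = io.Platform.environment['NIX_FLUTTER_PUB_DART'];`, and using it only when `pubDartOverride != null && pubDartOverride.isNotEmpty` avoids that. The override is read from the process environment on every run of the patched tool, not only inside the Nix sandbox. A comment at this line should therefore state that the variable selects the binary pub is executed with and is meant to be set by the Nix setup script. The `joinAll` call and the rest of the method lie outside the embedded hunk.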