diff options
| author | aszlig <aszlig@nix.build> | 2022-06-21 01:51:31 +0200 |
|---|---|---|
| committer | aszlig <aszlig@nix.build> | 2022-06-21 11:54:08 +0200 |
| commit | 9744ff74adb4f6ab864241d9bae4dda2ca5421dc (patch) | |
| tree | 7e051a2cfacefa2a75cad101fb67924fea736abe /pkgs/applications/networking/browsers/firefox/wrapper.nix | |
| parent | e70a58eb4fb2cf8522f107fe8b318a2e0688f383 (diff) | |
| download | nixpkgs-9744ff74adb4f6ab864241d9bae4dda2ca5421dc.tar nixpkgs-9744ff74adb4f6ab864241d9bae4dda2ca5421dc.tar.gz nixpkgs-9744ff74adb4f6ab864241d9bae4dda2ca5421dc.tar.bz2 nixpkgs-9744ff74adb4f6ab864241d9bae4dda2ca5421dc.tar.lz nixpkgs-9744ff74adb4f6ab864241d9bae4dda2ca5421dc.tar.xz nixpkgs-9744ff74adb4f6ab864241d9bae4dda2ca5421dc.tar.zst nixpkgs-9744ff74adb4f6ab864241d9bae4dda2ca5421dc.zip | |
firefox: Improve detecting signing requirements
Firefox 61 started to enforce signatures for add-ons and since
commit d031843a1eee244172570c64c9e238641563e68e, we get an evaluation
error that recommends the user to switch to Firefox ESR.
This isn't an option for everyone and as I also pointed out in the pull
request[1] introducing the above commit, I've been building Firefox like
this:
let
firefoxNoSigning = firefox-unwrapped.overrideAttrs (lib.const {
MOZ_REQUIRE_SIGNING = false;
});
in wrapFirefox firefoxNoSigning {
nixExtensions = ...;
}
However, this only works after manually modifying nixpkgs (or copy &
paste wrapper.nix elsewhere) every time I want to have a new Firefox
version. Of course, this gets annoying and tedious after a while, so
this motivated me to properly fix this to not only check for an ESR
version but also check the value of MOZ_REQUIRE_SIGNING.
Note that I'm using toString here to check for the value because there
are several ways (false, null, "", ...) to set the environment variable
to an empty string and toString makes sure that it really is the desired
behaviour. I specifically checked the Firefox source and also tested
this with multiple values and only building with MOZ_REQUIRE_SIGNING
set to an empty string seems to work (no "0", "false" or other
variants).
Additionally, there is another method to allow unsigned add-ons, which
is by using the --with-unsigned-addon-scopes configure option[2].
Unfortunately, this does not work with nixExtensions because we don't
have (or want) a central directory where those add-ons reside.
Given that nixExtensions disallows manually installing add-ons, setting
MOZ_REQUIRE_SIGNING to false should be safe in this case.
[1]: https://github.com/NixOS/nixpkgs/pull/133504
[2]: https://bugs.archlinux.org/task/63075
Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'pkgs/applications/networking/browsers/firefox/wrapper.nix')
| -rw-r--r-- | pkgs/applications/networking/browsers/firefox/wrapper.nix | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/pkgs/applications/networking/browsers/firefox/wrapper.nix b/pkgs/applications/networking/browsers/firefox/wrapper.nix index 153bd31a5e7..1b8e3c87967 100644 --- a/pkgs/applications/networking/browsers/firefox/wrapper.nix +++ b/pkgs/applications/networking/browsers/firefox/wrapper.nix @@ -97,12 +97,15 @@ let nameArray = builtins.map(a: a.name) (if usesNixExtensions then nixExtensions else []); + requiresSigning = browser ? MOZ_REQUIRE_SIGNING + -> toString browser.MOZ_REQUIRE_SIGNING != ""; + # Check that every extension has a unqiue .name attribute # and an extid attribute extensions = if nameArray != (lib.unique nameArray) then throw "Firefox addon name needs to be unique" - else if ! (lib.hasSuffix "esr" browser.name) then - throw "Nix addons are only supported in Firefox ESR" + else if requiresSigning && !lib.hasSuffix "esr" browser.name then + throw "Nix addons are only supported without signature enforcement (eg. Firefox ESR)" else builtins.map (a: if ! (builtins.hasAttr "extid" a) then throw "nixExtensions has an invalid entry. Missing extid attribute. Please use fetchfirefoxaddon" |