author | aszlig <aszlig@nix.build> | 2022-06-21 01:51:31 +0200 |
---|---|---|
committer | aszlig <aszlig@nix.build> | 2022-06-21 11:54:08 +0200 |
commit | 9744ff74adb4f6ab864241d9bae4dda2ca5421dc (patch) | |
tree | 7e051a2cfacefa2a75cad101fb67924fea736abe /pkgs/applications/networking/browsers/firefox/wrapper.nix | |
parent | e70a58eb4fb2cf8522f107fe8b318a2e0688f383 (diff) | |
firefox: Improve detecting signing requirements

Firefox 61 started to enforce signatures for add-ons and since commit d031843a1eee244172570c64c9e238641563e68e, we get an evaluation error that recommends the user to switch to Firefox ESR.

This isn't an option for everyone and as I also pointed out in the pull request[1] introducing the above commit, I've been building Firefox like this:

    let
      firefoxNoSigning = firefox-unwrapped.overrideAttrs (lib.const {
        MOZ_REQUIRE_SIGNING = false;
      });
    in wrapFirefox firefoxNoSigning {
      nixExtensions = ...;
    }

However, this only works after manually modifying nixpkgs (or copy & paste wrapper.nix elsewhere) every time I want to have a new Firefox version.

Of course, this gets annoying and tedious after a while, so this motivated me to properly fix this to not only check for an ESR version but also check the value of MOZ_REQUIRE_SIGNING.

Note that I'm using toString here to check for the value because there are several ways (false, null, "", ...) to set the environment variable to an empty string and toString makes sure that it really is the desired behaviour.

I specifically checked the Firefox source and also tested this with multiple values and only building with MOZ_REQUIRE_SIGNING set to an empty string seems to work (no "0", "false" or other variants).

Additionally, there is another method to allow unsigned add-ons, which is by using the --with-unsigned-addon-scopes configure option[2]. Unfortunately, this does not work with nixExtensions because we don't have (or want) a central directory where those add-ons reside.

Given that nixExtensions disallows manually installing add-ons, setting MOZ_REQUIRE_SIGNING to false should be safe in this case.

[1]: https://github.com/NixOS/nixpkgs/pull/133504
[2]: https://bugs.archlinux.org/task/63075

Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'pkgs/applications/networking/browsers/firefox/wrapper.nix')
-rw-r--r-- | pkgs/applications/networking/browsers/firefox/wrapper.nix | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/pkgs/applications/networking/browsers/firefox/wrapper.nix b/pkgs/applications/networking/browsers/firefox/wrapper.nix index 153bd31a5e7..1b8e3c87967 100644 --- a/pkgs/applications/networking/browsers/firefox/wrapper.nix +++ b/pkgs/applications/networking/browsers/firefox/wrapper.nix @@ -97,12 +97,15 @@ let nameArray = builtins.map(a: a.name) (if usesNixExtensions then nixExtensions else []); + requiresSigning = browser ? MOZ_REQUIRE_SIGNING + -> toString browser.MOZ_REQUIRE_SIGNING != ""; + # Check that every extension has a unqiue .name attribute # and an extid attribute extensions = if nameArray != (lib.unique nameArray) then throw "Firefox addon name needs to be unique" - else if ! (lib.hasSuffix "esr" browser.name) then - throw "Nix addons are only supported in Firefox ESR" + else if requiresSigning && !lib.hasSuffix "esr" browser.name then + throw "Nix addons are only supported without signature enforcement (eg. Firefox ESR)" else builtins.map (a: if ! (builtins.hasAttr "extid" a) then throw "nixExtensions has an invalid entry. Missing extid attribute. Please use fetchfirefoxaddon" |
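Review bot: The new `requiresSigning` binding has no comment, and its behaviour hinges on two things a reader of wrapper.nix will not see without the commit message. First, `->` is logical implication, so a `browser` with no `MOZ_REQUIRE_SIGNING` attribute evaluates to `true` (enforcement assumed), which is the safe default but is easy to misread as "attribute present and non-empty". Second, only values that `toString` turns into `""` (`false`, `null`, `""`) disable enforcement, while `"0"` or `"false"` keep it on. A short comment above the binding stating both points would keep the rationale next to the code, since this check decides whether unsigned add-ons are accepted. While this block is being touched, the context comment's "unqiue" could also be corrected to "unique".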