authorMatthew Bauer <mjbauer95@gmail.com>2020-06-09 12:56:27 -0500
committerMatthew Bauer <mjbauer95@gmail.com>2020-06-09 12:56:27 -0500
commit0046802ab6d3389b45f3e9fce6f5e2746e2e7f80 (patch)
tree295fb1fd17b6bff72568f0047621fdc9d4d1f2d3 /pkgs/build-support/fetchurl
parenta528cc1bcacf7bae3042e64711df3a9f0094d9c3 (diff)
fetchurl: only allow empty hash when cacert is available
We can use cacert to validate the server's SSL certificate while fetching the data.
Normally this doesn't happen, because we already have the hash, but in
the hash = "" case we don't.
Diffstat (limited to 'pkgs/build-support/fetchurl')
-rw-r--r--pkgs/build-support/fetchurl/builder.sh8
-rw-r--r--pkgs/build-support/fetchurl/default.nix11
2 files changed, 16 insertions, 3 deletions
diff --git a/pkgs/build-support/fetchurl/builder.sh b/pkgs/build-support/fetchurl/builder.sh
index e93c98419a6..5b04a702aff 100644
--- a/pkgs/build-support/fetchurl/builder.sh
+++ b/pkgs/build-support/fetchurl/builder.sh
@@ -15,8 +15,14 @@ curl=(
     --retry 3
     --disable-epsv
     --cookie-jar cookies
-    --insecure
     --user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
+)
+
+if ! [ -f "$SSL_CERT_FILE" ]; then
+    curl+=(--insecure)
+fi
+
+curl+=(
     $curlOpts
     $NIX_CURL_FLAGS
 )
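Review bot: The `if ! [ -f "$SSL_CERT_FILE" ]` test only establishes that a file exists at that path; whether curl then actually uses it as its CA bundle depends on curl honouring `SSL_CERT_FILE` through its TLS backend, which the diff does not show. If that cannot be relied on, passing it explicitly in an else branch, `else curl+=(--cacert "$SSL_CERT_FILE")`, removes the dependency on environment handling. The fallback itself deserves a comment, since it is deliberately hit on every hashed fetch (default.nix sets a non-existent sentinel path then) and silently disables certificate verification: `# No usable CA bundle: verification is disabled and integrity rests on the output hash`. The `curl=(` array that this hunk closes and reopens starts outside the hunk.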
diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix
index 39ec5bf5f2c..c65738aef41 100644
--- a/pkgs/build-support/fetchurl/default.nix
+++ b/pkgs/build-support/fetchurl/default.nix
@@ -1,4 +1,6 @@
-{ lib, buildPackages ? { inherit stdenvNoCC; }, stdenvNoCC, curl }: # Note that `curl' may be `null', in case of the native stdenvNoCC.
+{ lib, buildPackages ? { inherit stdenvNoCC; }, stdenvNoCC
+, curl # Note that `curl' may be `null', in case of the native stdenvNoCC.
+, cacert ? null }:
 
 let
 
@@ -112,7 +114,8 @@ let
     else if sha512 != "" then { outputHashAlgo = "sha512"; outputHash = sha512; }
     else if sha256 != "" then { outputHashAlgo = "sha256"; outputHash = sha256; }
     else if sha1   != "" then { outputHashAlgo = "sha1";   outputHash = sha1; }
-    else { outputHashAlgo = "sha256"; outputHash = ""; };
+    else if cacert != null then { outputHashAlgo = "sha256"; outputHash = ""; }
+    else throw "fetchurl requires a hash for fixed-output derivation: ${lib.concatStringsSep ", " urls_}";
 in
 
 stdenvNoCC.mkDerivation {
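Review bot: The new `else if cacert != null` branch is the one place that decides when an unhashed, unverifiable download is allowed, and nothing on the line says why cacert is the gate; a comment above it would keep the next maintainer from "simplifying" it back to the unconditional empty-hash branch, e.g. `# Without a hash the output is not verified, so TLS certificate validation (via cacert) must stand in; refuse otherwise.` The `throw` message interpolates `urls_`, which is defined outside this hunk, so I can't confirm from here that it is a list of strings as `concatStringsSep` requires. The `let` block continues past the hunk.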
@@ -134,6 +137,10 @@ stdenvNoCC.mkDerivation {
   # New-style output content requirements.
   inherit (hash_) outputHashAlgo outputHash;
 
+  SSL_CERT_FILE = if hash_.outputHash == ""
+                  then "${cacert}/etc/ssl/certs/ca-bundle.crt"
+                  else "/no-cert-file.crt";
+
   outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
 
   inherit curlOpts showURLs mirrorsFile postFetch downloadToTemp executable;
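Review bot: `"/no-cert-file.crt"` on the else side is a sentinel whose only job is to not exist so that builder.sh falls back to `--insecure`, but that contract is invisible from this file; if that path ever exists in the build environment, verification would run against whatever it contains. A comment would pin the intent: `# Hashed fetch: point at a deliberately non-existent path so builder.sh disables TLS verification; the output hash is the integrity check.` The then branch interpolating `${cacert}` is only reached when `hash_.outputHash == ""`, which the earlier hunk makes imply `cacert != null`, so the null case appears safe, though that coupling between the two expressions is worth stating in the same comment. The `mkDerivation` attribute set continues outside the hunk.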