author | Alyssa Ross <hi@alyssa.is> | 2020-08-25 16:53:05 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2020-08-25 16:53:05 +0000 |
commit | b0849305d63df6cc0acfe199cec3a997ad3c5a75 (patch) | |
tree | 6ff64291dec94a85c6e523a3f78da127a7daa1dd /pkgs/development/compilers/go | |
parent | c901f337b8fed63ba0bb53674950ce4c7bf94dcd (diff) | |
parent | 7e07d142e78656c5f16b18d81ee4eb9444c9b93d (diff) | |
Merge remote-tracking branch 'nixpkgs/master' into master
Diffstat (limited to 'pkgs/development/compilers/go')
-rw-r--r-- | pkgs/development/compilers/go/1.14.nix | 18 | ||||
-rw-r--r-- | pkgs/development/compilers/go/1.15.nix | 255 | ||||
-rw-r--r-- | pkgs/development/compilers/go/1.4.nix | 2 | ||||
-rw-r--r-- | pkgs/development/compilers/go/remove-test-pie-1.15.patch (renamed from pkgs/development/compilers/go/remove-test-pie-1.13.patch) | 8 | ||||
-rw-r--r-- | pkgs/development/compilers/go/setup-hook.sh | 5 | ||||
-rw-r--r-- | pkgs/development/compilers/go/skip-cgo-tests-1.15.patch | 13 | ||||
-rw-r--r-- | pkgs/development/compilers/go/skip-external-network-tests-1.15.patch | 13 | ||||
-rw-r--r-- | pkgs/development/compilers/go/skip-test-extra-files-on-386.patch | 15 | ||||
-rw-r--r-- | pkgs/development/compilers/go/skip-test-extra-files-on-aarch32.patch | 15 | ||||
-rw-r--r-- | pkgs/development/compilers/go/ssl-cert-file-1.15.patch | 76 |
10 files changed, 374 insertions, 46 deletions
diff --git a/pkgs/development/compilers/go/1.14.nix b/pkgs/development/compilers/go/1.14.nix index 9ee5b6fa624..0bf972ff80f 100644 --- a/pkgs/development/compilers/go/1.14.nix +++ b/pkgs/development/compilers/go/1.14.nix @@ -2,6 +2,7 @@ , perl, which, pkgconfig, patch, procps, pcre, cacert, Security, Foundation , mailcap, runtimeShell , buildPackages, pkgsTargetTarget +, fetchpatch }: let @@ -30,11 +31,11 @@ in stdenv.mkDerivation rec { pname = "go"; - version = "1.14.2"; + version = "1.14.7"; src = fetchurl { url = "https://dl.google.com/go/go${version}.src.tar.gz"; - sha256 = "0z3zxsnhmsxplnwfw1l9gr6jgglwp50sr3p5njknv9i6jzk89plq"; + sha256 = "1qrhdjdzi1knchk1wmlaqgkqhxkq2niw14b931rhqrk36m1r4hq6"; }; # perl is used for testing go vet @@ -137,6 +138,12 @@ stdenv.mkDerivation rec { ./go-1.9-skip-flaky-20072.patch ./skip-external-network-tests.patch ./skip-nohup-tests.patch + + # fix rare TestDontCacheBrokenHTTP2Conn failure + (fetchpatch { + url = "https://github.com/golang/go/commit/ea1437a8cdf6bb3c2d2447833a5d06dbd75f7ae4.patch"; + sha256 = "1lyzy4nf8c34a966vw45j3j7hzpvncq2gqspfxffzkyh17xd8sgy"; + }) ] ++ [ # breaks under load: https://github.com/golang/go/issues/25628 (if stdenv.isAarch32 @@ -186,8 +193,11 @@ stdenv.mkDerivation rec { export PATH=$(pwd)/bin:$PATH + ${optionalString (stdenv.buildPlatform != stdenv.targetPlatform) '' # Independent from host/target, CC should produce code for the building system. + # We only set it when cross-compiling. export CC=${buildPackages.stdenv.cc}/bin/cc + ''} ulimit -a ''; @@ -229,8 +239,6 @@ stdenv.mkDerivation rec { runHook postInstall ''; - setupHook = ./setup-hook.sh; - disallowedReferences = [ goBootstrap ]; meta = with stdenv.lib; { 
@@ -238,7 +246,7 @@ stdenv.mkDerivation rec { homepage = "http://golang.org/"; description = "The Go Programming language"; license = licenses.bsd3; - maintainers = with maintainers; [ cstrahan orivej mic92 rvolosatovs kalbasit Frostman ]; + maintainers = teams.golang.members; platforms = platforms.linux ++ platforms.darwin; }; } diff --git a/pkgs/development/compilers/go/1.15.nix b/pkgs/development/compilers/go/1.15.nix new file mode 100644 index 00000000000..b3851741c69 --- /dev/null +++ b/pkgs/development/compilers/go/1.15.nix 
@@ -0,0 +1,255 @@ +{ stdenv, fetchurl, tzdata, iana-etc, runCommand +, perl, which, pkgconfig, patch, procps, pcre, cacert, Security, Foundation +, mailcap, runtimeShell +, buildPackages, pkgsTargetTarget +, fetchpatch +}: + +let + + inherit (stdenv.lib) optionals optionalString; + + goBootstrap = runCommand "go-bootstrap" {} '' + mkdir $out + cp -rf ${buildPackages.go_bootstrap}/* $out/ + chmod -R u+w $out + find $out -name "*.c" -delete + cp -rf $out/bin/* $out/share/go/bin/ + ''; + + goarch = platform: { + "i686" = "386"; + "x86_64" = "amd64"; + "aarch64" = "arm64"; + "arm" = "arm"; + "armv5tel" = "arm"; + "armv6l" = "arm"; + "armv7l" = "arm"; + }.${platform.parsed.cpu.name} or (throw "Unsupported system"); + +in + +stdenv.mkDerivation rec { + pname = "go"; + version = "1.15"; + + src = fetchurl { + url = "https://dl.google.com/go/go${version}.src.tar.gz"; + sha256 = "0fmc53pamxxbvmp5bcvh1fhffirpv3gz6y7qz97iacpmsiz8yhv9"; + }; + + # perl is used for testing go vet + nativeBuildInputs = [ perl which pkgconfig patch procps ]; + buildInputs = [ cacert pcre ] + ++ optionals stdenv.isLinux [ stdenv.cc.libc.out ] + ++ optionals (stdenv.hostPlatform.libc == "glibc") [ stdenv.cc.libc.static ]; + + depsTargetTargetPropagated = optionals stdenv.isDarwin [ Security Foundation ]; + + hardeningDisable = [ "all" ]; + + prePatch = '' + patchShebangs ./ # replace /bin/bash + + # This source produces shell script at run time, + # and thus it is not corrected by patchShebangs. + substituteInPlace misc/cgo/testcarchive/carchive_test.go \ + --replace '#!/usr/bin/env bash' '#!${runtimeShell}' + + # Patch the mimetype database location which is missing on NixOS. 
+ # but also allow static binaries built with NixOS to run outside nix + sed -i 's,\"/etc/mime.types,"${mailcap}/etc/mime.types\"\,\n\t&,' src/mime/type_unix.go + + # Disabling the 'os/http/net' tests (they want files not available in + # chroot builds) + rm src/net/{listen,parse}_test.go + rm src/syscall/exec_linux_test.go + + # !!! substituteInPlace does not seems to be effective. + # The os test wants to read files in an existing path. Just don't let it be /usr/bin. + sed -i 's,/usr/bin,'"`pwd`", src/os/os_test.go + sed -i 's,/bin/pwd,'"`type -P pwd`", src/os/os_test.go + # Fails on aarch64 + sed -i '/TestFallocate/aif true \{ return\; \}' src/cmd/link/internal/ld/fallocate_test.go + # Skip this test since ssl patches mess it up. + sed -i '/TestLoadSystemCertsLoadColonSeparatedDirs/aif true \{ return\; \}' src/crypto/x509/root_unix_test.go + # Disable another PIE test which breaks. + sed -i '/TestTrivialPIE/aif true \{ return\; \}' misc/cgo/testshared/shared_test.go + # Disable the BuildModePie test + sed -i '/TestBuildmodePIE/aif true \{ return\; \}' src/cmd/go/go_test.go + # Disable the unix socket test + sed -i '/TestShutdownUnix/aif true \{ return\; \}' src/net/net_test.go + # Disable the hostname test + sed -i '/TestHostname/aif true \{ return\; \}' src/os/os_test.go + # ParseInLocation fails the test + sed -i '/TestParseInSydney/aif true \{ return\; \}' src/time/format_test.go + # Remove the api check as it never worked + sed -i '/src\/cmd\/api\/run.go/ireturn nil' src/cmd/dist/test.go + # Remove the coverage test as we have removed this utility + sed -i '/TestCoverageWithCgo/aif true \{ return\; \}' src/cmd/go/go_test.go + # Remove the timezone naming test + sed -i '/TestLoadFixed/aif true \{ return\; \}' src/time/time_test.go + # Remove disable setgid test + sed -i '/TestRespectSetgidDir/aif true \{ return\; \}' src/cmd/go/internal/work/build_test.go + # Remove cert tests that conflict with NixOS's cert resolution + sed -i '/TestEnvVars/aif true \{ 
return\; \}' src/crypto/x509/root_unix_test.go + # TestWritevError hangs sometimes + sed -i '/TestWritevError/aif true \{ return\; \}' src/net/writev_test.go + # TestVariousDeadlines fails sometimes + sed -i '/TestVariousDeadlines/aif true \{ return\; \}' src/net/timeout_test.go + + sed -i 's,/etc/protocols,${iana-etc}/etc/protocols,' src/net/lookup_unix.go + sed -i 's,/etc/services,${iana-etc}/etc/services,' src/net/port_unix.go + + # Disable cgo lookup tests not works, they depend on resolver + rm src/net/cgo_unix_test.go + + '' + optionalString stdenv.isLinux '' + # prepend the nix path to the zoneinfo files but also leave the original value for static binaries + # that run outside a nix server + sed -i 's,\"/usr/share/zoneinfo/,"${tzdata}/share/zoneinfo/\"\,\n\t&,' src/time/zoneinfo_unix.go + + '' + optionalString stdenv.isAarch32 '' + echo '#!${runtimeShell}' > misc/cgo/testplugin/test.bash + '' + optionalString stdenv.isDarwin '' + substituteInPlace src/race.bash --replace \ + "sysctl machdep.cpu.extfeatures | grep -qv EM64T" true + sed -i 's,strings.Contains(.*sysctl.*,true {,' src/cmd/dist/util.go + sed -i 's,"/etc","'"$TMPDIR"'",' src/os/os_test.go + sed -i 's,/_go_os_test,'"$TMPDIR"'/_go_os_test,' src/os/path_test.go + + sed -i '/TestChdirAndGetwd/aif true \{ return\; \}' src/os/os_test.go + sed -i '/TestCredentialNoSetGroups/aif true \{ return\; \}' src/os/exec/exec_posix_test.go + sed -i '/TestRead0/aif true \{ return\; \}' src/os/os_test.go + sed -i '/TestSystemRoots/aif true \{ return\; \}' src/crypto/x509/root_darwin_test.go + + sed -i '/TestGoInstallRebuildsStalePackagesInOtherGOPATH/aif true \{ return\; \}' src/cmd/go/go_test.go + sed -i '/TestBuildDashIInstallsDependencies/aif true \{ return\; \}' src/cmd/go/go_test.go + + sed -i '/TestDisasmExtld/aif true \{ return\; \}' src/cmd/objdump/objdump_test.go + + sed -i 's/unrecognized/unknown/' src/cmd/link/internal/ld/lib.go + + # TestCurrent fails because Current is not implemented on Darwin + sed -i 
's/TestCurrent/testCurrent/g' src/os/user/user_test.go + sed -i 's/TestLookup/testLookup/g' src/os/user/user_test.go + + touch $TMPDIR/group $TMPDIR/hosts $TMPDIR/passwd + ''; + + patches = [ + ./remove-tools-1.11.patch + ./ssl-cert-file-1.15.patch + ./remove-test-pie-1.15.patch + ./creds-test.patch + ./go-1.9-skip-flaky-19608.patch + ./go-1.9-skip-flaky-20072.patch + ./skip-external-network-tests-1.15.patch + ./skip-nohup-tests.patch + ./skip-cgo-tests-1.15.patch + ] ++ [ + # breaks under load: https://github.com/golang/go/issues/25628 + (if stdenv.isAarch32 + then ./skip-test-extra-files-on-aarch32-1.14.patch + else ./skip-test-extra-files-on-386-1.14.patch) + ]; + + postPatch = '' + find . -name '*.orig' -exec rm {} ';' + ''; + + GOOS = stdenv.targetPlatform.parsed.kernel.name; + GOARCH = goarch stdenv.targetPlatform; + # GOHOSTOS/GOHOSTARCH must match the building system, not the host system. + # Go will nevertheless build a for host system that we will copy over in + # the install phase. 
+ GOHOSTOS = stdenv.buildPlatform.parsed.kernel.name; + GOHOSTARCH = goarch stdenv.buildPlatform; + + # {CC,CXX}_FOR_TARGET must be only set for cross compilation case as go expect those + # to be different from CC/CXX + CC_FOR_TARGET = if (stdenv.buildPlatform != stdenv.targetPlatform) then + "${pkgsTargetTarget.stdenv.cc}/bin/${pkgsTargetTarget.stdenv.cc.targetPrefix}cc" + else + null; + CXX_FOR_TARGET = if (stdenv.buildPlatform != stdenv.targetPlatform) then + "${pkgsTargetTarget.stdenv.cc}/bin/${pkgsTargetTarget.stdenv.cc.targetPrefix}c++" + else + null; + + GOARM = toString (stdenv.lib.intersectLists [(stdenv.hostPlatform.parsed.cpu.version or "")] ["5" "6" "7"]); + GO386 = 387; # from Arch: don't assume sse2 on i686 + CGO_ENABLED = 1; + # Hopefully avoids test timeouts on Hydra + GO_TEST_TIMEOUT_SCALE = 3; + + # Indicate that we are running on build infrastructure + # Some tests assume things like home directories and users exists + GO_BUILDER_NAME = "nix"; + + GOROOT_BOOTSTRAP="${goBootstrap}/share/go"; + + postConfigure = '' + export GOCACHE=$TMPDIR/go-cache + # this is compiled into the binary + export GOROOT_FINAL=$out/share/go + + export PATH=$(pwd)/bin:$PATH + + ${optionalString (stdenv.buildPlatform != stdenv.targetPlatform) '' + # Independent from host/target, CC should produce code for the building system. + # We only set it when cross-compiling. + export CC=${buildPackages.stdenv.cc}/bin/cc + ''} + ulimit -a + ''; + + postBuild = '' + (cd src && ./make.bash) + ''; + + doCheck = stdenv.hostPlatform == stdenv.targetPlatform && !stdenv.isDarwin; + + checkPhase = '' + runHook preCheck + (cd src && HOME=$TMPDIR GOCACHE=$TMPDIR/go-cache ./run.bash --no-rebuild) + runHook postCheck + ''; + + preInstall = '' + rm -r pkg/obj + # Contains the wrong perl shebang when cross compiling, + # since it is not used for anything we can deleted as well. 
+ rm src/regexp/syntax/make_perl_groups.pl + '' + (if (stdenv.buildPlatform != stdenv.hostPlatform) then '' + mv bin/*_*/* bin + rmdir bin/*_* + ${optionalString (!(GOHOSTARCH == GOARCH && GOOS == GOHOSTOS)) '' + rm -rf pkg/${GOHOSTOS}_${GOHOSTARCH} pkg/tool/${GOHOSTOS}_${GOHOSTARCH} + ''} + '' else if (stdenv.hostPlatform != stdenv.targetPlatform) then '' + rm -rf bin/*_* + ${optionalString (!(GOHOSTARCH == GOARCH && GOOS == GOHOSTOS)) '' + rm -rf pkg/${GOOS}_${GOARCH} pkg/tool/${GOOS}_${GOARCH} + ''} + '' else ""); + + installPhase = '' + runHook preInstall + mkdir -p $GOROOT_FINAL + cp -a bin pkg src lib misc api doc $GOROOT_FINAL + ln -s $GOROOT_FINAL/bin $out/bin + runHook postInstall + ''; + + disallowedReferences = [ goBootstrap ]; + + meta = with stdenv.lib; { + branch = "1.15"; + homepage = "http://golang.org/"; + description = "The Go Programming language"; + license = licenses.bsd3; + maintainers = teams.golang.members; + platforms = platforms.linux ++ platforms.darwin; + }; +} diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix index fc3fb0ad0e5..af125d60ed0 100644 --- a/pkgs/development/compilers/go/1.4.nix +++ b/pkgs/development/compilers/go/1.4.nix @@ -151,8 +151,6 @@ stdenv.mkDerivation rec { ./all.bash ''; - setupHook = ./setup-hook.sh; - meta = with stdenv.lib; { branch = "1.4"; homepage = "http://golang.org/"; diff --git a/pkgs/development/compilers/go/remove-test-pie-1.13.patch b/pkgs/development/compilers/go/remove-test-pie-1.15.patch index 05f18b813f9..f00685feba9 100644 --- a/pkgs/development/compilers/go/remove-test-pie-1.13.patch +++ b/pkgs/development/compilers/go/remove-test-pie-1.15.patch @@ -1,13 +1,13 @@ diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go -index f63c94697c..f02eff7064 100644 +index e1cd4965c3..66bf980fc6 100644 --- a/src/cmd/dist/test.go 
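Review bot: `hardeningDisable = [ "all" ];` in the new 1.15.nix switches off every stdenv hardening flag for the compiler build without recording which flag actually breaks it; a comment naming the failing flag, or a list narrowed to it, would make the exception auditable. In `prePatch` the tests `TestLoadSystemCertsLoadColonSeparatedDirs` and `TestEnvVars` (and `TestSystemRoots` on Darwin) are stubbed out, so the root-loading code that `ssl-cert-file-1.15.patch` changes appears to run with no test coverage in this build. The existing comment `# Skip this test since ssl patches mess it up` could say which behaviour differs, so the skip can be revisited when the patch changes. `homepage = "http://golang.org/";` could also use https.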
+++ b/src/cmd/dist/test.go -@@ -574,29 +574,6 @@ func (t *tester) registerTests() { +@@ -584,29 +584,6 @@ func (t *tester) registerTests() { }) } - // Test internal linking of PIE binaries where it is supported. -- if goos == "linux" && (goarch == "amd64" || goarch == "arm64") { +- if t.internalLinkPIE() { - t.tests = append(t.tests, distTest{ - name: "pie_internal", - heading: "internal linking of -buildmode=pie", @@ -17,7 +17,7 @@ index f63c94697c..f02eff7064 100644 - }, - }) - // Also test a cgo package. -- if t.cgoEnabled { +- if t.cgoEnabled && t.internalLink() { - t.tests = append(t.tests, distTest{ - name: "pie_internal_cgo", - heading: "internal linking of -buildmode=pie", diff --git a/pkgs/development/compilers/go/setup-hook.sh b/pkgs/development/compilers/go/setup-hook.sh deleted file mode 100644 index 7dce15eeb10..00000000000 --- a/pkgs/development/compilers/go/setup-hook.sh +++ /dev/null @@ -1,5 +0,0 @@ -addToGoPath() { - addToSearchPath GOPATH $1/share/go -} - -addEnvHooks "$targetOffset" addToGoPath diff --git a/pkgs/development/compilers/go/skip-cgo-tests-1.15.patch b/pkgs/development/compilers/go/skip-cgo-tests-1.15.patch new file mode 100644 index 00000000000..945d3ef8d12 --- /dev/null +++ b/pkgs/development/compilers/go/skip-cgo-tests-1.15.patch @@ -0,0 +1,13 @@ +diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go +index e1cd4965c3..0980d044df 100644 +--- a/src/cmd/dist/test.go ++++ b/src/cmd/dist/test.go +@@ -1136,7 +1136,7 @@ func (t *tester) cgoTest(dt *distTest) error { + t.addCmd(dt, "misc/cgo/test", t.goTest(), "-buildmode=pie", "-ldflags=-linkmode=internal") + } + t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-buildmode=pie") +- t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie") ++ //t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie") + } + } + } 
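Review bot: skip-cgo-tests-1.15.patch disables the `misc/cgo/nocgo` PIE run in `cgoTest` by commenting the call out, with no reason given in the patch or in 1.15.nix. A one-line reason next to it, for example `// disabled in nixpkgs: <reason, link to issue>`, would tell the next person bumping Go whether the skip is still needed. The body of `cgoTest` starts outside the patch context.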
diff --git a/pkgs/development/compilers/go/skip-external-network-tests-1.15.patch b/pkgs/development/compilers/go/skip-external-network-tests-1.15.patch new file mode 100644 index 00000000000..0ea1050cd8e --- /dev/null +++ b/pkgs/development/compilers/go/skip-external-network-tests-1.15.patch @@ -0,0 +1,13 @@ +diff --git a/src/net/dial_test.go b/src/net/dial_test.go +index 01582489de..5b5faa5424 100644 +--- a/src/net/dial_test.go ++++ b/src/net/dial_test.go +@@ -990,6 +990,8 @@ func TestDialerControl(t *testing.T) { + // except that it won't skip testing on non-mobile builders. + func mustHaveExternalNetwork(t *testing.T) { + t.Helper() ++ t.Skipf("Nix sandbox does not have networking") ++ + mobile := runtime.GOOS == "android" || runtime.GOOS == "darwin" && runtime.GOARCH == "arm64" + if testenv.Builder() == "" || mobile { + testenv.MustHaveExternalNetwork(t) diff --git a/pkgs/development/compilers/go/skip-test-extra-files-on-386.patch b/pkgs/development/compilers/go/skip-test-extra-files-on-386.patch deleted file mode 100644 index afe5aea3d91..00000000000 --- a/pkgs/development/compilers/go/skip-test-extra-files-on-386.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/src/os/exec/exec_test.go b/src/os/exec/exec_test.go -index 558345ff63..22129bf022 100644 ---- a/src/os/exec/exec_test.go -+++ b/src/os/exec/exec_test.go -@@ -593,6 +593,10 @@ func TestExtraFiles(t *testing.T) { - t.Skipf("skipping test on %q", runtime.GOOS) - } - -+ if runtime.GOOS == "linux" && runtime.GOARCH == "386" { -+ t.Skipf("skipping test on %q %q", runtime.GOARCH, runtime.GOOS) -+ } -+ - // Ensure that file descriptors have not already been leaked into - // our environment. - if !testedAlreadyLeaked { diff --git a/pkgs/development/compilers/go/skip-test-extra-files-on-aarch32.patch b/pkgs/development/compilers/go/skip-test-extra-files-on-aarch32.patch deleted file mode 100644 index f3566b3ddaa..00000000000 
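Review bot: In skip-external-network-tests-1.15.patch the added `t.Skipf("Nix sandbox does not have networking")` passes no format arguments, so `t.Skip("Nix sandbox does not have networking")` is the plainer call. Because the skip is unconditional, the rest of `mustHaveExternalNetwork` becomes dead code; a short comment above the added line saying so would keep the remaining body from being read as live. The function continues past the end of the patch context.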
--- a/pkgs/development/compilers/go/skip-test-extra-files-on-aarch32.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/src/os/exec/exec_test.go b/src/os/exec/exec_test.go -index 558345ff63..22129bf022 100644 ---- a/src/os/exec/exec_test.go -+++ b/src/os/exec/exec_test.go -@@ -593,6 +593,10 @@ func TestExtraFiles(t *testing.T) { - t.Skipf("skipping test on %q", runtime.GOOS) - } - -+ if runtime.GOOS == "linux" && runtime.GOARCH == "arm" { -+ t.Skipf("skipping test on %q %q", runtime.GOARCH, runtime.GOOS) -+ } -+ - // Ensure that file descriptors have not already been leaked into - // our environment. - if !testedAlreadyLeaked { diff --git a/pkgs/development/compilers/go/ssl-cert-file-1.15.patch b/pkgs/development/compilers/go/ssl-cert-file-1.15.patch new file mode 100644 index 00000000000..1884c681ca3 --- /dev/null +++ b/pkgs/development/compilers/go/ssl-cert-file-1.15.patch 
@@ -0,0 +1,76 @@
+diff --git a/src/crypto/x509/root_darwin_amd64.go b/src/crypto/x509/root_darwin_amd64.go
+index ce88de025e..258ecc45d1 100644
+--- a/src/crypto/x509/root_darwin_amd64.go
++++ b/src/crypto/x509/root_darwin_amd64.go
+@@ -10,6 +10,7 @@ import (
+ "bytes"
+ macOS "crypto/x509/internal/macos"
+ "fmt"
++ "io/ioutil"
+ "os"
+ "strings"
+ )
+@@ -25,6 +26,14 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
+ var loadSystemRootsWithCgo func() (*CertPool, error)
+
+ func loadSystemRoots() (*CertPool, error) {
++ if file := os.Getenv("NIX_SSL_CERT_FILE"); file != "" {
++ data, err := ioutil.ReadFile(file)
++ if err == nil {
++ roots := NewCertPool()
++ roots.AppendCertsFromPEM(data)
++ return roots, nil
++ }
++ }
+ var trustedRoots []*Certificate
+ untrustedRoots := make(map[string]bool)
+
+diff --git a/src/crypto/x509/root_darwin_ios.go b/src/crypto/x509/root_darwin_ios.go
+index 5ecc4911b3..14b4205c00 100644
+--- a/src/crypto/x509/root_darwin_ios.go
++++ b/src/crypto/x509/root_darwin_ios.go
+@@ -6,6 +6,11 @@
+
+ package x509
+
++import (
++ "io/ioutil"
++ "os"
++)
++
+ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
+ return nil, nil
+ }
+@@ -14,6 +19,14 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
+ var loadSystemRootsWithCgo func() (*CertPool, error)
+
+ func loadSystemRoots() (*CertPool, error) {
++ if file := os.Getenv("NIX_SSL_CERT_FILE"); file != "" {
++ data, err := ioutil.ReadFile(file)
++ if err == nil {
++ roots := NewCertPool()
++ roots.AppendCertsFromPEM(data)
++ return roots, nil
++ }
++ }
+ p := NewCertPool()
+ p.AppendCertsFromPEM([]byte(systemRootsPEM))
+ return p, nil
+diff --git a/src/crypto/x509/root_unix.go b/src/crypto/x509/root_unix.go
+index b48e618a65..195c1ff25a 100644
+--- a/src/crypto/x509/root_unix.go
++++ b/src/crypto/x509/root_unix.go
+@@ -42,6 +42,13 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
+
+ func loadSystemRoots() (*CertPool, error) {
+ roots := NewCertPool()
++ if file := os.Getenv("NIX_SSL_CERT_FILE"); file != "" {
++ data, err := ioutil.ReadFile(file)
++ if err == nil {
++ roots.AppendCertsFromPEM(data)
++ return roots, nil
++ }
++ }
+
+ files := certFiles
+ if f := os.Getenv(certFileEnv); f != "" {
|
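Review bot: In all three `loadSystemRoots` variants added by ssl-cert-file-1.15.patch the boolean result of `roots.AppendCertsFromPEM(data)` is discarded, so a `NIX_SSL_CERT_FILE` that is readable but contains no parseable certificate yields an empty pool returned with a nil error, and verification against the system roots then fails with no hint of the cause. Returning only when something was loaded, `if roots.AppendCertsFromPEM(data) { return roots, nil }`, lets the function fall through to the platform store instead. A read error is also dropped silently, and in root_unix.go the new branch runs before the `certFileEnv` lookup, so a doc comment such as `// NIX_SSL_CERT_FILE, when set and readable, replaces the system trust store and takes precedence over certFileEnv; an unreadable file falls back to the defaults.` would record that this environment variable selects the trust anchors. The bodies of `loadSystemRoots` continue outside the patch context.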