wine: Look for root certs at $NIX_SSL_CERT_FILE

Closes #78365

2 files changed, 29 insertions, 0 deletions

diff --git a/pkgs/misc/emulators/wine/base.nix b/pkgs/misc/emulators/wine/base.nix
index 0b6eab70263..025158b0717 100644
--- a/pkgs/misc/emulators/wine/base.nix
+++ b/pkgs/misc/emulators/wine/base.nix
@@ -68,6 +68,11 @@ stdenv.mkDerivation ((lib.optionalAttrs (buildScript != null) {
   ])
   ++ [ pkgs.xorg.libX11 pkgs.perl ]));
 
+  patches = [
+    # Also look for root certificates at $NIX_SSL_CERT_FILE
+    ./cert-path.patch
+  ];
+
   # Wine locates a lot of libraries dynamically through dlopen().  Add
   # them to the RPATH so that the user doesn't have to set them in
   # LD_LIBRARY_PATH.
diff --git a/pkgs/misc/emulators/wine/cert-path.patch b/pkgs/misc/emulators/wine/cert-path.patch
new file mode 100644
index 00000000000..da01a477810
--- /dev/null
+++ b/pkgs/misc/emulators/wine/cert-path.patch
@@ -0,0 +1,24 @@
+diff --git a/dlls/crypt32/rootstore.c b/dlls/crypt32/rootstore.c
+index f795181..fb4926a 100644
+--- a/dlls/crypt32/rootstore.c
++++ b/dlls/crypt32/rootstore.c
+@@ -18,6 +18,7 @@
+ #include "config.h"
+ #include <stdarg.h>
+ #include <stdio.h>
++#include <stdlib.h> /* getenv */
+ #include <sys/types.h>
+ #ifdef HAVE_SYS_STAT_H
+ #include <sys/stat.h>
+@@ -916,6 +917,11 @@ static void read_trusted_roots_from_known_locations(HCERTSTORE store)
+ 
+         for (i = 0; !ret && i < ARRAY_SIZE(CRYPT_knownLocations); i++)
+             ret = import_certs_from_path(CRYPT_knownLocations[i], from, TRUE);
++
++        char *nix_cert_file = getenv("NIX_SSL_CERT_FILE");
++        if (nix_cert_file != NULL)
++            ret = import_certs_from_path(nix_cert_file, from, TRUE);
++
+         check_and_store_certs(from, store);
+     }
+     CertCloseStore(from, 0);