diff --git a/pkgs/build-support/fetchbower/default.nix b/pkgs/build-support/fetchbower/default.nix index 3e1f0eff84af..ba1c8420e91c 100644 --- a/pkgs/build-support/fetchbower/default.nix +++ b/pkgs/build-support/fetchbower/default.nix @@ -11,7 +11,6 @@ let fetchbower = name: version: target: outputHash: stdenv.mkDerivation { name = "${cleanName name}-${bowerVersion version}"; - SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt"; buildCommand = '' fetch-bower --quiet --out=$PWD/out "${name}" "${target}" "${version}" # In some cases, the result of fetchBower is different depending @@ -23,7 +22,7 @@ let outputHashMode = "recursive"; outputHashAlgo = "sha256"; inherit outputHash; - buildInputs = [ bower2nix ]; + buildInputs = [ cacert bower2nix ]; }; in fetchbower diff --git a/pkgs/build-support/fetchdarcs/default.nix b/pkgs/build-support/fetchdarcs/default.nix index 2df1b136c559..48d87cc5d108 100644 --- a/pkgs/build-support/fetchdarcs/default.nix +++ b/pkgs/build-support/fetchdarcs/default.nix @@ -7,9 +7,8 @@ if md5 != "" then else stdenv.mkDerivation { name = "fetchdarcs"; - NIX_SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt"; builder = ./builder.sh; - buildInputs = [darcs]; + buildInputs = [cacert darcs]; outputHashAlgo = "sha256"; outputHashMode = "recursive"; diff --git a/pkgs/build-support/fetchgx/default.nix b/pkgs/build-support/fetchgx/default.nix index ea91a0854d16..65061ce0f63e 100644 --- a/pkgs/build-support/fetchgx/default.nix +++ b/pkgs/build-support/fetchgx/default.nix @@ -6,7 +6,7 @@ stdenv.mkDerivation { name = "${name}-gxdeps"; inherit src; - buildInputs = [ go gx gx-go ]; + buildInputs = [ cacert go gx gx-go ]; outputHashAlgo = "sha256"; outputHashMode = "recursive"; @@ -14,8 +14,6 @@ stdenv.mkDerivation { phases = [ "unpackPhase" "buildPhase" "installPhase" ]; - NIX_SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt"; - buildPhase = '' export GOPATH=$(pwd)/vendor mkdir -p vendor 
diff --git a/pkgs/build-support/rust/default.nix b/pkgs/build-support/rust/default.nix index 57948c33bbc3..d720532e1479 100644 --- a/pkgs/build-support/rust/default.nix +++ b/pkgs/build-support/rust/default.nix @@ -32,7 +32,7 @@ in stdenv.mkDerivation (args // { patchRegistryDeps = ./patch-registry-deps; - buildInputs = [ git rust.cargo rust.rustc ] ++ buildInputs; + buildInputs = [ cacert git rust.cargo rust.rustc ] ++ buildInputs; configurePhase = args.configurePhase or '' runHook preConfigure @@ -60,7 +60,6 @@ in stdenv.mkDerivation (args // { unset cargoDepsCopy export RUST_LOG=${logLevel} - export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt '' + (args.postUnpack or ""); buildPhase = with builtins; args.buildPhase or '' diff --git a/pkgs/build-support/rust/fetchcargo.nix b/pkgs/build-support/rust/fetchcargo.nix index 9b3ba5303398..8c136d864883 100644 --- a/pkgs/build-support/rust/fetchcargo.nix +++ b/pkgs/build-support/rust/fetchcargo.nix @@ -19,7 +19,6 @@ stdenv.mkDerivation { exit 1 fi - export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt export CARGO_HOME=$(mktemp -d cargo-home.XXX) cargo vendor diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix index 275ae6dc2d86..91af84c42245 100644 --- a/pkgs/data/misc/cacert/default.nix +++ b/pkgs/data/misc/cacert/default.nix @@ -52,6 +52,8 @@ stdenv.mkDerivation rec { cp -v ca-bundle.crt $out/etc/ssl/certs ''; + setupHook = ./setup-hook.sh; + meta = { homepage = https://curl.haxx.se/docs/caextract.html; description = "A bundle of X.509 certificates of public Certificate Authorities (CA)"; diff --git a/pkgs/data/misc/cacert/setup-hook.sh b/pkgs/data/misc/cacert/setup-hook.sh new file mode 100644 index 000000000000..ff68bf0e1808 --- /dev/null +++ b/pkgs/data/misc/cacert/setup-hook.sh @@ -0,0 +1,6 @@ +cacertHook() { + export SSL_CERT_FILE=@out@/etc/ssl/certs/ca-bundle.crt +} + +envHooks+=(cacertHook) +crossEnvHooks+=(cacertHook) 
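Review bot: With the explicit `export SSL_CERT_FILE=...` removed from fetchcargo.nix, `cargo vendor` only gets a CA bundle if `cacert` is among this derivation's build inputs so that its setup hook runs, and no hunk in this file adds it. The input list sits outside the hunk, so it may already be there. If it is not, add `cacert` to that list; otherwise the fetch runs with no bundle configured and TLS verification would be expected to fail. The derivation body starts and ends outside the hunk.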
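Review bot: `cacertHook` exports only `SSL_CERT_FILE`, but six derivations converted in this commit (fetchdarcs, fetchgx, go 1.7/1.8/1.9 and firmware-linux-nonfree) previously set `NIX_SSL_CERT_FILE`, which the hook never sets. Whether every consumer in those builds also honours `SSL_CERT_FILE` is not visible in this diff; a tool that reads only the Nix-specific variable would lose its trust store and fail certificate verification. Exporting both keeps the old behaviour: add `export NIX_SSL_CERT_FILE=@out@/etc/ssl/certs/ca-bundle.crt` next to the existing export. A short header comment saying that the hook sets the default trust store for any build listing cacert as an input would also help, since that effect is now implicit.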
diff --git a/pkgs/development/compilers/go/1.7.nix b/pkgs/development/compilers/go/1.7.nix index b1230da5a142..82ed9b53c60f 100644 --- a/pkgs/development/compilers/go/1.7.nix +++ b/pkgs/development/compilers/go/1.7.nix @@ -35,7 +35,7 @@ stdenv.mkDerivation rec { # perl is used for testing go vet nativeBuildInputs = [ perl which pkgconfig patch ]; - buildInputs = [ pcre ]; + buildInputs = [ cacert pcre ]; propagatedBuildInputs = optionals stdenv.isDarwin [ Security Foundation ]; hardeningDisable = [ "all" ]; @@ -116,8 +116,6 @@ stdenv.mkDerivation rec { }) ]; - NIX_SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt"; - GOOS = if stdenv.isDarwin then "darwin" else "linux"; GOARCH = if stdenv.isDarwin then "amd64" else if stdenv.system == "i686-linux" then "386" diff --git a/pkgs/development/compilers/go/1.8.nix b/pkgs/development/compilers/go/1.8.nix index 23fd3b0f2912..651eb79d75a7 100644 --- a/pkgs/development/compilers/go/1.8.nix +++ b/pkgs/development/compilers/go/1.8.nix @@ -37,7 +37,7 @@ stdenv.mkDerivation rec { # perl is used for testing go vet nativeBuildInputs = [ perl which pkgconfig patch makeWrapper ] ++ optionals stdenv.isLinux [ procps ]; - buildInputs = [ pcre ] + buildInputs = [ cacert pcre ] ++ optionals stdenv.isLinux [ stdenv.glibc.out stdenv.glibc.static ]; propagatedBuildInputs = optionals stdenv.isDarwin [ Security Foundation ]; @@ -122,8 +122,6 @@ stdenv.mkDerivation rec { substituteInPlace "src/cmd/link/internal/ld/lib.go" --replace dsymutil ${llvm}/bin/llvm-dsymutil ''; - NIX_SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt"; - GOOS = if stdenv.isDarwin then "darwin" else "linux"; GOARCH = if stdenv.isDarwin then "amd64" else if stdenv.system == "i686-linux" then "386" diff --git a/pkgs/development/compilers/go/1.9.nix b/pkgs/development/compilers/go/1.9.nix index e908a8725e2a..aab7964148b4 100644 --- a/pkgs/development/compilers/go/1.9.nix +++ b/pkgs/development/compilers/go/1.9.nix 
@@ -37,7 +37,7 @@ stdenv.mkDerivation rec { # perl is used for testing go vet nativeBuildInputs = [ perl which pkgconfig patch makeWrapper ] ++ optionals stdenv.isLinux [ procps ]; - buildInputs = [ pcre ] + buildInputs = [ cacert pcre ] ++ optionals stdenv.isLinux [ stdenv.glibc.out stdenv.glibc.static ]; propagatedBuildInputs = optionals stdenv.isDarwin [ Security Foundation ]; @@ -128,8 +128,6 @@ stdenv.mkDerivation rec { substituteInPlace "src/cmd/link/internal/ld/lib.go" --replace dsymutil ${llvm}/bin/llvm-dsymutil ''; - NIX_SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt"; - GOOS = if stdenv.isDarwin then "darwin" else "linux"; GOARCH = if stdenv.isDarwin then "amd64" else if stdenv.system == "i686-linux" then "386" diff --git a/pkgs/development/compilers/rust/cargo.nix b/pkgs/development/compilers/rust/cargo.nix index fb3001bbf17b..386ffa622944 100644 --- a/pkgs/development/compilers/rust/cargo.nix +++ b/pkgs/development/compilers/rust/cargo.nix @@ -24,7 +24,7 @@ rustPlatform.buildRustPackage rec { passthru.rustc = rustc; nativeBuildInputs = [ pkgconfig ]; - buildInputs = [ file curl python openssl cmake zlib makeWrapper libgit2 ] + buildInputs = [ cacert file curl python openssl cmake zlib makeWrapper libgit2 ] ++ stdenv.lib.optionals stdenv.isDarwin [ CoreFoundation libiconv ]; LIBGIT2_SYS_USE_PKG_CONFIG=1; @@ -48,8 +48,6 @@ rustPlatform.buildRustPackage rec { ''; checkPhase = '' - # Export SSL_CERT_FILE as without it one test fails with SSL verification error - export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt # Disable cross compilation tests export CFG_DISABLE_CROSS_TESTS=1 cargo test diff --git a/pkgs/development/r-modules/default.nix b/pkgs/development/r-modules/default.nix index a435ee65e52c..b7b411a7decf 100644 --- a/pkgs/development/r-modules/default.nix +++ b/pkgs/development/r-modules/default.nix 
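Review bot: The deleted checkPhase comment in cargo.nix was the only record of why cargo needs a CA bundle, and `cacert` in `buildInputs` now reads like an unused input that a later cleanup could drop. Carry the reason over to the new line, e.g. `# cacert's setup hook exports SSL_CERT_FILE; without it one test fails with an SSL verification error`. The same applies to the geojsonio override in r-modules, where the explicit export became a bare `[ cacert ]`.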
@@ -3,7 +3,7 @@ { R, pkgs, overrides }: let - inherit (pkgs) fetchurl stdenv lib; + inherit (pkgs) cacert fetchurl stdenv lib; buildRPackage = pkgs.callPackage ./generic-builder.nix { inherit R; @@ -912,9 +912,7 @@ let }); geojsonio = old.geojsonio.overrideDerivation (attrs: { - preConfigure = '' - export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ''; + buildInputs = [ cacert ] ++ attrs.buildInputs; }); rstan = old.rstan.overrideDerivation (attrs: { diff --git a/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix b/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix index 809d0ba5264c..8e85bfda3f2c 100644 --- a/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix +++ b/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix @@ -32,8 +32,7 @@ stdenv.mkDerivation rec { # traffic, so don't do that. preferLocalBuild = true; - buildInputs = [ git gnupg ]; - NIX_SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt"; + buildInputs = [ cacert git gnupg ]; } '' git init src && ( cd src