cacert: extract certdata.txt from main package

This allows users to specify custom CAs without needing to download the entirety of the NSS source code - just certdata.txt, which should end up in cache.nixos.org.
2024-09-30 17:49:58 +03:00 · 2021-10-08 01:20:51 +00:00 · 2021-10-08 01:20:51 +00:00 · 91e4957081
commit 91e4957081
parent 906f44cef3
2 changed files with 40 additions and 19 deletions
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@ -2,12 +2,14 @@
 , stdenv
 , writeText
 , fetchurl
-, nss
 , buildcatrust
 , blacklist ? []
 , extraCertificateFiles ? []
 , extraCertificateStrings ? []

+# Used by update.sh
+, nssOverride ? null
+
 # Used for tests only
 , runCommand
 , cacert
@ -17,24 +19,49 @@
 let
  blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);
  extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);
+
+  srcVersion = "3.71";
+  version = if nssOverride != null then nssOverride.version else srcVersion;
+  meta = with lib; {
+    homepage = "https://curl.haxx.se/docs/caextract.html";
+    description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
+    platforms = platforms.all;
+    maintainers = with maintainers; [ andir fpletz lukegb ];
+    license = licenses.mpl20;
+  };
+  certdata = stdenv.mkDerivation {
+    pname = "nss-cacert-certdata";
+    inherit version;
+
+    src = if nssOverride != null then nssOverride.src else fetchurl {
+      url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
+      sha256 = "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r";
+    };
+
+    dontBuild = true;
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir $out
+      cp nss/lib/ckfw/builtins/certdata.txt $out
+
+      runHook postInstall
+    '';
+
+    inherit meta;
+  };
 in
 stdenv.mkDerivation rec {
  pname = "nss-cacert";
-  version = "3.71";
+  inherit version;

-  src = fetchurl {
-    url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
-    sha256 = "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r";
-  };
+  src = certdata;

  outputs = [ "out" "unbundled" "p11kit" ];

  nativeBuildInputs = [ buildcatrust ];

-  configurePhase = ''
-    ln -s nss/lib/ckfw/builtins/certdata.txt
-  '';
-
  buildPhase = ''
    mkdir unbundled
    buildcatrust \
@ -176,11 +203,5 @@ stdenv.mkDerivation rec {
    };
  };

-  meta = with lib; {
-    homepage = "https://curl.haxx.se/docs/caextract.html";
-    description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
-    platforms = platforms.all;
-    maintainers = with maintainers; [ andir fpletz lukegb ];
-    license = licenses.mpl20;
-  };
+  inherit meta;
 }
--- a/pkgs/data/misc/cacert/update.sh
+++ b/pkgs/data/misc/cacert/update.sh
@ -28,7 +28,7 @@ BASEDIR="$(dirname "$0")/../../../.."


 CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
-PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.overrideAttrs (_: { inherit (nss_pkg) src version; })).out")
+PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; let nss_pkg = pkgs.nss_latest or pkgs.nss; in (cacert.override { nssOverride = nss_pkg; }).out")

 # Check the hash of the etc subfolder
 # We can't check the entire output as that contains the nix-support folder
@ -38,5 +38,5 @@ PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")

 if [[ "$CURRENT_HASH" !=  "$PATCHED_HASH" ]]; then
    NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss.version" | jq -r .)
-    update-source-version cacert "$NSS_VERSION"
+    update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"
 fi