This introduces the ability to have additional certificates in the trust
store using an override, similar to how the blacklist is done. If the
certificates are provided in OpenSSL TRUSTED CERTIFICATE form, then
those trust bits will be respected.
It also adds a p11-kit compatible trust store output.
Usually, on the stable channel, we have a nss_latest attribute that is
more up to date than the nss attribute (which is usually frozen during
branch-off and only receives security updates). Cacerts are a sensitive
matter and should be updated more frequently than the stable NSS package,
if required. By making the update script aware of the nss_latest
attribute we can prefer that when it exists.
By having this change in the unstable branch of Nixpgks we can carry it
from release to release without requiring more churn from those doing
the stable release maintenance.
This doesn't do anything. Building with includeEmail = true produces
the same set as includeEmail = false, and the substitute rule removes
a random dictionary index operation.
In [#100765] @vcunat pointed out that we could decouple cacert from the
NSS package to make it more rebuild friendly. Just rebuilding packages
that depend on NSS seems to be about ~100. Rebuilding all the packages
that depend on cacert is >9k as of this writing. This makes it much more
feasible to upgrade high-profile packages that are (rightfully) pedantic
on their NSS version like firefox and thunderbird.
[#100765]: https://github.com/NixOS/nixpkgs/pull/100765
Triggering this setupHook for dependencies at targetOffset does not work
in cross-compilation cases where such a dependency is lacking. This
simplified setupHook is more robust.
Some SSL libs don't react to $SSL_CERT_FILE.
That actually makes sense to me, as we add this behavior
as nixpkgs-specific, so it seems "safer" to use $NIX_*.
He prefers to contribute to his own nixpkgs fork triton.
Since he is still marked as maintainer in many packages
this leaves the wrong impression he still maintains those.
Previously, the list of CA certificates was generated with a perl script
which is included in curl. As this script is not very flexible, this commit
refactors the expression to use the python script that Debian uses to
generate their CA certificates from Mozilla's trust store in NSS.
Additionally, an option was added to the cacerts derivation and the
`security.pki` module to blacklist specific CAs.
The `mk-ca-bundle.pl` script manages quite well using only curl but
fails without LWP being present due to a `use` statement. This removes
the Perl import of the LWP library and adds curl as a build input.
This is generated with a more recent version of mk-ca-bundle.pl. The
previous version mistakenly dropped some certificates, like "Verisign
Class 3 Public Primary Certification Authority".
