From 0046802ab6d3389b45f3e9fce6f5e2746e2e7f80 Mon Sep 17 00:00:00 2001 From: Matthew Bauer Date: Tue, 9 Jun 2020 12:56:27 -0500 Subject: [PATCH] fetchurl: only allow empty hash when cacert is available MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We can use cacert to validate that the data passes SSL certificates. Normally, this doesn’t happen because we already have the hash, but in the hash = "" case we don’t. --- pkgs/build-support/fetchurl/builder.sh | 8 +++++++- pkgs/build-support/fetchurl/default.nix | 11 +++++++++-- pkgs/top-level/all-packages.nix | 1 + 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/pkgs/build-support/fetchurl/builder.sh b/pkgs/build-support/fetchurl/builder.sh index e93c98419a67..5b04a702aff4 100644 --- a/pkgs/build-support/fetchurl/builder.sh +++ b/pkgs/build-support/fetchurl/builder.sh @@ -15,8 +15,14 @@ curl=( --retry 3 --disable-epsv --cookie-jar cookies - --insecure --user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion" +) + +if ! [ -f "$SSL_CERT_FILE" ]; then + curl+=(--insecure) +fi + +curl+=( $curlOpts $NIX_CURL_FLAGS ) diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix index 39ec5bf5f2c4..c65738aef41a 100644 --- a/pkgs/build-support/fetchurl/default.nix +++ b/pkgs/build-support/fetchurl/default.nix @@ -1,4 +1,6 @@ -{ lib, buildPackages ? { inherit stdenvNoCC; }, stdenvNoCC, curl }: # Note that `curl' may be `null', in case of the native stdenvNoCC. +{ lib, buildPackages ? { inherit stdenvNoCC; }, stdenvNoCC +, curl # Note that `curl' may be `null', in case of the native stdenvNoCC. +, cacert ? null }: let 
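Review bot: The new `if ! [ -f "$SSL_CERT_FILE" ]` guard downgrades to `--insecure` silently, including in the hash-less case where the certificate check is the only integrity protection the fetch has, so a missing or unreadable bundle yields an unverified download with no hash to catch it. For hashed fetches the fallback is harmless because the fixed output hash still verifies the content, but when no hash is present a missing bundle should abort the build rather than weaken it. Assuming `outputHash` is visible in the builder environment, as mkDerivation attributes normally are, the guard can tell the two cases apart as below; a comment such as `# TLS is only verified when a CA bundle exists; hashed fetches rely on the output hash instead.` above it would document the intent. The `curl=(` array this hunk appends to opens above the hunk.
```shell
if ! [ -f "$SSL_CERT_FILE" ]; then
    if [ -z "$outputHash" ]; then
        echo "fetchurl: no CA bundle at '$SSL_CERT_FILE' and no output hash; refusing to download unverified" >&2
        exit 1
    fi
    curl+=(--insecure)
fi
# … unchanged: curl+=( $curlOpts $NIX_CURL_FLAGS ) …
```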
@@ -112,7 +114,8 @@ let else if sha512 != "" then { outputHashAlgo = "sha512"; outputHash = sha512; } else if sha256 != "" then { outputHashAlgo = "sha256"; outputHash = sha256; } else if sha1 != "" then { outputHashAlgo = "sha1"; outputHash = sha1; } - else { outputHashAlgo = "sha256"; outputHash = ""; }; + else if cacert != null then { outputHashAlgo = "sha256"; outputHash = ""; } + else throw "fetchurl requires a hash for fixed-output derivation: ${lib.concatStringsSep ", " urls_}"; in stdenvNoCC.mkDerivation { @@ -134,6 +137,10 @@ stdenvNoCC.mkDerivation { # New-style output content requirements. inherit (hash_) outputHashAlgo outputHash; + SSL_CERT_FILE = if hash_.outputHash == "" + then "${cacert}/etc/ssl/certs/ca-bundle.crt" + else "/no-cert-file.crt"; + outputHashMode = if (recursiveHash || executable) then "recursive" else "flat"; inherit curlOpts showURLs mirrorsFile postFetch downloadToTemp executable; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index e3a6fd640311..1b7a5ef381de 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -331,6 +331,7 @@ in then buildPackages.fetchurl # No need to do special overrides twice, else makeOverridable (import ../build-support/fetchurl) { inherit lib stdenvNoCC buildPackages; + inherit cacert; curl = buildPackages.curl.override (old: rec { # break dependency cycles fetchurl = stdenv.fetchurlBoot;
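Review bot: The `cacert != null` branch lets a fetch proceed with no hash whenever a CA bundle is available, but a certificate check only protects `https://` URLs; any `http://` or `ftp://` entry in `urls_` (and presumably an http mirror reached through a `mirror://` URL expanded in the builder) is downloaded with neither TLS verification nor a hash. The hash-less path should additionally require that every URL is https, e.g. `else if cacert != null && lib.all (lib.hasPrefix "https://") urls_ then { outputHashAlgo = "sha256"; outputHash = ""; }`, with the `throw` message extended to say that a hash is required for non-https URLs. Whether `mirror://` URLs should pass this check depends on what the mirror list guarantees, which is not visible here. The `hash_` let-binding this chain belongs to starts above the hunk.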
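Review bot: The `"/no-cert-file.crt"` sentinel is an undocumented magic path: its only purpose is to be nonexistent so that builder.sh's `[ -f "$SSL_CERT_FILE" ]` test fails and curl runs with `--insecure`, and nothing here says so, nor that interpolating `${cacert}` is safe only because the `hash_` chain in this file already throws when `cacert` is null and the hash is empty. A comment would keep a later edit from "fixing" either: `# Hash-less fetches must verify the server certificate, so point curl at the CA bundle; hashed fetches deliberately get a nonexistent path so builder.sh falls back to --insecure and relies on the output hash.` Gating on `hash_.outputHash == ""` rather than `cacert != null` also deserves a word, presumably it avoids making cacert an input of every hashed fetch, but that reason is not stated. The `mkDerivation` attribute set this line sits in continues outside the hunk.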