qdigidoc: fix TSL loading

These are what's used to regularly push new certificate fingerprints to clients, so we need to keep the original URL configured. Use the same approach as fedora, ship an "initial" TSL as a patch, and also patch out the downloading part during the build phase. This seems to reliably get ID Card and SmartID signing to work again. Fixes #334397. Fixes #307927.
2024-11-20 01:32:06 +02:00 · 2024-11-20 01:32:06 +02:00 · 0e29f00608
commit 0e29f00608
parent f93401eeed
2 changed files with 11128 additions and 11 deletions
--- a/pkgs/tools/security/qdigidoc/default.nix
+++ b/pkgs/tools/security/qdigidoc/default.nix
@ -31,21 +31,15 @@ mkDerivation rec {
      url = "https://github.com/open-eid/DigiDoc4-Client/commit/bb324d18f0452c2ab1b360ff6c42bb7f11ea60d7.patch";
      hash = "sha256-JpaU9inupSDsZKhHk+sp5g+oUynVFxR7lshjTXoFIbU=";
    })
+
+    # Regularly update this with what's on https://src.fedoraproject.org/rpms/qdigidoc/blob/rawhide/f/sandbox.patch
+    # This prevents attempts to download TSL lists inside the build sandbox.
+    # The list files are regularly updated (get new signatures), though this also happens at application runtime.
+    ./sandbox.patch
  ];

-  # Check https://dss.nowina.lu/tl-info, "Pivots loaded" section
-  tsl = fetchurl {
-    url = "https://ec.europa.eu/tools/lotl/eu-lotl-pivot-341.xml";
-    hash = "sha256-/TI8qYxXzourjGFPBpsQzi9Depi7lLQ2JaV+FyP0FtE=";
-  };
-
  nativeBuildInputs = [ cmake gettext pkg-config qttools ];

-  postPatch = ''
-    substituteInPlace client/CMakeLists.txt \
-      --replace $\{TSL_URL} file://${tsl}
-  '';
-
  buildInputs = [
    flatbuffers
    libdigidocpp
--- a/pkgs/tools/security/qdigidoc/sandbox.patch
+++ b/pkgs/tools/security/qdigidoc/sandbox.patch