fetchurl: revert enabling TLS verification when NIX_SSL_CERT_FILE
This reverts commit f829274128
.
This commit is contained in:
parent
f251273e41
commit
31ab653f7e
@ -19,8 +19,7 @@ curl=(
|
||||
--user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
|
||||
)
|
||||
|
||||
# Default fallback value defined in pkgs/build-support/fetchurl/default.nix
|
||||
if [ "$SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
|
||||
if ! [ -f "$SSL_CERT_FILE" ]; then
|
||||
curl+=(--insecure)
|
||||
fi
|
||||
|
||||
|
@ -220,26 +220,20 @@ stdenvNoCC.mkDerivation (
|
||||
# New-style output content requirements.
|
||||
inherit (hash_) outputHashAlgo outputHash;
|
||||
|
||||
# Disable TLS verification only when we know the hash and no credentials are
|
||||
# needed to access the resource
|
||||
SSL_CERT_FILE =
|
||||
let
|
||||
nixSSLCertFile = builtins.getEnv "NIX_SSL_CERT_FILE";
|
||||
in
|
||||
if nixSSLCertFile != "" then
|
||||
nixSSLCertFile
|
||||
else if
|
||||
if
|
||||
(
|
||||
hash_.outputHash == ""
|
||||
|| hash_.outputHash == lib.fakeSha256
|
||||
|| hash_.outputHash == lib.fakeSha512
|
||||
|| hash_.outputHash == lib.fakeHash
|
||||
# Make sure we always enforce TLS verification when credentials
|
||||
# are needed to access the resource
|
||||
|| netrcPhase != null
|
||||
)
|
||||
then
|
||||
"${cacert}/etc/ssl/certs/ca-bundle.crt"
|
||||
else
|
||||
# Fallback to stdenv default, see pkgs/stdenv/generic/setup.sh
|
||||
"/no-cert-file.crt";
|
||||
|
||||
outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
|
||||
|
Loading…
Reference in New Issue
Block a user