Skip to content

fetchedMavenDeps: support proxy and custom cacerts#420608

Merged
philiptaron merged 4 commits intoNixOS:masterfrom
flokli:maven-proxy
Jul 1, 2025
Merged

fetchedMavenDeps: support proxy and custom cacerts#420608
philiptaron merged 4 commits intoNixOS:masterfrom
flokli:maven-proxy

Conversation

@flokli
Copy link
Member

@flokli flokli commented Jun 27, 2025
edited
Loading

Currently, packages using maven.buildMavenPackage do not honor impure environment variables like HTTP[S]_PROXY, NO_PROXY and NIX_SSL_CERT_FILE.

We normally propagate these env vars into FODs, so builds running in environments where such proxies are necessary can succeed.

This was not wired up for the maven FOD fetcher, most probably because maven does not honor these environment variables out of the box. Maven requires the user to configure an XML file with proxy settings, and pass a Java Keystore with custom CA certificates imported.

This now happens dynamically at runtime, if the common environment variables are detected.

I tested this (on NixOS) by doing the following:

  • start mitmproxy without any command line arguments
  • nix-store --add ~/.mitmproxy/mitmproxy-ca-cert.pem
  • sudo systemctl edit --runtime nix-daemon.service && sudo systemctl restart nix-daemon.service, adding Environment=HTTP_PROXY=http://127.0.0.1:8080, Environment=HTTPS_PROXY=http://127.0.0.1:8080 and Environment=NIX_SSL_CERT_FILE=/nix/store/…-mitmproxy-ca-cert.pem to a new [Service] section.
  • starting off a build, listing the same /nix/store/…-mitmproxy-ca-cert.pem store path in the ssl-cert-file and extra-sandbox-paths again: nix-build -A openrefine.fetchedMavenDeps --builders '' --check --option extra-sandbox-paths /nix/store/…-mitmproxy-ca-cert.pem.
    Editing your global nix.conf and setting ssl-cert-file might be another way, YMMV.

With this done, I was able to see maven requesting assets through the proxy.

In the future, this tooling might be used to steer Maven to a MITM Caching Proxy, like it's done for Gradle in #272380, but that's left for a followup.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • Nixpkgs 25.11 Release Notes (or backporting 24.11 and 25.05 Nixpkgs Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
  • NixOS 25.11 Release Notes (or backporting 24.11 and 25.05 NixOS Release notes)
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other contributing documentation in corresponding paths.

Add a 👍 reaction to pull requests you find important.

flokli added 4 commits June 27, 2025 21:27
@flokli
lib/fetchers: remove unused imports
f8b6b6f
@flokli
fetchedMavenDeps: add impureEnvVars to FOD
c6d583c 
This is a fetcher, so impureEnvVars like HTTP_PROXY etc are ok to be
propagated into the FOD.
@flokli
fetchedMavenDeps: honor HTTP[S]_PROXY, NO_PROXY env vars
554b465 
Maven doesn't honor HTTP[S]_PROXY and NO_PROXY env vars out of the box.
Instead, it expects the user to configure a settings.xml file.
We however impurely pass only these env vars in FODs.
This creates the XML file on demand, if one or more env vars is set.
@flokli
fetchedMavenDeps: honor NIX_SSL_CERT_FILE
cd931bf 
Java doesn't honor NIX_SSL_CERT_FILE out of the box, but instead uses
its own concept of a key store.

If we see the environment variable being set, we can create a new key
store with all certs in that file and pass it to the JVM.
@flokli flokli requested review from Atemu, GetPsyched and chayleaf June 27, 2025 18:59
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 6.topic: java Including JDK, tooling, other languages, other VMs 6.topic: lib The Nixpkgs function library labels Jun 27, 2025
Atemu
Atemu approved these changes Jun 27, 2025
View reviewed changes
Copy link
Member

@Atemu Atemu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The intention is sound IMV and this feels like a good implementation given the constraints.

I had a glance and the diff broadly LGTM too.

@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Jun 27, 2025
@philiptaron philiptaron merged commit 1697762 into NixOS:master Jul 1, 2025
34 of 35 checks passed
@flokli flokli deleted the maven-proxy branch July 1, 2025 06:57
@deftdawg
Copy link
Contributor

deftdawg commented Aug 20, 2025

Unfortunately, this PR has broken my ability to build docker images using maven.buildMavenPackage due to CA certificates not being trusted (by the CA bundle failing to import correctly).

Broken: Branch including this PR: https://github.com/deftdawg/nixpkgs/tree/openjdk21-CVE-2025-30749

Uneffected: Branch based on commit prior to this PR: https://github.com/deftdawg/nixpkgs/tree/preFetchedMaven-with-JDK-CVE-Fix

Being on MacOS, I'm required to build docker containers for validation inside a Docker container (docker run -v /var/run/docker.sock:/var/run/docker.sock -v $PWD:/root -w /root -it --name maven-builder nixos/nix sh -c "nix-build -A dockerImage")

When I do that on a nixpkgs that contains this PR, the build fails to download files from our artifactory repo (has valid cert trusted by the ca bundle)

When mvnParameters = "--debug"; is enabled we see the following:

[FATAL] Non-resolvable parent POM for com.test:testproject:1.2.3: 
 The following artifacts could not be resolved: org.springframework.boot:spring-boot-starter-parent:pom:3.5.4 (absent): 
  Could not transfer artifact org.springframework.boot:spring-boot-starter-parent:pom:3.5.4 from/to test-virtual (https://m2.test.com/artifactory/test-virtual/): 
    PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
      unable to find valid certification path to requested target ...

It appears as though the buildMavenPackage attempts to import the system's CA certificates (the certificate shown is the first one in the system CA-bundle), however it either fails to do so or fails to apply the change to the JVM parameters...

This was discovered validating #432442

verbose output showing certificate import 
setting builder env variable 'buildPhase'='runHook preBuild

MAVEN_EXTRA_ARGS=""

# handle proxy
if [[ -n "${HTTP_PROXY-}" ]] || [[ -n "${HTTPS_PROXY-}" ]] || [[ -n "${NO_PROXY-}" ]];then
  mvnSettingsFile="$(mktemp -d)/settings.xml"
  /nix/store/kpfcp7xnda6ym0hdb1mjzf2a0n4ml4qg-write-proxy-settings $mvnSettingsFile
  MAVEN_EXTRA_ARGS="-s=$mvnSettingsFile"
fi

# handle cacert by populating a trust store on the fly
if [[ -n "${NIX_SSL_CERT_FILE-}" ]] && [[ "${NIX_SSL_CERT_FILE-}" != "/no-cert-file.crt" ]];then
  keyStoreFile="$(mktemp -d)/keystore"
  keyStorePwd="$(head -c10 /dev/random | base32)"
  echo y | /nix/store/m997585izg3jzfc85cjn5indxqcj1w9q-openjdk-21.0.8+9/bin/keytool -importcert -file "$NIX_SSL_CERT_FILE" -alias alias -keystore "$keyStoreFile" -storepass "$keyStorePwd"
  MAVEN_EXTRA_ARGS="$MAVEN_EXTRA_ARGS -Djavax.net.ssl.trustStore=$keyStoreFile -Djavax.net.ssl.trustStorePassword=$keyStorePwd"
fi
mvn $MAVEN_EXTRA_ARGS package -Dmaven.repo.local=$out/.m2  --debug -Djavax.net.ssl.trustStore=/nix/store/dizc1gwzfn1w888c0b4drcbb3bf0ylhw-nss-cacert-3.113.1/etc/ssl/certs/ca-bundle.crt -Djavax.net.ssl.trustStoreType=PEM
runHook postBuild
'
setting builder env variable 'builder'='/nix/store/7z7zi55hb1kck2sm4jx0sbcbwcmajyrh-bash-5.3p0/bin/bash'
setting builder env variable 'cmakeFlags'=''
setting builder env variable 'configureFlags'=''
setting builder env variable 'depsBuildBuild'=''
setting builder env variable 'depsBuildBuildPropagated'=''
setting builder env variable 'depsBuildTarget'=''
setting builder env variable 'depsBuildTargetPropagated'=''
setting builder env variable 'depsHostHost'=''
setting builder env variable 'depsHostHostPropagated'=''
setting builder env variable 'depsTargetTarget'=''
setting builder env variable 'depsTargetTargetPropagated'=''
setting builder env variable 'doCheck'=''
setting builder env variable 'doInstallCheck'=''
setting builder env variable 'dontFixup'='1'
setting builder env variable 'impureEnvVars'='http_proxy https_proxy ftp_proxy all_proxy no_proxy HTTP_PROXY HTTPS_PROXY FTP_PROXY ALL_PROXY NO_PROXY NIX_SSL_CERT_FILE'
setting builder env variable 'installPhase'='runHook preInstall

find $out -type f \( \
  -name \*.lastUpdated \
  -o -name resolver-status.properties \
  -o -name _remote.repositories \) \
  -delete

runHook postInstall
'
setting builder env variable 'mesonFlags'=''
setting builder env variable 'name'='testproject-1.2.3-maven-deps'
setting builder env variable 'nativeBuildInputs'='/nix/store/g0sd7ss6avg19v1ridrfshs9dmh4y98n-maven-3.9.11 /nix/store/dizc1gwzfn1w888c0b4drcbb3bf0ylhw-nss-cacert-3.113.1'
setting builder env variable 'out'='/nix/store/w4ar6ygpd86chxfi60y23pfp2h63rd60-testproject-1.2.3-maven-deps'
setting builder env variable 'outputHash'='sha256-U67Yk6A+UxcHLpMHbJF+ybHWGNPyKMITuQ9xfzQ2Qmc='
setting builder env variable 'outputHashMode'='recursive'
setting builder env variable 'outputs'='out'
setting builder env variable 'patches'=''
setting builder env variable 'propagatedBuildInputs'=''
setting builder env variable 'propagatedNativeBuildInputs'=''
setting builder env variable 'src'='/nix/store/0a1zxjk5s9y48xwp3yhszsv7b3x2qdnv-source'
setting builder env variable 'stdenv'='/nix/store/7kikw5rk313fsd7qx4kh019d14wd491g-stdenv-linux'
setting builder env variable 'strictDeps'=''
setting builder env variable 'system'='aarch64-linux'
building '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv'...
waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 81 bytes
Running phase: unpackPhase
waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 76 bytes
unpacking source archive /nix/store/0a1zxjk5s9y48xwp3yhszsv7b3x2qdnv-source
waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 22 bytes
source root is source
waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 79 bytes
Running phase: patchPhase
waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 131 bytes
Running phase: updateAutotoolsGnuConfigScriptsPhase
waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 87 bytes
Running phase: configurePhase
waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 35 bytes
no configure script, doing nothing
waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 79 bytes
Running phase: buildPhase
waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 505 bytes
Owner: C=ES, O=ACCV, OU=PKIACCV, CN=ACCVRAIZ1
Issuer: C=ES, O=ACCV, OU=PKIACCV, CN=ACCVRAIZ1
Serial number: 5ec3b7a6437fa4e0
Valid from: Thu May 05 09:37:37 UTC 2011 until: Tue Dec 31 09:37:37 UTC 2030
Certificate fingerprints:
         SHA1: 93:05:7A:88:15:C6:4F:CE:88:2F:FA:91:16:52:28:78:BC:53:64:17
         SHA256: 9A:6E:C0:12:E1:A7:DA:9D:BE:34:19:4D:47:8A:D7:C0:DB:18:22:FB:07:1D:F1:29:81:49:6E:D1:04:38:41:13
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 15 bytes

Extensions: 

waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 274 bytes
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt
, 
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.accv.es
]
]

waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 224 bytes
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D2 87 B4 E3 DF 37 27 93   55 F6 56 EA 81 E5 36 CC  .....7'.U.V...6.
0010: 8C 1E 3F BD                                        ..?.
]
]

waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 270 bytes
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen: no limit
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl]
]]

waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 2355 bytes
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 82 01 14 1E 82 01 10   00 41 00 75 00 74 00 6F  0........A.u.t.o
0010: 00 72 00 69 00 64 00 61   00 64 00 20 00 64 00 65  .r.i.d.a.d. .d.e
0020: 00 20 00 43 00 65 00 72   00 74 00 69 00 66 00 69  . .C.e.r.t.i.f.i
0030: 00 63 00 61 00 63 00 69   00 F3 00 6E 00 20 00 52  .c.a.c.i...n. .R
0040: 00 61 00 ED 00 7A 00 20   00 64 00 65 00 20 00 6C  .a...z. .d.e. .l
0050: 00 61 00 20 00 41 00 43   00 43 00 56 00 20 00 28  .a. .A.C.C.V. .(
0060: 00 41 00 67 00 65 00 6E   00 63 00 69 00 61 00 20  .A.g.e.n.c.i.a. 
0070: 00 64 00 65 00 20 00 54   00 65 00 63 00 6E 00 6F  .d.e. .T.e.c.n.o
0080: 00 6C 00 6F 00 67 00 ED   00 61 00 20 00 79 00 20  .l.o.g...a. .y. 
0090: 00 43 00 65 00 72 00 74   00 69 00 66 00 69 00 63  .C.e.r.t.i.f.i.c
00A0: 00 61 00 63 00 69 00 F3   00 6E 00 20 00 45 00 6C  .a.c.i...n. .E.l
00B0: 00 65 00 63 00 74 00 72   00 F3 00 6E 00 69 00 63  .e.c.t.r...n.i.c
00C0: 00 61 00 2C 00 20 00 43   00 49 00 46 00 20 00 51  .a.,. .C.I.F. .Q
00D0: 00 34 00 36 00 30 00 31   00 31 00 35 00 36 00 45  .4.6.0.1.1.5.6.E
00E0: 00 29 00 2E 00 20 00 43   00 50 00 53 00 20 00 65  .)... .C.P.S. .e
00F0: 00 6E 00 20 00 68 00 74   00 74 00 70 00 3A 00 2F  .n. .h.t.t.p.:./
0100: 00 2F 00 77 00 77 00 77   00 2E 00 61 00 63 00 63  ./.w.w.w...a.c.c
0110: 00 76 00 2E 00 65 00 73                            .v...e.s

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 24 68 74 74 70 3A 2F   2F 77 77 77 2E 61 63 63  .$http://www.acc
0010: 76 2E 65 73 2F 6C 65 67   69 73 6C 61 63 69 6F 6E  v.es/legislacion
0020: 5F 63 2E 68 74 6D                                  _c.htm

]]  ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  RFC822Name: accv@accv.es
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D2 87 B4 E3 DF 37 27 93   55 F6 56 EA 81 E5 36 CC  .....7'.U.V...6.
0010: 8C 1E 3F BD                                        ..?.
]
]


Warning:
The input uses the SHA1withRSA signature algorithm which is considered a security risk.

Trust this certificate? [no]:  Certificate was added to keystore
waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 388 bytes
Apache Maven 3.9.11 (3e54c93a704957b63ee3494413a2b544fd3d825b)
Maven home: /nix/store/g0sd7ss6avg19v1ridrfshs9dmh4y98n-maven-3.9.11/maven
Java version: 21.0.8, vendor: N/A, runtime: /nix/store/m997585izg3jzfc85cjn5indxqcj1w9q-openjdk-21.0.8+9/lib/openjdk
Default locale: en_US, platform encoding: UTF-8
waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 1 bytes
OS name: "linux", version: "6.10.14-linuxkit", arch: "aarch64", family: "unix"
waiting for children
building of '/nix/store/fxan5wf62lf9kyjbg0vlwpjwq6lh30bv-testproject-1.2.3-maven-deps.drv^out' from .drv file: read 4095 bytes
[DEBUG] Created new class realm maven.api
...

@philiptaron
Copy link
Contributor

philiptaron commented Aug 20, 2025

Please open an issue and CC @NixOS/Java.

@deftdawg deftdawg mentioned this pull request Aug 21, 2025
Closed
3 tasks
@flokli flokli mentioned this pull request Oct 7, 2025
Merged
13 tasks
@nixpkgs-ci
Copy link
Contributor

nixpkgs-ci bot commented Oct 7, 2025

Backport failed for release-25.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-25.05
git worktree add -d .worktree/backport-420608-to-release-25.05 origin/release-25.05
cd .worktree/backport-420608-to-release-25.05
git switch --create backport-420608-to-release-25.05
git cherry-pick -x f8b6b6f512bb579d11be6a9d92ea2565641c4b08 c6d583c3da526f49324d1b34bbad921a2438f9cd 554b465bac817aaacc16add43936efa9bec03068 cd931bff240f5dd9425ab5680bca4357f329820d

@flokli flokli mentioned this pull request Oct 7, 2025
Merged
13 tasks
github-merge-queue bot pushed a commit that referenced this pull request Oct 7, 2025
@flokli
[25.05] fetchedMavenDeps: support proxy and custom cacerts #420608 (#…
7a2cae0 
…449542)
@mdaniels5757 mdaniels5757 added 8.has: port to stable This PR already has a backport to the stable release. and removed backport release-25.05 labels Oct 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@philiptaron philiptaron philiptaron approved these changes

@Atemu Atemu Atemu approved these changes

@chayleaf chayleaf Awaiting requested review from chayleaf

@GetPsyched GetPsyched Awaiting requested review from GetPsyched

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314

@emilazy emilazy Awaiting requested review from emilazy

@reckenrode reckenrode Awaiting requested review from reckenrode

@alyssais alyssais Awaiting requested review from alyssais

@Artturin Artturin Awaiting requested review from Artturin

@RossComputerGuy RossComputerGuy Awaiting requested review from RossComputerGuy

Assignees

No one assigned

Labels

6.topic: java Including JDK, tooling, other languages, other VMs 6.topic: lib The Nixpkgs function library 8.has: port to stable This PR already has a backport to the stable release. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@flokli @deftdawg @philiptaron @Atemu @mdaniels5757