diff --git a/pkgs/by-name/ca/cacert/package.nix b/pkgs/by-name/ca/cacert/package.nix
index e92080542defb..61c9fcded8c6b 100644
--- a/pkgs/by-name/ca/cacert/package.nix
+++ b/pkgs/by-name/ca/cacert/package.nix
@@ -2,15 +2,12 @@
   lib,
   stdenv,
   writeText,
-  fetchFromGitHub,
+  fetchurl,
   buildcatrust,
   blacklist ? [ ],
   extraCertificateFiles ? [ ],
   extraCertificateStrings ? [ ],
 
-  # Used by update.sh
-  nssOverride ? null,
-
   # Used for tests only
   runCommand,
   cacert,
@@ -23,10 +20,9 @@ let
     lib.concatStringsSep "\n\n" extraCertificateStrings
   );
 
-  srcVersion = "3.117";
-  version = if nssOverride != null then nssOverride.version else srcVersion;
+  version = "3.121";
   meta = {
-    homepage = "https://curl.haxx.se/docs/caextract.html";
+    homepage = "https://firefox-source-docs.mozilla.org/security/nss/runbooks/rootstore.html#root-store-consumers";
     description = "Bundle of X.509 certificates of public Certificate Authorities (CA)";
     platforms = lib.platforms.all;
     maintainers = with lib.maintainers; [
@@ -35,40 +31,31 @@ let
     ];
     license = lib.licenses.mpl20;
   };
-  certdata = stdenv.mkDerivation {
-    pname = "nss-cacert-certdata";
-    inherit version;
-
-    src =
-      if nssOverride != null then
-        nssOverride.src
-      else
-        fetchFromGitHub {
-          owner = "nss-dev";
-          repo = "nss";
-          rev = "NSS_${lib.replaceStrings [ "." ] [ "_" ] version}_RTM";
-          hash = "sha256-sAs0TiV3TK/WtgHvEjl2KFAgebyWZYmcRcmxjpn2AME=";
-        };
-
-    dontBuild = true;
-
-    installPhase = ''
-      runHook preInstall
-
-      mkdir $out
-      cp lib/ckfw/builtins/certdata.txt $out
-
-      runHook postInstall
-    '';
-
-    inherit meta;
-  };
 in
 stdenv.mkDerivation {
   pname = "nss-cacert";
   inherit version;
 
-  src = certdata;
+  src = fetchurl {
+    urls =
+      let
+        # This file is effectively a public interface, see the homepage link
+        file = "lib/ckfw/builtins/certdata.txt";
+        tag = "NSS_${lib.replaceStrings [ "." ] [ "_" ] version}_RTM";
+      in
+      [
+        # Prefer mercurial as the canonical source, while github is just a mirror
+        "https://hg-edge.mozilla.org/projects/nss/raw-file/${tag}/${file}"
+        "https://raw.githubusercontent.com/nss-dev/nss/refs/tags/${tag}/${file}"
+      ];
+    hash = "sha256-O5jU4/9XoybZWHwzYzA5yMOpzwtV98pYHXWY/zKesfM=";
+  };
+
+  unpackPhase = ''
+    runHook preUnpack
+    cp "$src" "$(stripHash "$src")"
+    runHook postUnpack
+  '';
 
   outputs = [
     "out"
diff --git a/pkgs/by-name/ca/cacert/update.sh b/pkgs/by-name/ca/cacert/update.sh
index d578102ad56bd..ca7c2969bda70 100755
--- a/pkgs/by-name/ca/cacert/update.sh
+++ b/pkgs/by-name/ca/cacert/update.sh
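Review bot: The `hash` literal on the new `fetchurl` call is now the only thing that pins the root-store content, and it is decoupled from `version` two hunks up; a future bump that edits `version` but forgets `hash` will not fail — Nix reuses the fixed-output derivation already in the store with that hash, so the package would ship the previous release's roots under a new version label. That deserves a comment next to `hash`, e.g. `# Pins the root store bytes; bumping \`version\` without updating this hash silently reuses the cached previous file instead of failing, so update both (update.sh does).` It is also worth stating in the comment above the URL list that the mirror order is an availability choice only — the hash, not the host, is what makes the GitHub fallback trust-neutral. The build phase that consumes the copied `certdata.txt` is outside this hunk, so I could not confirm the name `stripHash` yields is the one it expects; if it is simply the basename of `file`, `cp "$src" certdata.txt` would make that dependency explicit.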
@@ -25,7 +25,7 @@ BASEDIR="$(dirname "$0")/../../../.."
 
 CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
 
-PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.override { nssOverride = nss_latest; }).out")
+PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.overrideAttrs { src = nss_latest.src + \"/lib/ckfw/builtins/certdata.txt\"; }).out")
 
 # Check the hash of the etc subfolder
 # We can't check the entire output as that contains the nix-support folder
@@ -35,5 +35,5 @@ PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")
 
 if [[ "$CURRENT_HASH" != "$PATCHED_HASH" ]]; then
   NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss_latest.version" | jq -r .)
-  update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"
+  update-source-version cacert "$NSS_VERSION"
 fi
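Review bot: The new `update-source-version cacert "$NSS_VERSION"` call records whatever hash the first URL in `urls` serves at update time, but nothing compares that download against the `certdata.txt` inside `nss_latest.src` that the earlier hunk just built and hashed to decide the update was needed — a wrong or moved tag on the raw-file host would be pinned without anyone noticing. Since `nss_latest.src` is already a hash-pinned checkout, the script can derive the expected hash from it and hand it to `update-source-version`, which (if the copy in this tree matches the usual signature) accepts the hash as a third positional argument: `NSS_SRC=$(nix-build --no-out-link -E "with import $BASEDIR {}; nss_latest.src")`, `NSS_HASH=$(nix-hash --type sha256 --flat --sri "$NSS_SRC/lib/ckfw/builtins/certdata.txt")`, `update-source-version cacert "$NSS_VERSION" "$NSS_HASH"`. With that, a mismatch between the NSS checkout and the raw-file endpoint fails the update instead of being silently adopted as the new trust root.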