diff --git a/perl/lib/Nix/Config.pm.in b/perl/lib/Nix/Config.pm.in index b0dc71fab..5f87756cb 100644 --- a/perl/lib/Nix/Config.pm.in +++ b/perl/lib/Nix/Config.pm.in @@ -12,6 +12,12 @@ $logDir = $ENV{"NIX_LOG_DIR"} || "@localstatedir@/log/nix"; $confDir = $ENV{"NIX_CONF_DIR"} || "@sysconfdir@/nix"; $storeDir = $ENV{"NIX_STORE_DIR"} || "@storedir@"; +$caBundle = $ENV{"NIX_SSL_CERT_FILE"} // $ENV{"SSL_CERT_FILE"} // $ENV{"CURL_CA_BUNDLE"} // $ENV{"OPENSSL_X509_CERT_FILE"}; +$caBundle = "/etc/ssl/certs/ca-bundle.crt" if !$caBundle && -f "/etc/ssl/certs/ca-bundle.crt"; +$caBundle = "/etc/ssl/certs/ca-certificates.crt" if !$caBundle && -f "/etc/ssl/certs/ca-certificates.crt"; + +$curlCaFlag = defined $caBundle ? "--capath $caBundle" : ""; + $bzip2 = "@bzip2@"; $xz = "@xz@"; $curl = "@curl@"; diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in index fa2a2f60a..07ff7b95a 100644 --- a/scripts/download-from-binary-cache.pl.in +++ b/scripts/download-from-binary-cache.pl.in @@ -41,9 +41,6 @@ my $activeRequests = 0; my $curlIdCount = 1; my %requests; my %scheduled; -my $caBundle = $ENV{"NIX_SSL_CERT_FILE"} // $ENV{"SSL_CERT_FILE"} // $ENV{"CURL_CA_BUNDLE"} // $ENV{"OPENSSL_X509_CERT_FILE"}; -$caBundle = "/etc/ssl/certs/ca-bundle.crt" if !$caBundle && -f "/etc/ssl/certs/ca-bundle.crt"; -$caBundle = "/etc/ssl/certs/ca-certificates.crt" if !$caBundle && -f "/etc/ssl/certs/ca-certificates.crt"; my $userName = getpwuid($<) || $ENV{"USER"} or die "cannot figure out user name"; @@ -79,7 +76,7 @@ sub addRequest { open (my $fh, ">", \$requests{$curlId}->{content}); $curl->setopt(CURLOPT_WRITEDATA, $fh); $curl->setopt(CURLOPT_FOLLOWLOCATION, 1); - $curl->setopt(CURLOPT_CAINFO, $caBundle) if defined $caBundle; + $curl->setopt(CURLOPT_CAINFO, $Nix::Config::caBundle) if defined $Nix::Config::caBundle; unless (isTrue($Nix::Config::config{"verify-https-binary-caches"} // "1")) { $curl->setopt(CURLOPT_SSL_VERIFYPEER, 0); @@ -566,7 +563,7 @@ sub downloadBinary { die if $requireSignedBinaryCaches && !defined $info->{signedBy}; print STDERR "\n*** Downloading ‘$url’ ", ($requireSignedBinaryCaches ? "(signed by ‘$info->{signedBy}’) " : ""), "to ‘$storePath’...\n"; checkURL $url; - if (system("$Nix::Config::curl --fail --location --connect-timeout $curlConnectTimeout -A '$userAgent' '$url' $decompressor | $Nix::Config::binDir/nix-store --restore $destPath") != 0) { + if (system("$Nix::Config::curl --fail --location --connect-timeout $curlConnectTimeout -A '$userAgent' $Nix::Config::curlCaFlag '$url' $decompressor | $Nix::Config::binDir/nix-store --restore $destPath") != 0) { warn "download of ‘$url’ failed" . ($! ? ": $!" : "") . "\n"; next; } diff --git a/scripts/download-using-manifests.pl.in b/scripts/download-using-manifests.pl.in index ffc49f8ff..88a464305 100755 --- a/scripts/download-using-manifests.pl.in +++ b/scripts/download-using-manifests.pl.in @@ -17,7 +17,7 @@ my $logFile = "$Nix::Config::logDir/downloads"; # estimating the expected download size. my $fast = 1; -my $curl = "$Nix::Config::curl --fail --location"; +my $curl = "$Nix::Config::curl $Nix::Config::curlCaFlag --fail --location"; # Open the manifest cache and update it if necessary. diff --git a/scripts/nix-channel.in b/scripts/nix-channel.in index 5191b5855..313e91722 100755 --- a/scripts/nix-channel.in +++ b/scripts/nix-channel.in @@ -104,7 +104,7 @@ sub update { # definition from a consistent location if the redirect changes mid-download. my $tmpdir = tempdir( CLEANUP => 1 ); my $filename; - ($url, $filename) = `cd $tmpdir && $Nix::Config::curl --silent --write-out '%{url_effective}\n%{filename_effective}' -L '$url' -O`; + ($url, $filename) = `cd $tmpdir && $Nix::Config::curl $Nix::Config::curlCaFlag --silent --write-out '%{url_effective}\n%{filename_effective}' -L '$url' -O`; chomp $url; die "$0: unable to check ‘$url’\n" if $? != 0; @@ -131,7 +131,7 @@ sub update { my $extraAttrs = ""; if ($ret != 0) { # Check if the channel advertises a binary cache. - my $binaryCacheURL = `$Nix::Config::curl --silent '$url'/binary-cache-url`; + my $binaryCacheURL = `$Nix::Config::curl $Nix::Config::curlCaFlag --silent '$url'/binary-cache-url`; my $getManifest = ($Nix::Config::config{"force-manifest"} // "false") eq "true"; if ($? == 0 && $binaryCacheURL ne "") { $extraAttrs .= "binaryCacheURL = \"$binaryCacheURL\"; "; @@ -151,7 +151,7 @@ sub update { # Download the channel tarball. my $fullURL = "$url/nixexprs.tar.xz"; - system("$Nix::Config::curl --fail --silent --head '$fullURL' > /dev/null") == 0 or + system("$Nix::Config::curl $Nix::Config::curlCaFlag --fail --silent --head '$fullURL' > /dev/null") == 0 or $fullURL = "$url/nixexprs.tar.bz2"; print STDERR "downloading Nix expressions from ‘$fullURL’...\n"; (my $hash, $path) = `PRINT_PATH=1 QUIET=1 $Nix::Config::binDir/nix-prefetch-url '$fullURL'`; diff --git a/scripts/nix-pull.in b/scripts/nix-pull.in index 995b50935..0d783b4a0 100755 --- a/scripts/nix-pull.in +++ b/scripts/nix-pull.in @@ -51,7 +51,7 @@ sub processURL { my $origUrl = $ENV{'NIX_ORIG_URL'} || $url; # First see if a bzipped manifest is available. - if (system("$Nix::Config::curl --fail --silent --location --head '$url'.bz2 > /dev/null") == 0) { + if (system("$Nix::Config::curl $Nix::Config::curlCaFlag --fail --silent --location --head '$url'.bz2 > /dev/null") == 0) { print "fetching list of Nix archives at ‘$url.bz2’...\n"; $manifest = downloadFile "$url.bz2"; }