From 24e1dc4d7494623c7006bf83434814a279230655 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Thu, 11 May 2023 13:09:02 +0200
Subject: [PATCH] Call getDefaultSSLCertFile() only when none is specified

This does pathExists on various paths, which crashes on EPERM in the macOS sandbox.
(cherry picked from commit b7cde90c6b479562eb9f1d9df399d04cf9c42aad)
---
 src/libstore/globals.cc | 2 ++
 src/libstore/globals.hh | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index 823b4af74..9b19e6611 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -47,6 +47,8 @@ Settings::Settings()
 auto sslOverride = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
 if (sslOverride != "")
 caFile = sslOverride;
+ else if (caFile == "")
+ caFile = getDefaultSSLCertFile();
 /* Backwards compatibility. */
 auto s = getEnv("NIX_REMOTE_SYSTEMS");
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 63c7389da..20ed3f6b6 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -858,7 +858,7 @@ public:
 )"};
 Setting caFile{
- this, getDefaultSSLCertFile(), "ssl-cert-file",
+ this, "", "ssl-cert-file",
 R"(
 The path of a file containing CA certificates used to authenticate `https://` downloads. Nix by default will use
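Review bot: The added `else if (caFile == "")` in `Settings::Settings()` looks as if it is always true when reached, because the declared default is now `""` and nothing visible in the hunk assigns `caFile` before it; presumably config files are applied only after the constructor body. If that is right, `getDefaultSSLCertFile()` and its path probes still run on every start where neither `NIX_SSL_CERT_FILE` nor `SSL_CERT_FILE` is set, even when `ssl-cert-file` is configured in a file, so "only when none is specified" holds for the environment variables only. Either defer the lookup to the first read of `caFile`, or add a comment such as `// caFile is still the empty default here; config files are applied later`. The path where the lookup finds no bundle and `caFile` stays empty should also carry a comment stating what the TLS consumers do with an empty CA path. The constructor body starts and ends outside the hunk.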
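Review bot: The declared default of `ssl-cert-file` in globals.hh is now the empty string, while the description still says "Nix by default will use". Anything that prints declared defaults will therefore presumably show an empty value for the CA bundle that authenticates `https://` downloads. I would add a sentence to the description, for example `The default shown here is empty; the effective value is resolved at start-up from the environment or the standard certificate locations.` The raw string continues outside the hunk, so check the wording against the rest of the description.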