Tagging release 2.26.2

-----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCAAxFiEEtUHVUwEnDgvPFcpdgXC0cm1xmN4FAmetA5oTHGVkb2xzdHJh
 QGdtYWlsLmNvbQAKCRCBcLRybXGY3g2pB/9JAFyjmaXuccbMTO/6x9qwsWuuXNLk
 OQWzfbdUekvsihZZSFZg1r7KqqXHCi64f0nxLPsJ/0oeDWZktJ5KnbV630nuUlDj
 ulLCpKdvhWFa8dVx9LiziGwQw4KLx8PjOfwThtQ4DqCWxWEmu6lKkijag9cE+ai4
 3mw9YtUjBRxlXyhYLzWz3whLbv37c/m+R8iGS8xm8W260pmei6D0beOIPdfXYBQF
 PzPlPORyI08A06uqyA3z7bTxzmSMnzvu0QInCPCKSHzFUnTZPHUYuYStFl28NrZS
 fXKK59L0G7QEfdTRAmqQkdHdtPj2RlYFiMN0kQiNLflvKfGGWdi/kvdx
 =rRix
 -----END PGP SIGNATURE-----

Merge tag '2.26.2' into sync-2.26.2

Tagging release 2.26.2

tests/nixos/fetchurl.nix

@@ -5,16 +5,20 @@
 
 let
 
-  makeTlsCert = name: pkgs.runCommand name {
-    nativeBuildInputs = with pkgs; [ openssl ];
-  } ''
-    mkdir -p $out
-    openssl req -x509 \
-      -subj '/CN=${name}/' -days 49710 \
-      -addext 'subjectAltName = DNS:${name}' \
-      -keyout "$out/key.pem" -newkey ed25519 \
-      -out "$out/cert.pem" -noenc
-  '';
+  makeTlsCert =
+    name:
+    pkgs.runCommand name
+      {
+        nativeBuildInputs = with pkgs; [ openssl ];
+      }
+      ''
+        mkdir -p $out
+        openssl req -x509 \
+          -subj '/CN=${name}/' -days 49710 \
+          -addext 'subjectAltName = DNS:${name}' \
+          -keyout "$out/key.pem" -newkey ed25519 \
+          -out "$out/cert.pem" -noenc
+      '';
 
   goodCert = makeTlsCert "good";
   badCert = makeTlsCert "bad";
@@ -22,42 +26,45 @@ let
 in
 
 {
-  name = "nss-preload";
+  name = "fetchurl";
 
   nodes = {
-    machine = { pkgs, ... }: {
-      services.nginx = {
-        enable = true;
+    machine =
+      { pkgs, ... }:
+      {
+        services.nginx = {
+          enable = true;
 
-        virtualHosts."good" = {
-          addSSL = true;
-          sslCertificate = "${goodCert}/cert.pem";
-          sslCertificateKey = "${goodCert}/key.pem";
-          root = pkgs.runCommand "nginx-root" {} ''
-            mkdir "$out"
-            echo 'hello world' > "$out/index.html"
-          '';
+          virtualHosts."good" = {
+            addSSL = true;
+            sslCertificate = "${goodCert}/cert.pem";
+            sslCertificateKey = "${goodCert}/key.pem";
+            root = pkgs.runCommand "nginx-root" { } ''
+              mkdir "$out"
+              echo 'hello world' > "$out/index.html"
+            '';
+          };
+
+          virtualHosts."bad" = {
+            addSSL = true;
+            sslCertificate = "${badCert}/cert.pem";
+            sslCertificateKey = "${badCert}/key.pem";
+            root = pkgs.runCommand "nginx-root" { } ''
+              mkdir "$out"
+              echo 'foobar' > "$out/index.html"
+            '';
+          };
         };
 
-        virtualHosts."bad" = {
-          addSSL = true;
-          sslCertificate = "${badCert}/cert.pem";
-          sslCertificateKey = "${badCert}/key.pem";
-          root = pkgs.runCommand "nginx-root" {} ''
-            mkdir "$out"
-            echo 'foobar' > "$out/index.html"
-          '';
-        };
+        security.pki.certificateFiles = [ "${goodCert}/cert.pem" ];
+
+        networking.hosts."127.0.0.1" = [
+          "good"
+          "bad"
+        ];
+
+        virtualisation.writableStore = true;
       };
-
-      security.pki.certificateFiles = [ "${goodCert}/cert.pem" ];
-
-      networking.hosts."127.0.0.1" = [ "good" "bad" ];
-
-      virtualisation.writableStore = true;
-
-      nix.settings.experimental-features = "nix-command";
-    };
   };
 
   testScript = ''
@@ -76,7 +83,7 @@ in
     # Fetching from a server with an untrusted cert should fail.
     err = machine.fail("nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }' 2>&1")
     print(err)
-    assert "SSL certificate problem: self-signed certificate" in err
+    assert "SSL peer certificate or SSH remote key was not OK" in err
 
     # Fetching from a server with a trusted cert should work via environment variable override.
     machine.succeed("NIX_SSL_CERT_FILE=/tmp/cafile.pem nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }'")