diff --git a/pkgs/build-support/fetchurl/builder.sh b/pkgs/build-support/fetchurl/builder.sh
index 52d4155f46040..a82728ef1025c 100644
--- a/pkgs/build-support/fetchurl/builder.sh
+++ b/pkgs/build-support/fetchurl/builder.sh
@@ -19,8 +19,7 @@ curl=(
     --user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
 )
 
-# Default fallback value defined in pkgs/build-support/fetchurl/default.nix
-if [ "$SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
+if ! [ -f "$SSL_CERT_FILE" ]; then
     curl+=(--insecure)
 fi
 
diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix
index ccfc02d47c548..e4a70743334b5 100644
--- a/pkgs/build-support/fetchurl/default.nix
+++ b/pkgs/build-support/fetchurl/default.nix
@@ -220,26 +220,20 @@ stdenvNoCC.mkDerivation (
       # New-style output content requirements.
       inherit (hash_) outputHashAlgo outputHash;
 
+      # Disable TLS verification only when we know the hash and no credentials are
+      # needed to access the resource
       SSL_CERT_FILE =
-        let
-          nixSSLCertFile = builtins.getEnv "NIX_SSL_CERT_FILE";
-        in
-        if nixSSLCertFile != "" then
-          nixSSLCertFile
-        else if
+        if
           (
             hash_.outputHash == ""
             || hash_.outputHash == lib.fakeSha256
             || hash_.outputHash == lib.fakeSha512
             || hash_.outputHash == lib.fakeHash
-            # Make sure we always enforce TLS verification when credentials
-            # are needed to access the resource
             || netrcPhase != null
           )
         then
           "${cacert}/etc/ssl/certs/ca-bundle.crt"
         else
-          # Fallback to stdenv default, see pkgs/stdenv/generic/setup.sh
           "/no-cert-file.crt";
 
       outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
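Review bot: The new `if ! [ -f "$SSL_CERT_FILE" ]` test fails open: any unset, empty or non-existent value now silently adds `--insecure`, whereas the removed check only downgraded on the explicit `/no-cert-file.crt` sentinel that default.nix sets when the hash is pinned. In the branch where default.nix deliberately points at the cacert bundle (unknown hash or `netrcPhase` set) a path that is absent in the build environment would therefore skip verification without any trace in the log; whether the sandbox can override the variable is not visible here, so I'd at least make the unexpected case loud. The rewrite below keeps the sentinel as the silent, expected downgrade and reports any other missing file before falling back.
```shell
if [ "$SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
    # Hash is pinned by default.nix, integrity comes from the output hash.
    curl+=(--insecure)
elif ! [ -f "$SSL_CERT_FILE" ]; then
    echo "warning: SSL_CERT_FILE ($SSL_CERT_FILE) does not exist; TLS verification disabled" >&2
    curl+=(--insecure)
fi
```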
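Review bot: The hunk drops the `builtins.getEnv "NIX_SSL_CERT_FILE"` override without documenting why, so evaluations that relied on it to supply a custom CA (a private CA in front of a credentialed or unhashed source, for example) will presumably now verify against the bundled cacert only and fail; if that is intended, say so in the new comment. The added comment also describes the `else` branch while the condition lists the cases that enforce verification, and the removed "Fallback to stdenv default" line leaves `"/no-cert-file.crt"` unexplained; I'd replace the two added comment lines with `# Enforce TLS verification when the hash is unknown or a placeholder, or when credentials (netrcPhase) are needed; otherwise the pinned output hash guarantees integrity.` and put `# Sentinel path that never exists; builder.sh falls back to --insecure for it.` above the `"/no-cert-file.crt"` line. The enclosing `mkDerivation` attribute set starts and ends outside the hunk.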