Merge pull request #11610 from Mic92/ssl-fix

fix passing CA files into builtins:fetchurl sandbox
2025-11-15 23:12:44 +01:00 · 2024-10-07 14:41:32 +02:00 · 2024-10-07 14:41:32 +02:00 · 4dc7946acd
commit 4dc7946acd
parent 0dc8419c11 410853ddcf
4 changed files with 30 additions and 12 deletions
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@ -1743,13 +1743,20 @@ void LocalDerivationGoal::runChild()

        bool setUser = true;

-        /* Make the contents of netrc available to builtin:fetchurl
-           (which may run under a different uid and/or in a sandbox). */
+        /* Make the contents of netrc and the CA certificate bundle
+           available to builtin:fetchurl (which may run under a
+           different uid and/or in a sandbox). */
        std::string netrcData;
-        try {
-            if (drv->isBuiltin() && drv->builder == "builtin:fetchurl")
-                netrcData = readFile(settings.netrcFile);
-        } catch (SystemError &) { }
+        std::string caFileData;
+        if (drv->isBuiltin() && drv->builder == "builtin:fetchurl") {
+           try {
+               netrcData = readFile(settings.netrcFile);
+           } catch (SystemError &) { }
+
+           try {
+               caFileData = readFile(settings.caFile);
+           } catch (SystemError &) { }
+        }

 #if __linux__
        if (useChroot) {
@ -2188,7 +2195,7 @@ void LocalDerivationGoal::runChild()
                        worker.store.printStorePath(scratchOutputs.at(e.first)));

                if (drv->builder == "builtin:fetchurl")
-                    builtinFetchurl(*drv, outputs, netrcData);
+                    builtinFetchurl(*drv, outputs, netrcData, caFileData);
                else if (drv->builder == "builtin:buildenv")
                    builtinBuildenv(*drv, outputs);
                else if (drv->builder == "builtin:unpack-channel")