Merge "libstore/build: copy ca-certificates too" into main
commit
ff08d95420
2 changed files with 11 additions and 2 deletions
|
@ -1847,8 +1847,12 @@ void LocalDerivationGoal::runChild()
|
||||||
copyFile(path, chrootRootDir + path, { .followSymlinks = true });
|
copyFile(path, chrootRootDir + path, { .followSymlinks = true });
|
||||||
}
|
}
|
||||||
|
|
||||||
if (settings.caFile != "")
|
if (settings.caFile != "" && pathExists(settings.caFile)) {
|
||||||
pathsInChroot.try_emplace("/etc/ssl/certs/ca-certificates.crt", settings.caFile, true);
|
// For the same reasons as above, copy the CA certificates file too.
|
||||||
|
// It should be even less likely to change during the build than resolv.conf.
|
||||||
|
createDirs(chrootRootDir + "/etc/ssl/certs");
|
||||||
|
copyFile(settings.caFile, chrootRootDir + "/etc/ssl/certs/ca-certificates.crt", { .followSymlinks = true });
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for (auto & i : ss) pathsInChroot.emplace(i, i);
|
for (auto & i : ss) pathsInChroot.emplace(i, i);
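Review bot: The new guard `pathExists(settings.caFile)` and the `copyFile(..., { .followSymlinks = true })` that follows can disagree when `settings.caFile` is a symlink whose target is missing. If `pathExists` does not resolve symlinks (its definition is not visible here, so this needs confirming), the check passes and the copy then fails inside `runChild()` instead of the build proceeding without a CA file. The file can also disappear between the check and the copy, so it is worth deciding whether that failure should abort the build or be treated the same as "no CA file". Because the bind mount is replaced by a one-time copy, I would extend the comment with something like `// Snapshot taken at build start: later changes to settings.caFile on the host (e.g. a removed root) are not seen inside the sandbox.` The body of `runChild()` starts and ends outside this hunk.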
|
||||||
|
|
|
@ -60,7 +60,9 @@ testCert () {
|
||||||
|
|
||||||
nocert=$TEST_ROOT/no-cert-file.pem
|
nocert=$TEST_ROOT/no-cert-file.pem
|
||||||
cert=$TEST_ROOT/some-cert-file.pem
|
cert=$TEST_ROOT/some-cert-file.pem
|
||||||
|
certsymlink=$TEST_ROOT/cert-symlink.pem
|
||||||
echo -n "CERT_CONTENT" > $cert
|
echo -n "CERT_CONTENT" > $cert
|
||||||
|
ln -s $cert $certsymlink
|
||||||
|
|
||||||
# No cert in sandbox when not a fixed-output derivation
|
# No cert in sandbox when not a fixed-output derivation
|
||||||
testCert missing normal "$cert"
|
testCert missing normal "$cert"
|
||||||
|
@ -74,5 +76,8 @@ testCert missing fixed-output "$nocert"
|
||||||
# Cert in sandbox when ssl-cert-file is set to an existing file
|
# Cert in sandbox when ssl-cert-file is set to an existing file
|
||||||
testCert present fixed-output "$cert"
|
testCert present fixed-output "$cert"
|
||||||
|
|
||||||
|
# Cert in sandbox when ssl-cert-file is set to a symlink
|
||||||
|
testCert present fixed-output "$certsymlink"
|
||||||
|
|
||||||
# Symlinks should be added in the sandbox directly and not followed
|
# Symlinks should be added in the sandbox directly and not followed
|
||||||
nix-sandbox-build symlink-derivation.nix
|
nix-sandbox-build symlink-derivation.nix
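Review bot: The added `ln -s $cert $certsymlink` leaves both expansions unquoted, while the `testCert` calls below quote theirs; `ln -s "$cert" "$certsymlink"` keeps the setup working if `$TEST_ROOT` ever contains whitespace or glob characters. The new case covers a symlink to an existing file only. A further case with a symlink whose target does not exist would pin down what the sandbox setup is meant to do for a stale `ssl-cert-file` path.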
|
||||||
|
|