
Not all fetches use system ssl certs #4173

@expipiplus1

Description


Describe the bug

Some fetchers (at least fetchgit) do not use extra certificates set in the nixos option security.pki.certificates or certificateFiles, or the system certs on any OS. This causes builds to fail when used with a TLS intercepting proxy.

The security implication here is that fetches could use out of date certs specified in an old nixpkgs revision.

See also NixOS/nixpkgs#89526 and NixOS/nixpkgs#101119.

To Reproduce

Steps to reproduce the behavior:

  • Be behind a TLS intercepting proxy

  • Set the nixos option security.pki.certificates to include the MITM certs and switch

  • Observe that a user can use curl and git and successfully navigate through the proxy

  • Observe that builtins.fetchurl works

    nix-build $(nix-instantiate --expr 'builtins.fetchurl{url="https://github.com"; sha256="1111111111111111111111111111111111111111111111111111111111111111";}')
    # Fails after fetching the file
    
  • Observe that fetchgit fails

    nix-build $(nix-instantiate --expr 'with (import <nixpkgs>{}); fetchgit{url="https://github.com/nixos/nixpkgs";sha256="1111111111111111111111111111111111111111111111111111111111111111";rev="foo";}')
    warning: you did not specify '--add-root'; the result might be removed by the garbage collector
    these derivations will be built:
      /nix/store/iskxcb2sqzfqicgdx7dryrj5kiacm6ma-nixpkgs.drv
    building '/nix/store/iskxcb2sqzfqicgdx7dryrj5kiacm6ma-nixpkgs.drv'...
    exporting https://github.com/nixos/nixpkgs (rev foo) into /nix/store/wqfh9mzx0c2c47dz59yc2wrck49zslrm-nixpkgs
    Initialized empty Git repository in /nix/store/wqfh9mzx0c2c47dz59yc2wrck49zslrm-nixpkgs/.git/
    fatal: unable to access 'https://github.com/nixos/nixpkgs/': SSL certificate problem: unable to get local issuer certificate
    fatal: unable to access 'https://github.com/nixos/nixpkgs/': SSL certificate problem: unable to get local issuer certificate
    fatal: unable to access 'https://github.com/nixos/nixpkgs/': SSL certificate problem: unable to get local issuer certificate
    Unable to checkout refs/tags/foo from https://github.com/nixos/nixpkgs.
    builder for '/nix/store/iskxcb2sqzfqicgdx7dryrj5kiacm6ma-nixpkgs.drv' failed with exit code 1
    
  • Modify the cacert package to include the MITM certs in ca-bundle.crt

  • Observe that fetchgit works

    nix-build $(nix-instantiate --expr 'with (import <nixpkgs>{}); fetchgit{url="https://github.com/nixos/nixpkgs";sha256="1111111111111111111111111111111111111111111111111111111111111111";rev="foo";}')
    warning: you did not specify '--add-root'; the result might be removed by the garbage collector
    these derivations will be built:
      /nix/store/bwfscaj59r1vjhrvx6myny762s3szkkc-nixpkgs.drv
    building '/nix/store/bwfscaj59r1vjhrvx6myny762s3szkkc-nixpkgs.drv'...
    exporting https://github.com/nixos/nixpkgs (rev foo) into /nix/store/wqfh9mzx0c2c47dz59yc2wrck49zslrm-nixpkgs
    Initialized empty Git repository in /nix/store/wqfh9mzx0c2c47dz59yc2wrck49zslrm-nixpkgs/.git/
    fatal: couldn't find remote ref refs/tags/foo
    remote: Enumerating objects: 28, done.
    remote: Counting objects: 100% (28/28), done.
    remote: Compressing objects: 100% (28/28), done.
    

Expected behavior

The certs used for fetchers should be consistent. And if the MITM certs aren't used, then documentation should explain what a user must do to use them in fetchers.

Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 5.4.70, NixOS, 20.03.git.d3784204ba1 (Markhor)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3.6`
 - channels(root): `"nixos-19.09.2152.790970f6b1c"`
 - nixpkgs: `/home/j/src/nixpkgs`

Cc @roberth
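One way to check for the inconsistency this issue describes, added here as an example and not code from the issue or from Nix itself: compare the CA bundle a fetcher trusts (the cacert package's ca-bundle.crt) against the system trust store by SHA-256 fingerprint, reporting both the CAs a fetcher would not trust (the proxy CA case above) and the CAs only the fetcher still trusts (the stale-bundle risk). The sample bundles are constructed placeholders, and the /etc/ssl/certs/ca-bundle.crt path is an assumption.

```python
import base64
import hashlib
import re
import sys

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of one DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def bundle_fingerprints(pem_text: str) -> set:
    """Fingerprints of every CERTIFICATE block in a PEM bundle; bad base64 is skipped."""
    fps = set()
    for match in PEM_CERT.finditer(pem_text):
        try:
            der = base64.b64decode("".join(match.group(1).split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        fps.add(fingerprint(der))
    return fps

def diff_bundles(system_pem: str, fetcher_pem: str):
    """Return (CAs the system trusts but the fetcher does not, CAs only the fetcher trusts).
    The first list breaks builds behind an intercepting proxy; the second is the
    stale-root risk of a bundle pinned in an old nixpkgs revision."""
    system_fps = bundle_fingerprints(system_pem)
    fetcher_fps = bundle_fingerprints(fetcher_pem)
    return sorted(system_fps - fetcher_fps), sorted(fetcher_fps - system_fps)

def pem_block(der: bytes) -> str:
    """Wrap bytes as a PEM CERTIFICATE block (only used to build sample input)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample bundles: placeholder bytes stand in for real DER certificates.
PUBLIC_ROOT = b"placeholder: public root A"
PROXY_CA = b"placeholder: corporate TLS-intercepting proxy CA"
RETIRED_ROOT = b"placeholder: root retired since the pinned nixpkgs revision"
SYSTEM_BUNDLE = pem_block(PUBLIC_ROOT) + pem_block(PROXY_CA)
FETCHER_BUNDLE = pem_block(PUBLIC_ROOT) + pem_block(RETIRED_ROOT)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. /etc/ssl/certs/ca-bundle.crt and cacert's ca-bundle.crt (assumed paths)
        with open(sys.argv[1]) as s, open(sys.argv[2]) as f:
            missing, stale = diff_bundles(s.read(), f.read())
    else:
        missing, stale = diff_bundles(SYSTEM_BUNDLE, FETCHER_BUNDLE)
    print("not trusted by fetcher:", missing, "\nnot trusted by system:", stale)
```

Run it with the two real bundle paths to see which fingerprints differ; with no arguments it runs against the constructed sample bundles.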
