fetchurl: export SSL_CERT_FILE #470503

Closed
MattSturgeon wants to merge 1 commit into NixOS:master from MattSturgeon:fix-fetchurl-fakeHash

@MattSturgeon MattSturgeon commented Dec 13, 2025

Since #464475 enabled structured attrs in fetchurl, empty-hash FODs have been failing with:

$ nix-build --expr '(import ./. {}).fetchurl { url = "https://example.com"; hash = ""; }'
this derivation will be built:
  /nix/store/ryngk5xndc9sdhpw1pk5g8bi7b7dix8a-example.com.drv
building '/nix/store/ryngk5xndc9sdhpw1pk5g8bi7b7dix8a-example.com.drv'...
structuredAttrs is enabled

trying https://example.com
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0   0     0   0     0     0     0  --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
Warning: Problem (retrying all errors). Will retry in 1 second. 3 retries left.
  0     0   0     0   0     0     0     0  --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
Warning: Problem (retrying all errors). Will retry in 2 seconds. 2 retries
Warning: left.
  0     0   0     0   0     0     0     0  --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
Warning: Problem (retrying all errors). Will retry in 4 seconds. 1 retry left.
  0     0   0     0   0     0     0     0  --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
error checking the existence of https://tarballs.nixos.org//sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=:
curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
error: cannot download example.com from any mirror
error: Cannot build '/nix/store/ryngk5xndc9sdhpw1pk5g8bi7b7dix8a-example.com.drv'.
       Reason: builder failed with exit code 1.
       Output paths:
         /nix/store/6jix8ihxjjw4l9l2lpjvjr4wv9psmp7j-example.com
       Last 25 log lines:
       > Warning: Problem (retrying all errors). Will retry in 2 seconds. 2 retries
       > Warning: left.
       >   0     0   0     0   0     0     0     0  --:--:-- --:--:-- --:--:--     0
       > curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
       > More details here: https://curl.se/docs/sslcerts.html
       >
       > curl failed to verify the legitimacy of the server and therefore could not
       > establish a secure connection to it. To learn more about this situation and
       > how to fix it, please visit the webpage mentioned above.
       > Warning: Problem (retrying all errors). Will retry in 4 seconds. 1 retry left.
       >   0     0   0     0   0     0     0     0  --:--:-- --:--:-- --:--:--     0
       > curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
       > More details here: https://curl.se/docs/sslcerts.html
       >
       > curl failed to verify the legitimacy of the server and therefore could not
       > establish a secure connection to it. To learn more about this situation and
       > how to fix it, please visit the webpage mentioned above.
       > error checking the existence of https://tarballs.nixos.org//sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=:
       > curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
       > More details here: https://curl.se/docs/sslcerts.html
       >
       > curl failed to verify the legitimacy of the server and therefore could not
       > establish a secure connection to it. To learn more about this situation and
       > how to fix it, please visit the webpage mentioned above.
       > error: cannot download example.com from any mirror
       For full logs, run:
         nix log /nix/store/ryngk5xndc9sdhpw1pk5g8bi7b7dix8a-example.com.drv

With __structuredAttrs, SSL_CERT_FILE gets defined in $NIX_ATTRS_SH_FILE as:

declare SSL_CERT_FILE='/nix/store/m65dckzfgr1lr90g5v6jx0iynnz38nsk-nss-cacert-3.115/etc/ssl/certs/ca-bundle.crt'

I suspect previously (without __structuredAttrs), derivation would export the variable instead of only declaring it?

This PR manually restores the exported variable.

Building the same empty-hash FOD with this PR:

$ nix-build --expr '(import ./. {}).fetchurl { url = "https://example.com"; hash = ""; }'
this derivation will be built:
  /nix/store/53h6qx0bkr1vwxc2b2l535xyxhl8vvsg-example.com.drv
building '/nix/store/53h6qx0bkr1vwxc2b2l535xyxhl8vvsg-example.com.drv'...
structuredAttrs is enabled

trying https://example.com
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   513 100   513   0     0  1708     0  --:--:-- --:--:-- --:--:--  1710
error: hash mismatch in fixed-output derivation '/nix/store/53h6qx0bkr1vwxc2b2l535xyxhl8vvsg-example.com.drv':
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
            got:    sha256-b1Y1A182rVALT8S7eBa7cu9VlOG8rkT6B0xemI/EwP4=

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.


Fixes `fetchurl` when supplied an empty hash.
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 11-100 This PR causes between 11 and 100 packages to rebuild on Linux. 10.rebuild-darwin: 11-100 This PR causes between 11 and 100 packages to rebuild on Darwin. 6.topic: fetch Fetchers (e.g. fetchgit, fetchsvn, ...) labels Dec 13, 2025
@MattSturgeon
Contributor Author

Superseded by #470504

@MattSturgeon MattSturgeon deleted the fix-fetchurl-fakeHash branch December 13, 2025 19:02
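
The declare-versus-export behaviour discussed in this PR, as an added illustration that is not code from the PR or from nixpkgs: a variable that a sourced file only `declare`s is set in the builder shell but absent from the environment of child processes such as curl, so the CA bundle path never reaches the TLS client. The attrs file and CA path below are constructed placeholders, and `make_attrs_file` and `child_view` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example: constructed stand-in for $NIX_ATTRS_SH_FILE.
# The CA bundle path is a placeholder, not a real store path.
make_attrs_file() {
  f=$(mktemp)
  printf "declare SSL_CERT_FILE='%s'\n" "/constructed/ca-bundle.crt" > "$f"
  printf '%s\n' "$f"
}

# Print what a child process (standing in for curl) finds in its
# environment after a builder shell sources the attrs file.
#   $1 = attrs file
#   $2 = "declare-only" (source only) or "export" (source, then export)
child_view() {
  bash -c '
    # Start clean so an inherited SSL_CERT_FILE cannot mask the result.
    unset SSL_CERT_FILE
    source "$1"
    if [ "$2" = export ]; then
      export SSL_CERT_FILE
    fi
    # The builder shell itself always has the value after sourcing...
    [ -n "$SSL_CERT_FILE" ] || exit 2
    # ...but a child process only inherits variables marked for export.
    printenv SSL_CERT_FILE || echo unset
  ' _ "$1" "$2"
}

attrs=$(make_attrs_file)
echo "declare only: child sees $(child_view "$attrs" declare-only)"
echo "with export:  child sees $(child_view "$attrs" export)"
rm -f "$attrs"
```
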