So this and temporarily resurrect the current nss "version" just for cacert? (which doesn't retain any reference anyway) EDIT: in order to keep the rebuilds down, revert that part on staging.

Oh scratch my last comment! I forgot that cacert only uses nss.src directly, so this PR won't rebuild that.

Oh scratch my last comment! I forgot that cacert only uses nss.src directly, so this PR won't rebuild that.

Today I learned. That's cool, then we can probably just go with this.

Could use some more testers from #93955, maybe.

Slack works, Discord also works. It seems it fixes the issue #93955. thank you very much @ajs124 @vcunat.

I tried firefox, though it shouldn't be a surprise that it appears to still work OK.

It's quite unfortunate that the missing component of NSS wasn't detected during build time (by the packages needing that). Let's have a look at diff in files for NSS after this commit (3.54) and before the build-system change (3.52.1):

@@ -5,16 +5,12 @@
 result/lib:
 libfreebl3.chk
 libfreebl3.so
-libfreeblpriv3.chk
 libfreeblpriv3.so
-libgtest1.so
-libgtestutil.so
 libnss3.so
 libnssckbi.so
 libnssckbi-testlib.so
 libnssdbm3.chk
 libnssdbm3.so
-libnsspem.so
 libnsssysinit.so
 libnssutil3.so
 libpkcs11testmodule.so
@@ -69,6 +65,7 @@
 keythi.h
 lowkeyi.h
 lowkeyti.h
+mozpkix
 nssb64.h
 nssb64t.h
 nssbase.h
@@ -88,7 +85,6 @@
 nssilock.h
 nsslocks.h
 nsslowhash.h
-nsspem.h
 nssrwlk.h
 nssrwlkt.h
 nssutil.h
@@ -145,8 +141,24 @@
 utilparst.h
 utilrename.h
 
+result-dev/include/nss/mozpkix:
+Input.h
+nss_scoped_ptrs.h
+pkixcheck.h
+pkixder.h
+pkix.h
+pkixnss.h
+pkixtypes.h
+pkixutil.h
+Result.h
+test
+Time.h
+
+result-dev/include/nss/mozpkix/test:
+pkixtestnss.h
+pkixtestutil.h
+
 result-dev/lib:
-libcrmf.a
 pkgconfig
 
 result-dev/lib/pkgconfig:
@@ -162,6 +174,7 @@
 addbuiltin
 atob
 baddbdir
+blake2b_gtest
 bltest
 btoa
 certdb_gtest
@@ -181,15 +194,19 @@
 ecperf
 encodeinttest
 fbectest
-fipstest
+freebl_gtest
 httpserv
+hw-support
 listsuites
 lowhashtest
 makepqg
 mangle
 modutil
+mozpkix_gtest
+mpi_tests
 multinit
 nonspr10
+nss
 nss_bogo_shim
 nss-policy-check
 ocspclnt
@@ -208,6 +225,7 @@
 pk1sign
 pkix-errcodes
 pp
+prng_gtest
 pwdecrypt
 remtest
 rsaperf
@@ -218,7 +236,6 @@
 shlibsign
 signtool
 signver
-smime
 smime_gtest
 softoken_gtest
 ssl_gtest

Suspects: libnsspem and smime.

EDIT: I retried the diff on the same version (3.52.1) only changing the build system, but that seemed uninteresting – only brought one additional difference (missing pkix-errcodes tool).

OK, I hope it will be fine. And this PR certainly seems to be a significant improvement anyway.

* libnsspem seems typically [packaged separately](https://repology.org/project/nss-pem/versions)

* the smime tool doesn't seem even packaged for Debian/Ubuntu

Sorry for overlooking this when doing the makefile -> gyp switch.

The PEM story is this whole weird thing where we ship this ancient patch introduced in #112
Other distros use this. I'm still not entirely clear on how to test any of this, as I'm sure I've stated before.

Yep, this PR fixes my problem with openconnect-sso as well, which relies on qtwebengine. A big thank you to @ajs124, @vcunat, and everyone in the other related issues that jumped on this problem so quickly!