guix_mirror_bot pushed a commit to branch gnome-team
in repository guix.

commit 6a4136dfeac03c82f662338db531941287769db3
Author: Maxim Cournoyer <[email protected]>
AuthorDate: Tue Dec 24 14:11:13 2024 +0900

    gnu: p11-kit: Add nss-certs to default trust path.
    
    * gnu/packages/tls.scm (p11-kit): [native-inputs]: Add nss-certs.
    [arguments] <#:configure-flags>: Expose its certs via an 'anchors'
    subdirectory to the trust paths.
    
    Change-Id: Iee727edb1f51f8503fcbdd4ec1dee0d47a6bba39
---
 gnu/packages/tls.scm | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index ade1224f9e..5492bff348 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -63,6 +63,7 @@
   #:use-module (gnu packages bash)
   #:use-module (gnu packages build-tools)
   #:use-module (gnu packages check)
+  #:use-module (gnu packages certs)
   #:use-module (gnu packages curl)
   #:use-module (gnu packages dns)
   #:use-module (gnu packages docbook)
@@ -159,7 +160,8 @@ in intelligent transportation networks.")
         (base32 "1rcq2578aq3ag288qnvdmj4a2wbihncndbr6iw0vxcfda1jail04"))))
     (build-system gnu-build-system)
     (native-inputs
-     (list pkg-config
+     (list nss-certs                    ;default certificates
+           pkg-config
            python-minimal))             ;to generate some headers
     (inputs
      (append (list libffi libtasn1)
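Review bot: `nss-certs` is listed under `native-inputs`, but the configure-flags hunk further down embeds a path derived from it in the installed trust paths, so it becomes a run-time reference of the built package rather than a build-only tool. Guix convention would place it in `inputs` and look it up with `(this-package-input "nss-certs")`. If the native placement is deliberate (certificate data is architecture-independent), the inline comment should say so, for example `;default certificates, referenced at run time`. The package definition begins and ends outside this hunk.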
@@ -172,9 +174,20 @@ in intelligent transportation networks.")
       #~(list (string-append
                "--with-trust-paths="
                (string-join
-                '("/etc/ssl/certs/ca-certificates.crt" ;guix, debian, gentoo, 
etc.
+                '("/etc/ssl/certs/ca-certificates.crt" ;debian, gentoo, etc.
                   "/etc/pki/tls/certs/ca-bundle.crt"   ;fedora, centos
-                  "/var/lib/ca-certificates/ca-bundle.pem") ;opensuse
+                  "/var/lib/ca-certificates/ca-bundle.pem"
+                  ;; It's not enough to point directly to the nss-certs'
+                  ;; etc/ssl/certs directory; we must ensure the .pem
+                  ;; certificates from a directory are found under the
+                  ;; anchors/ subdirectory to be trusted (see:
+                  ;; https://p11-glue.github.io/p11-glue/p11-kit/
+                  ;; manual/trust-module.html#trust-files).
+                  #$(file-union
+                     "nss-certs"
+                     `(("anchors"
+                        ,(file-append (this-package-native-input "nss-certs")
+                                      "/etc/ssl/certs")))))
                 ":")))))
     (home-page "https://p11-glue.github.io/p11-glue/p11-kit.html";)
     (synopsis "PKCS#11 library")
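Review bot: The `file-union` appended to `--with-trust-paths` compiles a fixed nss-certs store path into p11-kit, so the default anchor set is frozen at build time. As far as I understand the trust module, every listed path is loaded, so these anchors are trusted in addition to `/etc/ssl/certs/ca-certificates.crt` rather than instead of it. An administrator who removes or replaces a CA in the system bundle would then presumably still have it trusted through the built-in anchors, and a distrusted root would stay in effect until p11-kit is rebuilt or grafted. The comment above the `file-union` should record this, for example `;; NOTE: these anchors are fixed at build time and are trusted in addition to the system bundle; dropping a CA requires rebuilding p11-kit.` The enclosing package definition starts and ends outside the hunk.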
