guix_mirror_bot pushed a commit to branch gnome-team
in repository guix.

commit fdc4a6dc45bb7fff6710c40fb6d598ae5ad3836b
Author: Maxim Cournoyer <[email protected]>
AuthorDate: Mon Feb 10 21:54:34 2025 +0900

    gnu: gnutls: Use p11-kit to provide the default certificates.
    
    This makes it so that GnuTLS always knows to locate the nss-certs without
    users having to do anything.  This default behavior can be modified by users
    via the p11-kit configuration mechanism, which can be done per-user.
    
    * gnu/packages/patches/gnutls-skip-trust-store-test.patch: Delete file.
    * gnu/local.mk (dist_patch_DATA): De-register it.
    * gnu/packages/tls.scm (gnutls) [source]: Remove
    'gnutls-skip-trust-store-test.patch' patch.
    [#:configure-flags]: Delete "--with-default-trust-store-dir=/etc/ssl/certs".
    Add "--with-default-trust-store-pkcs11=pkcs11:".  Update comment.
    
    Fixes: <https://issues.guix.gnu.org/75902>
    Fixes: <https://issues.guix.gnu.org/46779>
    Change-Id: Ie45bfe8c2884c1ab277b0fba6135a5af3a9b6a3d
---
 gnu/local.mk                                           |  1 -
 .../patches/gnutls-skip-trust-store-test.patch         | 15 ---------------
 gnu/packages/tls.scm                                   | 18 ++++++------------
 3 files changed, 6 insertions(+), 28 deletions(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index c327090186..0724c0ca37 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1510,7 +1510,6 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/gnumach-version.patch                   \
   %D%/packages/patches/gnupg-default-pinentry.patch            \
   %D%/packages/patches/gnupg-1-build-with-gcc10.patch          \
-  %D%/packages/patches/gnutls-skip-trust-store-test.patch      \
   %D%/packages/patches/gnutls-no-which.patch                   \
   %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
   %D%/packages/patches/gobject-introspection-absolute-shlib-path-1.72.patch \
diff --git a/gnu/packages/patches/gnutls-skip-trust-store-test.patch 
b/gnu/packages/patches/gnutls-skip-trust-store-test.patch
deleted file mode 100644
index e0536712a5..0000000000
--- a/gnu/packages/patches/gnutls-skip-trust-store-test.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Version 3.5.11 added a test to check that the default trust store is readable.
-It does not exist in the build environment, so pretend everything is fine.
-
-diff a/tests/trust-store.c b/tests/trust-store.c
---- a/tests/trust-store.c
-+++ b/tests/trust-store.c
-@@ -61,7 +61,7 @@
-       } else if (ret < 0) {
-               fail("error loading system trust store: %s\n", 
gnutls_strerror(ret));
-       } else if (ret == 0) {
--              fail("no certificates were found in system trust store!\n");
-+              success("no trust store in the Guix build environment!\n");
-       }
- 
-       gnutls_certificate_free_credentials(x509_cred);
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index d088331ee6..9ddb90601f 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -217,8 +217,7 @@ living in the same process.")
               (uri (string-append "mirror://gnupg/gnutls/v"
                                   (version-major+minor version)
                                   "/gnutls-" version ".tar.xz"))
-              (patches (search-patches "gnutls-no-which.patch"
-                                       "gnutls-skip-trust-store-test.patch"))
+              (patches (search-patches "gnutls-no-which.patch"))
               (sha256
                (base32
                 "1v9090cbajf02cw01idfbp0cgmgjn5091ff1b96hqryi0bc17qb9"))))
@@ -241,16 +240,11 @@ living in the same process.")
               ;; ld.so.cache file.
               "--with-zlib=link"
               "--with-zstd=link"
-              ;; GnuTLS doesn't consult any environment variables to specify
-              ;; the location of the system-wide trust store.  Instead it has a
-              ;; configure-time option.  Unless specified, its configure script
-              ;; attempts to auto-detect the location by looking for common
-              ;; places in the file system, none of which are present in our
-              ;; chroot build environment.  If not found, then no default trust
-              ;; store is used, so each program has to provide its own
-              ;; fallback, and users have to configure each program
-              ;; independently.  This seems suboptimal.
-              "--with-default-trust-store-dir=/etc/ssl/certs")
+              ;; Configure GnuTLS to use the p11-kit trust module by default,
+              ;; which is more flexible and knows to look at locations we've
+              ;; configured it to, on top of allowing users to configure it
+              ;; further.
+              "--with-default-trust-store-pkcs11=pkcs11:")
            #:phases
            #~(modify-phases %standard-phases
                #$@(if (target-ppc32?)
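Review bot: The comment added above `"--with-default-trust-store-pkcs11=pkcs11:"` should spell out what the bare `pkcs11:` URI means for trust: with no token or module qualifier, every module that p11-kit is configured to load contributes to the default trust store, so the set of anchors GnuTLS trusts is now defined by the system-wide and per-user p11-kit configuration rather than by the fixed `/etc/ssl/certs` directory the removed flag named. "locations we've configured it to" also gives the reader no pointer to where those paths are set; if that is the p11-kit package definition, the comment should name it. Suggested wording: `;; Use the p11-kit trust module as the default trust store.  The bare` / `;; 'pkcs11:' URI selects every module p11-kit loads, so the trusted anchors` / `;; are whatever the p11-kit configuration (system-wide and per-user) provides.` The gnutls package definition continues outside the hunk, so whether p11-kit is among its inputs cannot be confirmed from here.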
