nixpkgs/pkgs/development/libraries/nss/default.nix

{ lib, stdenv, fetchurl, nspr, perl, zlib
, sqlite, ninja
, darwin, fixDarwinDylibNames, buildPackages
, useP11kit ? true, p11-kit
, # allow FIPS mode. Note that this makes the output non-reproducible.
  # https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6
  enableFIPS ? false
}:

let
  nssPEM = fetchurl {
    url = "http://dev.gentoo.org/~polynomial-c/mozilla/nss-3.15.4-pem-support-20140109.patch.xz";
    sha256 = "10ibz6y0hknac15zr6dw4gv9nb5r5z9ym6gq18j3xqx7v7n3vpdw";
  };

  # NOTE: Whenever you updated this version check if the `cacert` package also
  #       needs an update. You can run the regular updater script for cacerts.
  #       It will rebuild itself using the version of this package (NSS) and if
  #       an update is required do the required changes to the expression.
  #       Example: nix-shell ./maintainers/scripts/update.nix --argstr package cacert
  version = "3.64";
  underscoreVersion = builtins.replaceStrings ["."] ["_"] version;

in stdenv.mkDerivation rec {
  pname = "nss";
  inherit version;

  src = fetchurl {
    url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/${pname}-${version}.tar.gz";
    sha256 = "09hivz4qf3dw7m21lshw34l0yncinwn4ax5w3rpkm71f2wkm85yk";
  };

  depsBuildBuild = [ buildPackages.stdenv.cc ];

  nativeBuildInputs = [ perl ninja (buildPackages.python3.withPackages (ps: with ps; [ gyp ])) ]
    ++ lib.optionals stdenv.hostPlatform.isDarwin [ darwin.cctools fixDarwinDylibNames ];

  buildInputs = [ zlib sqlite ];

  propagatedBuildInputs = [ nspr ];

  prePatch = ''
    # strip the trailing whitespace from the patch line and the renamed CKO_NETSCAPE_ enum to CKO_NSS_
    xz -d < ${nssPEM} | sed \
       -e 's/-DIRS = builtins $/-DIRS = . builtins/g' \
       -e 's/CKO_NETSCAPE_/CKO_NSS_/g' \
       -e 's/CKT_NETSCAPE_/CKT_NSS_/g' \
       | patch -p1

    patchShebangs nss

    for f in nss/coreconf/config.gypi nss/build.sh nss/coreconf/config.gypi; do
      substituteInPlace "$f" --replace "/usr/bin/env" "${buildPackages.coreutils}/bin/env"
    done

    substituteInPlace nss/coreconf/config.gypi --replace "/usr/bin/grep" "${buildPackages.coreutils}/bin/env grep"
  '';

  patches =
    [
      # Based on http://patch-tracker.debian.org/patch/series/dl/nss/2:3.15.4-1/85_security_load.patch
      ./85_security_load.patch
      ./ckpem.patch
      ./fix-cross-compilation.patch
    ];

  patchFlags = [ "-p0" ];

  postPatch = lib.optionalString stdenv.hostPlatform.isDarwin ''
     substituteInPlace nss/coreconf/Darwin.mk --replace '@executable_path/$(notdir $@)' "$out/lib/\$(notdir \$@)"
     substituteInPlace nss/coreconf/config.gypi --replace "'DYLIB_INSTALL_NAME_BASE': '@executable_path'" "'DYLIB_INSTALL_NAME_BASE': '$out/lib'"
   '';

  outputs = [ "out" "dev" "tools" ];

  preConfigure = "cd nss";

  buildPhase = let
    getArch = platform: if platform.isx86_64 then "x64"
          else if platform.isx86_32 then "ia32"
          else if platform.isAarch32 then "arm"
          else if platform.isAarch64 then "arm64"
          else if platform.isPower && platform.is64bit then (
            if platform.isLittleEndian then "ppc64le" else "ppc64"
          )
          else platform.parsed.cpu.name;
    # yes, this is correct. nixpkgs uses "host" for the platform the binary will run on whereas nss uses "host" for the platform that the build is running on
    target = getArch stdenv.hostPlatform;
    host = getArch stdenv.buildPlatform;
  in ''
    runHook preBuild

    sed -i 's|nss_dist_dir="$dist_dir"|nss_dist_dir="'$out'"|;s|nss_dist_obj_dir="$obj_dir"|nss_dist_obj_dir="'$out'"|' build.sh
    ./build.sh -v --opt \
      --with-nspr=${nspr.dev}/include:${nspr.out}/lib \
      --system-sqlite \
      --enable-legacy-db \
      --target ${target} \
      -Dhost_arch=${host} \
      -Duse_system_zlib=1 \
      --enable-libpkix \
      ${lib.optionalString enableFIPS "--enable-fips"} \
      ${lib.optionalString stdenv.isDarwin "--clang"} \
      ${lib.optionalString (stdenv.hostPlatform != stdenv.buildPlatform) "--disable-tests"}

    runHook postBuild
  '';

  NIX_CFLAGS_COMPILE = "-Wno-error -DNIX_NSS_LIBDIR=\"${placeholder "out"}/lib/\"";

  installPhase = ''
    runHook preInstall

    rm -rf $out/private
    find $out -name "*.TOC" -delete
    mv $out/public $out/include

    ln -s lib $out/lib64

    # Upstream issue: https://bugzilla.mozilla.org/show_bug.cgi?id=530672
    # https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/nss/files/nss-3.32-gentoo-fixups.patch?id=af1acce6c6d2c3adb17689261dfe2c2b6771ab8a
    NSS_MAJOR_VERSION=`grep "NSS_VMAJOR" lib/nss/nss.h | awk '{print $3}'`
    NSS_MINOR_VERSION=`grep "NSS_VMINOR" lib/nss/nss.h | awk '{print $3}'`
    NSS_PATCH_VERSION=`grep "NSS_VPATCH" lib/nss/nss.h | awk '{print $3}'`
    PREFIX="$out"

    mkdir -p $out/lib/pkgconfig
    sed -e "s,%prefix%,$PREFIX," \
        -e "s,%exec_prefix%,$PREFIX," \
        -e "s,%libdir%,$PREFIX/lib64," \
        -e "s,%includedir%,$dev/include/nss," \
        -e "s,%NSS_VERSION%,$NSS_MAJOR_VERSION.$NSS_MINOR_VERSION.$NSS_PATCH_VERSION,g" \
        -e "s,%NSPR_VERSION%,4.16,g" \
        pkg/pkg-config/nss.pc.in > $out/lib/pkgconfig/nss.pc
    chmod 0644 $out/lib/pkgconfig/nss.pc

    sed -e "s,@prefix@,$PREFIX," \
        -e "s,@MOD_MAJOR_VERSION@,$NSS_MAJOR_VERSION," \
        -e "s,@MOD_MINOR_VERSION@,$NSS_MINOR_VERSION," \
        -e "s,@MOD_PATCH_VERSION@,$NSS_PATCH_VERSION," \
        pkg/pkg-config/nss-config.in > $out/bin/nss-config
    chmod 0755 $out/bin/nss-config
  '';

  postInstall = lib.optionalString useP11kit ''
    # Replace built-in trust with p11-kit connection
    ln -sf ${p11-kit}/lib/pkcs11/p11-kit-trust.so $out/lib/libnssckbi.so
  '';

  postFixup = let
    isCross = stdenv.hostPlatform != stdenv.buildPlatform;
    nss = if isCross then buildPackages.nss.tools else "$out";
  in
  (lib.optionalString enableFIPS (''
    for libname in freebl3 nssdbm3 softokn3
    do '' +
    (if stdenv.isDarwin
     then ''
       libfile="$out/lib/lib$libname.dylib"
       DYLD_LIBRARY_PATH=$out/lib:${nspr.out}/lib \
     '' else ''
       libfile="$out/lib/lib$libname.so"
       LD_LIBRARY_PATH=$out/lib:${nspr.out}/lib \
     '') + ''
        ${nss}/bin/shlibsign -v -i "$libfile"
    done
  '')) +
  ''
    moveToOutput bin "$tools"
    moveToOutput bin/nss-config "$dev"
    moveToOutput lib/libcrmf.a "$dev" # needed by firefox, for example
    rm -f "$out"/lib/*.a

    runHook postInstall
  '';

  meta = with lib; {
    homepage = "https://developer.mozilla.org/en-US/docs/NSS";
    description = "A set of libraries for development of security-enabled client and server applications";
    license = licenses.mpl20;
    platforms = platforms.all;
  };
}
nss: add option to use p11-kit This commit adds an option to replace libnssckbi with the p11-kit-trust[1] module. It makes all NSS application (like Firefox, Chromium, etc.) use the system trust store (/etc/ssl/certs/ in NixOS) and other PKCS#11 modules without ad-hoc configuration. This approach was first implemented in Fedora[2] and other distributions like Arch Linux, later. [1]: https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-nss.html [2]: https://fedoraproject.org/wiki/Features/SharedSystemCertificates 2020-08-31 10:07:34 +01:00			`{ lib, stdenv, fetchurl, nspr, perl, zlib`
			`, sqlite, ninja`
			`, darwin, fixDarwinDylibNames, buildPackages`
			`, useP11kit ? true, p11-kit`
nss: make reproducible (#102156) According to https://hg.mozilla.org/projects/nss/file/c1fad130dce2081a5d6ce9f539c72d999f59afce/build.sh#l129 the FIPS mode is not enabled by default. Yet we generate the .chk files that are only meant to be used for that mode. I have a sense that those have been cargo-culted around. Adding FIPS is still possible but you have to explictily build the lib with `pkgs.nss.override { enableFIPS = true; }` More info on what FIPS is: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6 Other distros wrangling with the same issue: https://bugzilla.opensuse.org/show_bug.cgi?id=1081723 2020-10-31 20:17:26 +00:00			`, # allow FIPS mode. Note that this makes the output non-reproducible.`
			`# https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6`
			`enableFIPS ? false`
			`}:`
Added Mozilla NSS, NSPR and Gaim to Nix. Gaim in Nix supports SSL svn path=/nixpkgs/trunk/; revision=3676 2005-08-24 10:54:42 +01:00
* Xulrunner/Firefox 3.5: build with --with-system-nss. svn path=/nixpkgs/trunk/; revision=16186 2009-07-06 12:42:21 +01:00			`let`
nss: Update to 3.15.1 2013-08-07 15:17:58 +01:00			`nssPEM = fetchurl {`
treewide: Per RFC45, remove all unquoted URLs 2020-04-01 02:11:51 +01:00			`url = "http://dev.gentoo.org/~polynomial-c/mozilla/nss-3.15.4-pem-support-20140109.patch.xz";`
nss: update to 3.15.4 2014-02-06 20:15:43 +00:00			`sha256 = "10ibz6y0hknac15zr6dw4gv9nb5r5z9ym6gq18j3xqx7v7n3vpdw";`
nss: Add nss-pem module from fedora. This is a compatibility module which adds suport for PEM certificates used by OpenSSL and compatible libraries. The module gets built but isn't used at the moment, so we're going to work on integration of it later. 2012-08-21 05:10:33 +01:00			`};`
cacert: decouple from NSS to reduce rebuild amount In [#100765] @vcunat pointed out that we could decouple cacert from the NSS package to make it more rebuild friendly. Just rebuilding packages that depend on NSS seems to be about ~100. Rebuilding all the packages that depend on cacert is >9k as of this writing. This makes it much more feasible to upgrade high-profile packages that are (rightfully) pedantic on their NSS version like firefox and thunderbird. [#100765]: https://github.com/NixOS/nixpkgs/pull/100765 2020-11-18 14:51:51 +00:00
			# NOTE: Whenever you updated this version check if the `cacert` package also
			`# needs an update. You can run the regular updater script for cacerts.`
			`# It will rebuild itself using the version of this package (NSS) and if`
			`# an update is required do the required changes to the expression.`
			`# Example: nix-shell ./maintainers/scripts/update.nix --argstr package cacert`
nss: 3.63 -> 3.64 2021-04-16 14:49:23 +01:00			`version = "3.64";`
nss: generate url from version (doesn't change derivation hash) Makes future upgrades easier... 2018-12-02 04:25:55 +00:00			`underscoreVersion = builtins.replaceStrings ["."] ["_"] version;`
nss: Add nss-pem module from fedora. This is a compatibility module which adds suport for PEM certificates used by OpenSSL and compatible libraries. The module gets built but isn't used at the moment, so we're going to work on integration of it later. 2012-08-21 05:10:33 +01:00
nss: Fix referencePath to security modules. This adds a patch from Debian, as they're already have security modules from NSS in it's own library directory rather than /usr/lib{,64}/ and patch in loading of libsoftokn as well. The patch and our own fix of the patch (well, they hardcode Debian specific stuff in there) ensures that SECMOD_AddNewModule() will find the right module from the derivation's output path, so the built-in CA root certificates are recognized and verified correctly. 2012-08-22 01:46:48 +01:00			`in stdenv.mkDerivation rec {`
treewide: name -> pname (easy cases) (#66585) treewide replacement of stdenv.mkDerivation rec { name = "-${version}"; version = ""; to pname 2019-08-15 13:41:18 +01:00			`pname = "nss";`
nss: generate url from version (doesn't change derivation hash) Makes future upgrades easier... 2018-12-02 04:25:55 +00:00			`inherit version;`
nss: Update to 3.14 2012-10-31 13:04:58 +00:00
			`src = fetchurl {`
treewide: name -> pname (easy cases) (#66585) treewide replacement of stdenv.mkDerivation rec { name = "-${version}"; version = ""; to pname 2019-08-15 13:41:18 +01:00			`url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/${pname}-${version}.tar.gz";`
nss: 3.63 -> 3.64 2021-04-16 14:49:23 +01:00			`sha256 = "09hivz4qf3dw7m21lshw34l0yncinwn4ax5w3rpkm71f2wkm85yk";`
Added Mozilla NSS, NSPR and Gaim to Nix. Gaim in Nix supports SSL svn path=/nixpkgs/trunk/; revision=3676 2005-08-24 10:54:42 +01:00			`};`

nss: cross compile support 2019-03-20 20:05:45 +00:00			`depsBuildBuild = [ buildPackages.stdenv.cc ];`

nss: try to fix darwin build 2020-07-20 16:02:44 +01:00			`nativeBuildInputs = [ perl ninja (buildPackages.python3.withPackages (ps: with ps; [ gyp ])) ]`
pkgs/development/libraries: stdenv.lib -> lib 2021-01-21 17:00:13 +00:00			`++ lib.optionals stdenv.hostPlatform.isDarwin [ darwin.cctools fixDarwinDylibNames ];`
nss: cross compile support 2019-03-20 20:05:45 +00:00
Re-Revert "Merge #101508: libraw: 0.20.0 -> 0.20.2" This reverts commit c778945806b44d46ec16bc4302e7e7163e6bab97. I believe this is exactly what brings the staging branch into the right shape after the last merge from master (through staging-next); otherwise part of staging changes would be lost (due to being already reachable from master but reverted). 2020-10-26 07:17:14 +00:00			`buildInputs = [ zlib sqlite ];`
nss: propagate nspr 2017-03-22 18:47:51 +00:00
			`propagatedBuildInputs = [ nspr ];`
* Updated NSS. svn path=/nixpkgs/trunk/; revision=16183 2009-07-06 10:12:44 +01:00
nss: Update to 3.15.1 2013-08-07 15:17:58 +01:00			`prePatch = ''`
niss: 3.51 -> 3.52 2020-05-04 00:39:35 +01:00			`# strip the trailing whitespace from the patch line and the renamed CKO_NETSCAPE_ enum to CKO_NSS_`
			`xz -d < ${nssPEM} \| sed \`
nss: 3.52.1 -> 3.54 2020-06-29 02:09:27 +01:00			`-e 's/-DIRS = builtins $/-DIRS = . builtins/g' \`
niss: 3.51 -> 3.52 2020-05-04 00:39:35 +01:00			`-e 's/CKO_NETSCAPE_/CKO_NSS_/g' \`
			`-e 's/CKT_NETSCAPE_/CKT_NSS_/g' \`
			`\| patch -p1`
nss: 3.52.1 -> 3.54 2020-06-29 02:09:27 +01:00
			`patchShebangs nss`

			`for f in nss/coreconf/config.gypi nss/build.sh nss/coreconf/config.gypi; do`
			`substituteInPlace "$f" --replace "/usr/bin/env" "${buildPackages.coreutils}/bin/env"`
			`done`

			`substituteInPlace nss/coreconf/config.gypi --replace "/usr/bin/grep" "${buildPackages.coreutils}/bin/env grep"`
nss: Add nss-pem module from fedora. This is a compatibility module which adds suport for PEM certificates used by OpenSSL and compatible libraries. The module gets built but isn't used at the moment, so we're going to work on integration of it later. 2012-08-21 05:10:33 +01:00			`'';`

nss: Update to 3.15.1 2013-08-07 15:17:58 +01:00			`patches =`
nss: 3.31 -> 3.32.1 2017-09-29 00:52:45 +01:00			`[`
nss: Update to 3.16 2014-04-22 13:54:36 +01:00			`# Based on http://patch-tracker.debian.org/patch/series/dl/nss/2:3.15.4-1/85_security_load.patch`
nss: patch http location moved, let's keep it in filesystem 2014-01-22 09:46:29 +00:00			`./85_security_load.patch`
nss: Omit an extraneous definition; fix other problems on Darwin 2018-01-03 21:39:37 +00:00			`./ckpem.patch`
nss: 3.52.1 -> 3.54 2020-06-29 02:09:27 +01:00			`./fix-cross-compilation.patch`
nss: Update to 3.15.1 2013-08-07 15:17:58 +01:00			`];`
NSS: version bump and patch to provide pkgconfig info. svn path=/nixpkgs/trunk/; revision=25366 2011-01-03 17:02:58 +00:00
nss: *Flags are lists 2019-10-26 16:39:27 +01:00			`patchFlags = [ "-p0" ];`
nss: 3.27.2 -> 3.28.1 2017-01-24 13:49:14 +00:00
pkgs/development/libraries: stdenv.lib -> lib 2021-01-21 17:00:13 +00:00			`postPatch = lib.optionalString stdenv.hostPlatform.isDarwin ''`
nss: set install name correctly 2020-08-03 03:02:14 +01:00			`substituteInPlace nss/coreconf/Darwin.mk --replace '@executable_path/$(notdir $@)' "$out/lib/\$(notdir \$@)"`
			`substituteInPlace nss/coreconf/config.gypi --replace "'DYLIB_INSTALL_NAME_BASE': '@executable_path'" "'DYLIB_INSTALL_NAME_BASE': '$out/lib'"`
			`'';`

treewide: Shuffle outputs Make either 'bin' or 'out' the first output. 2016-08-29 01:30:01 +01:00			`outputs = [ "out" "dev" "tools" ];`
nspr,nss: split into multiple outputs Hopefully most references are OK. 2015-10-05 16:45:54 +01:00
nss: Update to 3.15.1 2013-08-07 15:17:58 +01:00			`preConfigure = "cd nss";`
* Updated NSS. svn path=/nixpkgs/trunk/; revision=16183 2009-07-06 10:12:44 +01:00
nss: 3.52.1 -> 3.54 2020-06-29 02:09:27 +01:00			`buildPhase = let`
			`getArch = platform: if platform.isx86_64 then "x64"`
			`else if platform.isx86_32 then "ia32"`
			`else if platform.isAarch32 then "arm"`
			`else if platform.isAarch64 then "arm64"`
nss: fix build on ppc64[le] NSS configure scripts use the abbreviated form ppc64/ppc64le: https://github.com/nss-dev/nss/blob/NSS_3_57_RTM/coreconf/config.gypi#L209 Whereas nixpkgs uses the longer form: `nix eval nixpkgs.pkgsCross.powernv.hostPlatform.parsed.cpu.name` `powerpc64le` 2020-11-02 04:29:29 +00:00			`else if platform.isPower && platform.is64bit then (`
			`if platform.isLittleEndian then "ppc64le" else "ppc64"`
			`)`
nss: 3.52.1 -> 3.54 2020-06-29 02:09:27 +01:00			`else platform.parsed.cpu.name;`
			`# yes, this is correct. nixpkgs uses "host" for the platform the binary will run on whereas nss uses "host" for the platform that the build is running on`
			`target = getArch stdenv.hostPlatform;`
			`host = getArch stdenv.buildPlatform;`
			`in ''`
			`runHook preBuild`

			`sed -i 's\|nss_dist_dir="$dist_dir"\|nss_dist_dir="'$out'"\|;s\|nss_dist_obj_dir="$obj_dir"\|nss_dist_obj_dir="'$out'"\|' build.sh`
			`./build.sh -v --opt \`
			`--with-nspr=${nspr.dev}/include:${nspr.out}/lib \`
			`--system-sqlite \`
			`--enable-legacy-db \`
			`--target ${target} \`
			`-Dhost_arch=${host} \`
			`-Duse_system_zlib=1 \`
nss: enable libpkix build this was enabled by default with the old build system, but requires this flag with the new one fixes ##93955 2020-07-29 19:31:14 +01:00			`--enable-libpkix \`
pkgs/development/libraries: stdenv.lib -> lib 2021-01-21 17:00:13 +00:00			`${lib.optionalString enableFIPS "--enable-fips"} \`
			`${lib.optionalString stdenv.isDarwin "--clang"} \`
			`${lib.optionalString (stdenv.hostPlatform != stdenv.buildPlatform) "--disable-tests"}`
nss: 3.52.1 -> 3.54 2020-06-29 02:09:27 +01:00
			`runHook postBuild`
			`'';`

			`NIX_CFLAGS_COMPILE = "-Wno-error -DNIX_NSS_LIBDIR=\"${placeholder "out"}/lib/\"";`

			`installPhase = ''`
			`runHook preInstall`

nss: Remove redundant nss-config.in. This file is already contained in nss-3.12.5-gentoo-fixups.diff, so we don't need to do all that cruft twice. 2012-08-22 03:22:43 +01:00			`rm -rf $out/private`
nss: 3.52.1 -> 3.54 2020-06-29 02:09:27 +01:00			`find $out -name "*.TOC" -delete`
nss: Remove redundant nss-config.in. This file is already contained in nss-3.12.5-gentoo-fixups.diff, so we don't need to do all that cruft twice. 2012-08-22 03:22:43 +01:00			`mv $out/public $out/include`
nss: updated to version 3.13.3 to fix build errors on Linux 3.2 svn path=/nixpkgs/trunk/; revision=32834 2012-03-06 20:57:39 +00:00
nss: Update to 3.15.1 2013-08-07 15:17:58 +01:00			`ln -s lib $out/lib64`
nss: 3.31 -> 3.32.1 2017-09-29 00:52:45 +01:00
			`# Upstream issue: https://bugzilla.mozilla.org/show_bug.cgi?id=530672`
			`# https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/nss/files/nss-3.32-gentoo-fixups.patch?id=af1acce6c6d2c3adb17689261dfe2c2b6771ab8a`
			NSS_MAJOR_VERSION=`grep "NSS_VMAJOR" lib/nss/nss.h \| awk '{print $3}'`
			NSS_MINOR_VERSION=`grep "NSS_VMINOR" lib/nss/nss.h \| awk '{print $3}'`
			NSS_PATCH_VERSION=`grep "NSS_VPATCH" lib/nss/nss.h \| awk '{print $3}'`
			`PREFIX="$out"`

			`mkdir -p $out/lib/pkgconfig`
			`sed -e "s,%prefix%,$PREFIX," \`
			`-e "s,%exec_prefix%,$PREFIX," \`
			`-e "s,%libdir%,$PREFIX/lib64," \`
nss: fix includedir for pkgconfig 2017-10-09 19:49:11 +01:00			`-e "s,%includedir%,$dev/include/nss," \`
nss: 3.31 -> 3.32.1 2017-09-29 00:52:45 +01:00			`-e "s,%NSS_VERSION%,$NSS_MAJOR_VERSION.$NSS_MINOR_VERSION.$NSS_PATCH_VERSION,g" \`
			`-e "s,%NSPR_VERSION%,4.16,g" \`
			`pkg/pkg-config/nss.pc.in > $out/lib/pkgconfig/nss.pc`
			`chmod 0644 $out/lib/pkgconfig/nss.pc`

			`sed -e "s,@prefix@,$PREFIX," \`
			`-e "s,@MOD_MAJOR_VERSION@,$NSS_MAJOR_VERSION," \`
			`-e "s,@MOD_MINOR_VERSION@,$NSS_MINOR_VERSION," \`
			`-e "s,@MOD_PATCH_VERSION@,$NSS_PATCH_VERSION," \`
			`pkg/pkg-config/nss-config.in > $out/bin/nss-config`
			`chmod 0755 $out/bin/nss-config`
nss: Remove redundant nss-config.in. This file is already contained in nss-3.12.5-gentoo-fixups.diff, so we don't need to do all that cruft twice. 2012-08-22 03:22:43 +01:00			`'';`
nss: add option to use p11-kit This commit adds an option to replace libnssckbi with the p11-kit-trust[1] module. It makes all NSS application (like Firefox, Chromium, etc.) use the system trust store (/etc/ssl/certs/ in NixOS) and other PKCS#11 modules without ad-hoc configuration. This approach was first implemented in Fedora[2] and other distributions like Arch Linux, later. [1]: https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-nss.html [2]: https://fedoraproject.org/wiki/Features/SharedSystemCertificates 2020-08-31 10:07:34 +01:00
nss: remove usage of stdenv.lib 2021-01-31 15:07:26 +00:00			`postInstall = lib.optionalString useP11kit ''`
nss: add option to use p11-kit This commit adds an option to replace libnssckbi with the p11-kit-trust[1] module. It makes all NSS application (like Firefox, Chromium, etc.) use the system trust store (/etc/ssl/certs/ in NixOS) and other PKCS#11 modules without ad-hoc configuration. This approach was first implemented in Fedora[2] and other distributions like Arch Linux, later. [1]: https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-nss.html [2]: https://fedoraproject.org/wiki/Features/SharedSystemCertificates 2020-08-31 10:07:34 +01:00			`# Replace built-in trust with p11-kit connection`
			`ln -sf ${p11-kit}/lib/pkcs11/p11-kit-trust.so $out/lib/libnssckbi.so`
			`'';`
nss: Sign libraries after striping. Running NSS in FIPS mode is only possible if the libraries are signed correctly, so we're doing this in the postFixup hook, to insure nothing gets altered after that phase. For more information about FIPS mode, please see: https://developer.mozilla.org/en-US/docs/NSS/FIPS_Mode_-_an_explanation 2012-08-21 20:35:46 +01:00
nss: cross compile support 2019-03-20 20:05:45 +00:00			`postFixup = let`
			`isCross = stdenv.hostPlatform != stdenv.buildPlatform;`
			`nss = if isCross then buildPackages.nss.tools else "$out";`
nss: make reproducible (#102156) According to https://hg.mozilla.org/projects/nss/file/c1fad130dce2081a5d6ce9f539c72d999f59afce/build.sh#l129 the FIPS mode is not enabled by default. Yet we generate the .chk files that are only meant to be used for that mode. I have a sense that those have been cargo-culted around. Adding FIPS is still possible but you have to explictily build the lib with `pkgs.nss.override { enableFIPS = true; }` More info on what FIPS is: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6 Other distros wrangling with the same issue: https://bugzilla.opensuse.org/show_bug.cgi?id=1081723 2020-10-31 20:17:26 +00:00			`in`
pkgs/development/libraries: stdenv.lib -> lib 2021-01-21 17:00:13 +00:00			`(lib.optionalString enableFIPS (''`
nss: Sign libraries after striping. Running NSS in FIPS mode is only possible if the libraries are signed correctly, so we're doing this in the postFixup hook, to insure nothing gets altered after that phase. For more information about FIPS mode, please see: https://developer.mozilla.org/en-US/docs/NSS/FIPS_Mode_-_an_explanation 2012-08-21 20:35:46 +01:00			`for libname in freebl3 nssdbm3 softokn3`
nss: Omit an extraneous definition; fix other problems on Darwin 2018-01-03 21:39:37 +00:00			`do '' +`
			`(if stdenv.isDarwin`
			`then ''`
			`libfile="$out/lib/lib$libname.dylib"`
			`DYLD_LIBRARY_PATH=$out/lib:${nspr.out}/lib \`
			`'' else ''`
			`libfile="$out/lib/lib$libname.so"`
			`LD_LIBRARY_PATH=$out/lib:${nspr.out}/lib \`
			`'') + ''`
nss: cross compile support 2019-03-20 20:05:45 +00:00			`${nss}/bin/shlibsign -v -i "$libfile"`
nss: Sign libraries after striping. Running NSS in FIPS mode is only possible if the libraries are signed correctly, so we're doing this in the postFixup hook, to insure nothing gets altered after that phase. For more information about FIPS mode, please see: https://developer.mozilla.org/en-US/docs/NSS/FIPS_Mode_-_an_explanation 2012-08-21 20:35:46 +01:00			`done`
fixup! nss: make reproducible (#102156) Fixes a precedence issue from fe9f55907e2a42b675e161de3d5e6a740385c479 `lib.optionalString <cond> 'text' + 'text2'` will always have 'text2' as part of the result. 2020-11-02 10:54:40 +00:00			`'')) +`
nss: make reproducible (#102156) According to https://hg.mozilla.org/projects/nss/file/c1fad130dce2081a5d6ce9f539c72d999f59afce/build.sh#l129 the FIPS mode is not enabled by default. Yet we generate the .chk files that are only meant to be used for that mode. I have a sense that those have been cargo-culted around. Adding FIPS is still possible but you have to explictily build the lib with `pkgs.nss.override { enableFIPS = true; }` More info on what FIPS is: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6 Other distros wrangling with the same issue: https://bugzilla.opensuse.org/show_bug.cgi?id=1081723 2020-10-31 20:17:26 +00:00			`''`
rename moveToOutput and propagatedBuildInputs 2015-12-02 09:03:23 +00:00			`moveToOutput bin "$tools"`
			`moveToOutput bin/nss-config "$dev"`
			`moveToOutput lib/libcrmf.a "$dev" # needed by firefox, for example`
nss: Omit an extraneous definition; fix other problems on Darwin 2018-01-03 21:39:37 +00:00			`rm -f "$out"/lib/*.a`
nss: 3.52.1 -> 3.54 2020-06-29 02:09:27 +01:00
			`runHook postInstall`
nss: Sign libraries after striping. Running NSS in FIPS mode is only possible if the libraries are signed correctly, so we're doing this in the postFixup hook, to insure nothing gets altered after that phase. For more information about FIPS mode, please see: https://developer.mozilla.org/en-US/docs/NSS/FIPS_Mode_-_an_explanation 2012-08-21 20:35:46 +01:00			`'';`
nss: Update to 3.15.1 2013-08-07 15:17:58 +01:00
pkgs/development/libraries: stdenv.lib -> lib 2021-01-21 17:00:13 +00:00			`meta = with lib; {`
treewide: Per RFC45, remove all unquoted URLs 2020-04-01 02:11:51 +01:00			`homepage = "https://developer.mozilla.org/en-US/docs/NSS";`
nss: Update to 3.15.1 2013-08-07 15:17:58 +01:00			`description = "A set of libraries for development of security-enabled client and server applications";`
nss: add license 2018-08-17 22:55:36 +01:00			`license = licenses.mpl20;`
			`platforms = platforms.all;`
nss: Update to 3.15.1 2013-08-07 15:17:58 +01:00			`};`
Added Mozilla NSS, NSPR and Gaim to Nix. Gaim in Nix supports SSL svn path=/nixpkgs/trunk/; revision=3676 2005-08-24 10:54:42 +01:00			`}`