[bug#49867,24/29] gnu: Add ocaml-ca-certs.

Message ID 20210804071545.21181-24-pukkamustard@posteo.net
State Accepted
Series gnu: Add ocaml-cohttp-lwt-unix.

Checks

Context Check Description
cbaines/comparison success View comparison
cbaines/git branch success View Git branch
cbaines/applying patch success View Laminar job
cbaines/issue success View issue

Commit Message

pukkamustard Aug. 4, 2021, 7:15 a.m. UTC
* gnu/packages/ocaml.scm (ocaml-ca-certs): New variable.
---
 gnu/packages/ocaml.scm | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

Comments

pukkamustard Aug. 8, 2021, 12:36 p.m. UTC | #1
Xinglu Chen <public@yoctocell.xyz> writes:

>> +                 ;; Tests are failing as they require 
>> certificates to be in /etc/ssl/certs
>> +                 #:tests? #f))
>
> The same issue has been mentioned by NixOS people on their bug
> tracker[1], they solved[2] it by reading the NIX_SSL_CERT_FILE
> environment variable, which automatically gets set in the build
> environment if the ‘cacert’ package is specified as an input.  I don’t
> know if Guix does something similar.
>
> [1]: <https://github.com/mirage/ca-certs/issues/16>
> [2]: <https://github.com/mirage/ca-certs/pull/17>
>

Thanks for the pointers.

Inspired by the package definition for curl, I tried setting 
NIX_SSL_CERT_FILE with native-search-paths:

```
    (native-search-paths
     (list
      (search-path-specification
       (variable "NIX_SSL_CERT_FILE")
       (file-type 'regular)
       (separator #f)                   ;single entry
       (files '("/etc/ssl/certs/ca-certificates.crt")))))
```

and adding `nss-certs` to the native-inputs.

However, this does not work. Some observations/questions:

- The NIX_SSL_CERT_FILE does not appear in the 
  `environment-variables` file when running `guix build -K`. I 
  would have expected it to be set there.
- `nss-certs` does not provide the `ca-certificates.crt` file. It 
  is built when creating a profile with the 
  `ca-certificate-bundle` hook. Is this run when creating a build 
  environment?

I seem to be not understanding a lot of things about the build 
environment ... Pointers very welcome!

>> +    (propagated-inputs
>> +     `(("ocaml-astring" ,ocaml-astring)
>> +       ("ocaml-bos" ,ocaml-bos)
>> +       ("ocaml-fpath" ,ocaml-fpath)
>> +       ("ocaml-rresult" ,ocaml-rresult)
>> +       ("ocaml-ptime" ,ocaml-ptime)
>> +       ("ocaml-logs" ,ocaml-logs)
>> +       ("ocaml-mirage-crypto" ,ocaml-mirage-crypto)
>> +       ("ocaml-x509" ,ocaml-x509)))
>> +    (native-inputs
>> +     `(("ocaml-alcotest" ,ocaml-alcotest)))
>> +    (synopsis
>> +     "Detect root CA certificates from the operating system")
>> +    (description
>> +     "TLS requires a set of root anchors (Certificate 
>> Authorities) to
>> +authenticate servers. This library exposes this list so that 
>> it can be
>                         ^
> Double spacing.

Fixed in V2.

Xinglu Chen Aug. 9, 2021, 9:30 a.m. UTC | #2
On Sun, Aug 08 2021, pukkamustard wrote:

> Xinglu Chen <public@yoctocell.xyz> writes:
>
>>> +                 ;; Tests are failing as they require 
>>> certificates to be in /etc/ssl/certs
>>> +                 #:tests? #f))
>>
>> The same issue has been mentioned by NixOS people on their bug
>> tracker[1], they solved[2] it by reading the NIX_SSL_CERT_FILE
>> environment variable, which automatically gets set in the build
>> environment if the ‘cacert’ package is specified as an input.  I don’t
>> know if Guix does something similar.
>>
>> [1]: <https://github.com/mirage/ca-certs/issues/16>
>> [2]: <https://github.com/mirage/ca-certs/pull/17>
>>
>
> Thanks for the pointers.
>
> Inspired by the package definition for curl, I tried setting 
> NIX_SSL_CERT_FILE with native-search-paths:
>
> ```
>     (native-search-paths
>      (list
>       (search-path-specification
>        (variable "NIX_SSL_CERT_FILE")
>        (file-type 'regular)
>        (separator #f)                   ;single entry
>        (files '("/etc/ssl/certs/ca-certificates.crt")))))
> ```
>
> and adding `nss-certs` to the native-inputs.
>
> However, this does not work. Some observations/questions:
>
> - The NIX_SSL_CERT_FILE does not appear in the 
>   `environment-variables` file when running `guix build -K`. I 
>   would have expected it to be set there.
> - `nss-certs` does not provide the `ca-certificates.crt` file. It 
>   is built when creating a profile with the 
>   `ca-certificate-bundle` hook. Is this run when creating a build 
>   environment?
>
> I seem to be not understanding a lot of things about the build 
> environment ... Pointers very welcome!

Maybe the environment variables in ‘native-search-paths’ are only set if
the package is installed in a profile (in ~/.guix-profile/etc/profile)?  

I don’t think profile hooks are run in the build environment, so that’s
probably why.

In Nix, the bundle is created during the build phase[1], not sure if we
should do this too.

I think it’s fine to disable tests for now, but it would be great to see
what other people think too.

[1]: https://github.com/nixos/nixpkgs/blob/master/pkgs/data/misc/cacert/default.nix#L53
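The second bullet in comment #1 turns on what the `ca-certificate-bundle` hook produces: `nss-certs` ships one PEM file per root, while ca-certs reads a single `/etc/ssl/certs/ca-certificates.crt`. As an added illustration (my own code, not the patch's and not Guix's hook), here is a small Python bundle builder that does the same merge defensively: it keeps only CERTIFICATE blocks, rejects undecodable or non-DER blocks, and de-duplicates by SHA-256 of the DER. The sample PEM blocks are constructed fakes, not real CA material.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample inputs (not real CA material): the payloads only mimic
# the leading DER SEQUENCE tag that a real X.509 certificate starts with.
def _fake_pem(label, payload):
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

SAMPLE_FILES = {
    "RootA.pem": _fake_pem("CERTIFICATE", b"\x30\x82\x01\x00root-a"),
    "RootB.pem": _fake_pem("CERTIFICATE", b"\x30\x82\x01\x00root-b"),
    "RootC.pem": _fake_pem("CERTIFICATE", b"\x30\x82\x01\x00root-a"),  # same DER as RootA
    "junk.pem": "-----BEGIN CERTIFICATE-----\n@@ not base64 @@\n-----END CERTIFICATE-----\n",
    "leaked.pem": _fake_pem("PRIVATE KEY", b"\x30\x00secret"),  # never belongs in a trust store
}

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----\n", re.S)

def build_bundle(files):
    """Merge the CERTIFICATE blocks of {filename: pem_text} into one bundle.
    Returns (bundle_text, accepted, skipped); a file is accepted when at least
    one block was added. Other block types are ignored, undecodable or non-DER
    blocks are dropped, and duplicates (same DER, keyed by SHA-256) kept once."""
    seen, chunks, accepted, skipped = set(), [], [], []
    for name, text in sorted(files.items()):
        added = 0
        for label, body in PEM_BLOCK.findall(text):
            if label != "CERTIFICATE":
                continue  # keys, CRLs, etc. are not trust anchors
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except binascii.Error:
                continue  # corrupt block: drop it rather than ship a broken bundle
            if not der.startswith(b"\x30"):
                continue  # not a DER SEQUENCE, so not a certificate
            fp = hashlib.sha256(der).hexdigest()
            if fp in seen:
                continue  # same root shipped twice under different file names
            seen.add(fp)
            chunks.append(f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n")
            added += 1
        (accepted if added else skipped).append(name)
    return "".join(chunks), accepted, skipped
```

Writing the returned bundle text to `ca-certificates.crt` in the build tree, and pointing the library at it, is the step the thread is asking how to do inside a Guix build environment.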
Patch

diff --git a/gnu/packages/ocaml.scm b/gnu/packages/ocaml.scm
index 3ce07057f5..e832adc069 100644
--- a/gnu/packages/ocaml.scm
+++ b/gnu/packages/ocaml.scm
@@ -7772,6 +7772,44 @@  which is also implemented by this library - namely PKCS 1, PKCS 5, PKCS 7,
 PKCS 8, PKCS 9, PKCS 10, and PKCS 12.")
     (license license:bsd-2)))
 
+(define-public ocaml-ca-certs
+  (package
+    (name "ocaml-ca-certs")
+    (version "0.2.1")
+    (home-page "https://github.com/mirage/ca-certs")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url home-page)
+             (commit (string-append "v" version))))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32
+         "0qkxdrqyah24fz80hwkycdj50nybfjfz9b04qscv01r2ifb0kqy5"))))
+    (build-system dune-build-system)
+    (arguments `(#:test-target "."
+                 ;; Tests are failing as they require certificates to be in /etc/ssl/certs
+                 #:tests? #f))
+    (propagated-inputs
+     `(("ocaml-astring" ,ocaml-astring)
+       ("ocaml-bos" ,ocaml-bos)
+       ("ocaml-fpath" ,ocaml-fpath)
+       ("ocaml-rresult" ,ocaml-rresult)
+       ("ocaml-ptime" ,ocaml-ptime)
+       ("ocaml-logs" ,ocaml-logs)
+       ("ocaml-mirage-crypto" ,ocaml-mirage-crypto)
+       ("ocaml-x509" ,ocaml-x509)))
+    (native-inputs
+     `(("ocaml-alcotest" ,ocaml-alcotest)))
+    (synopsis
+     "Detect root CA certificates from the operating system")
+    (description
+     "TLS requires a set of root anchors (Certificate Authorities) to
+authenticate servers. This library exposes this list so that it can be
+registered with ocaml-tls.")
+    (license license:isc)))
+
 (define-public js-of-ocaml
   (package
     (name "js-of-ocaml")
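Review bot: in the `arguments` list, `#:test-target "."` is dead once `#:tests? #f` is set beside it; either drop it or keep it deliberately with the comment stating what a future maintainer needs to re-enable the tests (a CA bundle reachable at `/etc/ssl/certs`, as the comment already says), since with tests off the library's root-CA detection, which is the whole point of this package, goes unexercised at build time. The comment line `;; Tests are failing as they require certificates to be in /etc/ssl/certs` also runs past 80 columns; wrap it like the rest of the file.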