From b7cde90c6b479562eb9f1d9df399d04cf9c42aad Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Thu, 11 May 2023 13:09:02 +0200
Subject: [PATCH] Call getDefaultSSLCertFile() only when none is specified

This does pathExists on various paths, which crashes on EPERM in the macOS sandbox.
---
 src/libstore/globals.cc | 2 ++
 src/libstore/globals.hh | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index 4c66d08ee..a196c10e6 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -57,6 +57,8 @@ Settings::Settings()
 auto sslOverride = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
 if (sslOverride != "") caFile = sslOverride;
+ else if (caFile == "")
+ caFile = getDefaultSSLCertFile();
 /* Backwards compatibility. */
 auto s = getEnv("NIX_REMOTE_SYSTEMS");
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 31dfe5b4e..34b4f24a7 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -842,7 +842,7 @@ public:
 )"};
 Setting caFile{
- this, getDefaultSSLCertFile(), "ssl-cert-file",
+ this, "", "ssl-cert-file",
 R"(
 The path of a file containing CA certificates used to authenticate `https://` downloads. Nix by default will use
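Review bot: In the `Settings::Settings()` hunk the new `else if (caFile == "")` guard looks always true at this point: the `globals.hh` hunk changes the member's initializer to `""` and no visible line assigns `caFile` before the check, so `getDefaultSSLCertFile()` and its `pathExists` probes still run whenever neither `NIX_SSL_CERT_FILE` nor `SSL_CERT_FILE` is set. If configuration files are applied after the constructor (not visible here), an `ssl-cert-file` value set there cannot prevent the probe, and the EPERM crash from the commit message stays reachable in a sandbox without those variables. Consider making the probe treat an inaccessible path as absent, or resolving the default where the CA file is first used. Also confirm that a `caFile` left empty because no bundle was found does not weaken certificate verification for `https://` downloads. A comment such as `/* Default is resolved here, not in the Setting initializer: getDefaultSSLCertFile() calls pathExists, which fails on EPERM in the macOS sandbox. */` would record the reason; the constructor body starts and ends outside the hunk.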