[RFC]: feat: use OSX keychain
Motivation
Make it easier for people to use their OSX keychain to provide the SSL CA.
Context
Uses security find-certificate -a -p to write a file. This is probably not the right approach.
Alternatives
- considering a nix config get-certificates command
- nix doctor - better error messages
Or just run during install:
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain | sudo tee /etc/ssl/certs/ca-certificates.crt
This looks useful. I agree that writing to a file is not ideal. Also changing caFile isn't great, because nix config show will show the effect of an option, instead of its value.
Also overwriting the file isn't great, especially because writeFile is not atomic; it should write to a temporary file in the same directory and then move it atomically. Perhaps read and compare it first to avoid unnecessary I/O.
Furthermore we shouldn't write the file if we don't need it. We seem to have two use cases for this option:
- fetching with a library (curl, s3)
- on linux: mount it into the build sandbox
For the former, we probably don't need to write it out. The latter might be a new feature in the darwin sandbox, or does that already just work?
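The atomic-write pattern the review above asks for (compare first, write to a temp file in the same directory, fsync, then rename), as an added C++ example; this is not Nix's code, and the function names and the 0644 bundle mode are assumptions.

```cpp
#include <cerrno>
#include <cstdlib>
#include <cstring>
#include <filesystem>
#include <fstream>
#include <iterator>
#include <stdexcept>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

namespace fs = std::filesystem;

// Read the whole file, or return an empty string if it cannot be opened.
static std::string readFileOrEmpty(const fs::path &path) {
    std::ifstream in(path, std::ios::binary);
    if (!in) return {};
    return std::string(std::istreambuf_iterator<char>(in), {});
}

// Replace `path` with `contents` atomically; returns false when nothing needed writing.
bool writeFileAtomicIfChanged(const fs::path &path, const std::string &contents) {
    if (fs::exists(path) && readFileOrEmpty(path) == contents)
        return false;                                  // identical: skip the I/O entirely

    // Temp file in the same directory: rename(2) is atomic only within one filesystem.
    std::string tmpl = path.string() + ".tmp.XXXXXX";
    int fd = mkstemp(&tmpl[0]);                        // created with mode 0600
    if (fd < 0) throw std::runtime_error(std::string("mkstemp: ") + strerror(errno));
    try {
        size_t off = 0;
        while (off < contents.size()) {                // write(2) may return short counts
            ssize_t n = write(fd, contents.data() + off, contents.size() - off);
            if (n < 0) { if (errno == EINTR) continue; throw std::runtime_error("write failed"); }
            off += static_cast<size_t>(n);
        }
        if (fsync(fd) != 0) throw std::runtime_error("fsync failed");     // bytes on disk before the swap
        if (fchmod(fd, 0644) != 0) throw std::runtime_error("fchmod failed"); // assumed mode: TLS clients must read it
        close(fd);
        fd = -1;
        fs::rename(tmpl, path);                        // readers see the old or the new bundle, never a partial one
    } catch (...) {
        if (fd >= 0) close(fd);
        unlink(tmpl.c_str());                          // never leave a stray temp file behind
        throw;
    }
    return true;
}
```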