On Sun, Aug 08 2021, pukkamustard wrote:

> Xinglu Chen writes:
>
>>> + ;; Tests are failing as they require
>>> certificates to be in /etc/ssl/certs
>>> + #:tests? #f))
>>
>> The same issue has been mentioned by NixOS people on their bug
>> tracker[1], they solved[2] it by reading the NIX_SSL_CERT_FILE
>> environment variable, which automatically gets set in the build
>> environment if the ‘cacert’ package is specified as an input. I don’t
>> know if Guix does something similar.
>>
>> [1]:
>> [2]:
>>
>
> Thanks for the pointers.
>
> Inspired by the package definition for curl, I tried setting
> NIX_SSL_CERT_FILE with native-search-paths:
>
> ```
> (native-search-paths
>  (list
>   (search-path-specification
>    (variable "NIX_SSL_CERT_FILE")
>    (file-type 'regular)
>    (separator #f) ;single entry
>    (files '("/etc/ssl/certs/ca-certificates.crt")))))
> ```
>
> and adding `nss-certs` to the native-inputs.
>
> However, this does not work. Some observations/questions:
>
> - The NIX_SSL_CERT_FILE does not appear in the
>   `environment-variables` file when running `guix build -K`. I
>   would have expected it to be set there.
> - `nss-certs` does not provide the `ca-certificates.crt` file. It
>   is built when creating a profile with the
>   `ca-certificate-bundle` hook. Is this run when creating a build
>   environment?
>
> I seem to be not understanding a lot of things about the build
> environment ... Pointers very welcome!

Maybe the environment variables in ‘native-search-paths’ are only set if
the package is installed in a profile (in
~/.guix-profile/etc/profile)?

I don’t think profile hooks are run in the build environment, so that’s
probably why. In Nix, the bundle is created during the build phase[1],
not sure if we should do this too.

I think it’s fine to disable tests for now, but it would be great to see
what other people think too.

[1]: https://github.com/nixos/nixpkgs/blob/master/pkgs/data/misc/cacert/default.nix#L53
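
Review bot: `#:tests? #f` in the quoted hunk turns off the entire test suite, while the comment above it gives missing certificates in /etc/ssl/certs as the reason without saying which tests need them. Consider skipping only the certificate-dependent tests in the check phase, or at least extend the comment to name the failing tests and reference the upstream report, so the flag can be removed once a CA bundle is reachable in the build environment.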