[Backport staging-next-25.11] cacert 3.117 -> 3.121 (#493496)

mdaniels5757 · web-flow · commit ec01da1f57d0 · 2026-02-24T13:21:24.000Z
diff --git a/pkgs/by-name/ca/cacert/package.nix b/pkgs/by-name/ca/cacert/package.nix
@@ -2,15 +2,12 @@
   lib,
   stdenv,
   writeText,
-  fetchFromGitHub,
+  fetchurl,
   buildcatrust,
   blacklist ? [ ],
   extraCertificateFiles ? [ ],
   extraCertificateStrings ? [ ],
 
-  # Used by update.sh
-  nssOverride ? null,
-
   # Used for tests only
   runCommand,
   cacert,
@@ -23,10 +20,9 @@ let
     lib.concatStringsSep "\n\n" extraCertificateStrings
   );
 
-  srcVersion = "3.117";
-  version = if nssOverride != null then nssOverride.version else srcVersion;
+  version = "3.121";
   meta = {
-    homepage = "https://curl.haxx.se/docs/caextract.html";
+    homepage = "https://firefox-source-docs.mozilla.org/security/nss/runbooks/rootstore.html#root-store-consumers";
     description = "Bundle of X.509 certificates of public Certificate Authorities (CA)";
     platforms = lib.platforms.all;
     maintainers = with lib.maintainers; [
@@ -35,40 +31,31 @@ let
     ];
     license = lib.licenses.mpl20;
   };
-  certdata = stdenv.mkDerivation {
-    pname = "nss-cacert-certdata";
-    inherit version;
-
-    src =
-      if nssOverride != null then
-        nssOverride.src
-      else
-        fetchFromGitHub {
-          owner = "nss-dev";
-          repo = "nss";
-          rev = "NSS_${lib.replaceStrings [ "." ] [ "_" ] version}_RTM";
-          hash = "sha256-sAs0TiV3TK/WtgHvEjl2KFAgebyWZYmcRcmxjpn2AME=";
-        };
-
-    dontBuild = true;
-
-    installPhase = ''
-      runHook preInstall
-
-      mkdir $out
-      cp lib/ckfw/builtins/certdata.txt $out
-
-      runHook postInstall
-    '';
-
-    inherit meta;
-  };
 in
 stdenv.mkDerivation {
   pname = "nss-cacert";
   inherit version;
 
-  src = certdata;
+  src = fetchurl {
+    urls =
+      let
+        # This file is effectively a public interface, see the homepage link
+        file = "lib/ckfw/builtins/certdata.txt";
+        tag = "NSS_${lib.replaceStrings [ "." ] [ "_" ] version}_RTM";
+      in
+      [
+        # Prefer mercurial as the canonical source, while github is just a mirror
+        "https://hg-edge.mozilla.org/projects/nss/raw-file/${tag}/${file}"
+        "https://raw.githubusercontent.com/nss-dev/nss/refs/tags/${tag}/${file}"
+      ];
+    hash = "sha256-O5jU4/9XoybZWHwzYzA5yMOpzwtV98pYHXWY/zKesfM=";
+  };
+
+  unpackPhase = ''
+    runHook preUnpack
+    cp "$src" "$(stripHash "$src")"
+    runHook postUnpack
+  '';
 
   outputs = [
     "out"
diff --git a/pkgs/by-name/ca/cacert/update.sh b/pkgs/by-name/ca/cacert/update.sh
@@ -25,7 +25,7 @@ BASEDIR="$(dirname "$0")/../../../.."
 
 
 CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
-PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.override { nssOverride = nss_latest; }).out")
+PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.overrideAttrs { src = nss_latest.src + \"/lib/ckfw/builtins/certdata.txt\"; }).out")
 
 # Check the hash of the etc subfolder
 # We can't check the entire output as that contains the nix-support folder
@@ -35,5 +35,5 @@ PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")
 
 if [[ "$CURRENT_HASH" !=  "$PATCHED_HASH" ]]; then
     NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss_latest.version" | jq -r .)
-    update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"
+    update-source-version cacert "$NSS_VERSION"
 fi
