Merge remote-tracking branch 'nixpkgs/nixos-unstable'

1 files changed, 11 insertions, 3 deletions

diff --git a/nixpkgs/pkgs/development/libraries/nss/default.nix b/nixpkgs/pkgs/development/libraries/nss/default.nix
index 8c98d7ae9bbd..81a51c7beaea 100644
--- a/nixpkgs/pkgs/development/libraries/nss/default.nix
+++ b/nixpkgs/pkgs/development/libraries/nss/default.nix
@@ -1,4 +1,7 @@
-{ lib, stdenv, fetchurl, nspr, perl, zlib, sqlite, darwin, fixDarwinDylibNames, buildPackages, ninja
+{ lib, stdenv, fetchurl, nspr, perl, zlib
+, sqlite, ninja
+, darwin, fixDarwinDylibNames, buildPackages
+, useP11kit ? true, p11-kit
 , # allow FIPS mode. Note that this makes the output non-reproducible.
   # https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6
   enableFIPS ? false
@@ -15,7 +18,7 @@ let
   #       It will rebuild itself using the version of this package (NSS) and if
   #       an update is required do the required changes to the expression.
   #       Example: nix-shell ./maintainers/scripts/update.nix --argstr package cacert
-  version = "3.60";
+  version = "3.62";
   underscoreVersion = builtins.replaceStrings ["."] ["_"] version;
 
 in stdenv.mkDerivation rec {
@@ -24,7 +27,7 @@ in stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/${pname}-${version}.tar.gz";
-    sha256 = "0ggyj3ax3kal65sl1vl4nfhx2s08blg4dg8iwlxcax5qb9bxbaw4";
+    sha256 = "0y2ld90bncjjggrn64c7g7mq9i03z6dc3r2kz978snz2xiydzml6";
   };
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
@@ -139,6 +142,11 @@ in stdenv.mkDerivation rec {
     chmod 0755 $out/bin/nss-config
   '';
 
+  postInstall = lib.optionalString useP11kit ''
+    # Replace built-in trust with p11-kit connection
+    ln -sf ${p11-kit}/lib/pkcs11/p11-kit-trust.so $out/lib/libnssckbi.so
+  '';
+
   postFixup = let
     isCross = stdenv.hostPlatform != stdenv.buildPlatform;
     nss = if isCross then buildPackages.nss.tools else "$out";