authorMichael Weiss <dev.primeos@gmail.com>2017-09-16 21:53:16 +0200
committerMichael Weiss <dev.primeos@gmail.com>2017-09-16 22:13:56 +0200
commit337380ea1de122c74d4dfaf7709a34f2448896f5 (patch)
tree04c9a379f7b169dd0bb2905e6066e5474fd19cce /pkgs/applications/version-management/git-repo
parent8ceb2098302c4af3990ae6d2e5affc2d77455f03 (diff)
gitRepo: Fix an error due to missing TLS certificates
This was a problem when run inside a sandbox, e.g. via
"fetchRepoProject". The error message from repo seems unrelated:

fatal: Cannot get https://gerrit.googlesource.com/git-repo/clone.bundle
fatal: error no host given

But the exception is actually thrown due to missing certificates
(/etc/ssl/certs). It should be possible to provide another location via
environment variables (e.g. SSL_CERT_FILE, REQUESTS_CA_BUNDLE or
CURL_CA_BUNDLE) but apparently that doesn't actually work for some
reason (would have to study our Python packaging).

Now "fetchRepoProject" works without the "--no-clone-bundle" option.
Diffstat (limited to 'pkgs/applications/version-management/git-repo')
-rw-r--r--pkgs/applications/version-management/git-repo/default.nix16
1 files changed, 12 insertions, 4 deletions
diff --git a/pkgs/applications/version-management/git-repo/default.nix b/pkgs/applications/version-management/git-repo/default.nix
index 808e7b1850d1..e0aed206b750 100644
--- a/pkgs/applications/version-management/git-repo/default.nix
+++ b/pkgs/applications/version-management/git-repo/default.nix
@@ -1,5 +1,6 @@
 { stdenv, fetchFromGitHub, makeWrapper
-, python, git, gnupg1compat, less }:
+, python, git, gnupg, less, cacert
+}:
 
 stdenv.mkDerivation rec {
   name = "git-repo-${version}";
@@ -13,16 +14,23 @@ stdenv.mkDerivation rec {
   };
 
   nativeBuildInputs = [ makeWrapper ];
-  buildInputs = [ python git gnupg1compat less ];
+  buildInputs = [ python ];
+
+  # TODO: Cleanup
+  patchPhase = ''
+    CA_PATH="$(echo '${cacert}/etc/ssl/certs/ca-bundle.crt' | sed 's/\//\\\//g')" # / -> \/
+    sed -i -E 's/urlopen\(url\)/urlopen(url, cafile="'$CA_PATH'")/' repo
+  '';
 
   installPhase = ''
     mkdir -p $out/bin
-    cp $src/repo $out/bin/repo
+    cp repo $out/bin/repo
   '';
 
+  # Important runtime dependencies
   postFixup = ''
     wrapProgram $out/bin/repo --prefix PATH ":" \
-      "${stdenv.lib.makeBinPath [ git gnupg1compat less ]}"
+      "${stdenv.lib.makeBinPath [ git gnupg less ]}"
   '';
 
   meta = with stdenv.lib; {
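Review bot: The `sed -i -E` line in the new `patchPhase` exits successfully even when `urlopen\(url\)` matches nothing, so a later `repo` release that words the call differently would still build, but without the `cafile=` argument, and the certificate failure described in the commit message would return at run time. Adding a check right after the substitution, e.g. `grep -q 'cafile=' repo || { echo "CA patch did not apply" >&2; exit 1; }`, makes the build fail instead. Setting `patchPhase` directly also replaces the stock phase, so as far as I can tell any `patches` later added to this derivation would be skipped without notice; `postPatch` avoids that. Using `|` as the sed delimiter would also remove the need for the `CA_PATH` escaping step. Finally, the `# TODO: Cleanup` comment could state that this pins the launcher's trust store to the `cacert` bundle chosen at build time, so CA additions or removals on the host will not affect this download.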