fix(env): preserve user-set NIX_SSL_CERT_FILE / SSL_CERT_FILE #2896
Open
mikeland73 wants to merge 1 commit into
Conversation
Adding a package that pulls in nss-cacert (e.g. httpie, python) caused the Nix dev-env to set NIX_SSL_CERT_FILE/SSL_CERT_FILE to a Nix store CA bundle, overwriting a value the user had deliberately exported in their own environment. For users behind a corporate MITM/proxy that requires a custom CA bundle, this broke outbound TLS for the rest of the project.

Restore the user's own certificate-bundle variables after layering the Nix dev-env, so an explicitly set value wins while the Nix default is still used when the user hasn't set one. This mirrors how `nix shell` leaves these untouched.

Fixes #2604

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01C1aHkQxSgAg5xYXsm1pYRQ
Summary

Fixes #2604.

Adding a package that pulls in `nss-cacert` (for example `httpie`, or anything depending on `python`) silently changed `NIX_SSL_CERT_FILE` inside the Devbox environment:

On machines behind a corporate MITM/proxy, users set `NIX_SSL_CERT_FILE` (and `SSL_CERT_FILE`) to a custom CA bundle so that TLS works. When Nix's build environment injected its own store CA bundle, that user value was overwritten and outbound TLS broke for the rest of the project (e.g. `bundle install` failing). Plain `nix shell nixpkgs#httpie` leaves the variable untouched, so the behavior was also inconsistent with Nix itself.

Root cause

`computeEnv` (`internal/devbox/devbox.go`) layers the output of `nix print-dev-env` on top of the ambient environment, unconditionally overwriting duplicate keys:

When a package brings in `nss-cacert`, its setup hook sets `NIX_SSL_CERT_FILE`/`SSL_CERT_FILE` to a Nix store path, and that value wins over whatever the user had exported. Devbox already special-cases `SSL_CERT_FILE` for the `/no-cert-file.crt` sentinel, but nothing protected a real user-provided value, and `NIX_SSL_CERT_FILE` wasn't handled at all.

Fix

After layering the Nix dev-env, restore the user's own certificate-bundle variables (captured in `originalEnv` before the merge) when they had explicitly set them:

- `NIX_SSL_CERT_FILE`/`SSL_CERT_FILE` → their value is kept (custom CA bundle keeps working).

This mirrors how `nix shell` leaves these variables untouched, and is scoped strictly to the two certificate-bundle variables so the rest of the env layering is unaffected.

cc @jay-aye-see-kay (issue reporter) — thanks for the detailed write-up and for narrowing it down to the env layering.

How was it tested?

- `go test ./internal/devbox/ -run 'SSLCert|ComputeEnv'` — passes.
- `TestPreserveUserSSLCertFiles` (unit test for the restore helper) and `TestComputeEnvPreservesUserSSLCertFile` (end-to-end through `computeEnv` with a Nix mock that returns the store CA bundle). The latter fails before this change (returns the Nix store path) and passes after.
- `gofmt` and `go vet ./internal/devbox/` are clean.

Community Contribution License
All community contributions in this pull request are licensed to the project maintainers under the terms of the Apache 2 License.

By creating this pull request, I represent that I have the right to license the contributions to the project maintainers under the Apache 2 License as stated in the Community Contribution License.
🤖 Generated with Claude Code
https://claude.ai/code/session_01C1aHkQxSgAg5xYXsm1pYRQ
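The precedence rule the PR describes (Nix dev-env layered over the ambient environment, then the two certificate-bundle variables restored from the user's original values), as an added illustration that is not Devbox's own code: `layerEnv`, `preserveUserCertFiles` and `computeCertEnv` are hypothetical names, the store path and environment values are constructed, and treating an empty value as "unset" is this example's assumption.

```go
package main

import "fmt"

// certVars are the only variables whose user-provided values are restored
// after the Nix dev-env is layered on top of the ambient environment.
var certVars = []string{"NIX_SSL_CERT_FILE", "SSL_CERT_FILE"}

// layerEnv models the merge described in the PR: every key from the
// `nix print-dev-env` output overwrites the same key in the original env.
func layerEnv(original, nixEnv map[string]string) map[string]string {
	merged := make(map[string]string, len(original)+len(nixEnv))
	for k, v := range original {
		merged[k] = v
	}
	for k, v := range nixEnv {
		merged[k] = v
	}
	return merged
}

// preserveUserCertFiles is a hypothetical stand-in for the PR's restore helper:
// a certificate-bundle variable the user explicitly exported wins over the Nix
// store bundle; if the user left it unset (assumed: missing or empty), the Nix
// value stays so the default keeps working.
func preserveUserCertFiles(original, merged map[string]string) map[string]string {
	for _, k := range certVars {
		if v, ok := original[k]; ok && v != "" {
			merged[k] = v
		}
	}
	return merged
}

// computeCertEnv runs the layering followed by the restore step.
func computeCertEnv(original, nixEnv map[string]string) map[string]string {
	return preserveUserCertFiles(original, layerEnv(original, nixEnv))
}

func main() {
	// Constructed sample: a user behind a corporate proxy exported a custom bundle.
	userEnv := map[string]string{"NIX_SSL_CERT_FILE": "/etc/corp/ca-bundle.crt"}
	// Constructed sample of what an nss-cacert setup hook exports; the store path is a placeholder.
	storeBundle := "/nix/store/<hash>-nss-cacert/etc/ssl/certs/ca-bundle.crt"
	nixEnv := map[string]string{"NIX_SSL_CERT_FILE": storeBundle, "SSL_CERT_FILE": storeBundle}
	env := computeCertEnv(userEnv, nixEnv)
	fmt.Println("NIX_SSL_CERT_FILE =", env["NIX_SSL_CERT_FILE"]) // user bundle wins
	fmt.Println("SSL_CERT_FILE     =", env["SSL_CERT_FILE"])     // Nix default, user never set it
}
```

Because only `certVars` is restored, every other key (for example `PATH`) still takes the Nix dev-env value, matching the PR's "scoped strictly to the two certificate-bundle variables".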