qdigidoc: fix TSL loading

These are what's used to regularly push new certificate fingerprints to clients, so we need to keep the original URL configured. Use the same approach as fedora, ship an "initial" TSL as a patch, and also patch out the downloading part during the build phase. This seems to reliably get ID Card and SmartID signing to work again. Fixes #334397. Fixes #307927. (cherry picked from commit 0e29f00)
NixOS · Nov 20, 2024 · ba65002 · ba65002
1 parent 9ad7b04
commit ba65002
Show file tree

Hide file tree

Showing 2 changed files with 11,128 additions and 11 deletions.
diff --git a/pkgs/tools/security/qdigidoc/default.nix b/pkgs/tools/security/qdigidoc/default.nix
@@ -31,21 +31,15 @@ mkDerivation rec {
       url = "https://github.com/open-eid/DigiDoc4-Client/commit/bb324d18f0452c2ab1b360ff6c42bb7f11ea60d7.patch";
       hash = "sha256-JpaU9inupSDsZKhHk+sp5g+oUynVFxR7lshjTXoFIbU=";
     })
-  ];
 
-  # Check https://dss.nowina.lu/tl-info, "Pivots loaded" section
-  tsl = fetchurl {
-    url = "https://ec.europa.eu/tools/lotl/eu-lotl-pivot-341.xml";
-    hash = "sha256-/TI8qYxXzourjGFPBpsQzi9Depi7lLQ2JaV+FyP0FtE=";
-  };
+    # Regularly update this with what's on https://src.fedoraproject.org/rpms/qdigidoc/blob/rawhide/f/sandbox.patch
+    # This prevents attempts to download TSL lists inside the build sandbox.
+    # The list files are regularly updated (get new signatures), though this also happens at application runtime.
+    ./sandbox.patch
+  ];
 
   nativeBuildInputs = [ cmake gettext pkg-config qttools ];
 
-  postPatch = ''
-    substituteInPlace client/CMakeLists.txt \
-      --replace $\{TSL_URL} file://${tsl}
-  '';
-
   buildInputs = [
     flatbuffers
     libdigidocpp