go: use NIX_SSL_CERT_FILE for crypto/x509

[LnL7]

Motivation for this change

Fixes issues with crypto/x509 since SSL_CERT_FILE was renamed to NIX_SSL_CERT_FILE, eg.

$ go get -v gopkg.in/yaml/v1
Fetching https://gopkg.in/yaml/v1?go-get=1
fatal error: unexpected signal during runtime execution
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x178a91f]

runtime stack:
runtime.throw(0x149e811, 0x2a)
	/nix/store/w1990ccmglr59q6aqj60gf6fz63619nq-go-1.8/share/go/src/runtime/panic.go:596 +0x95
runtime.sigpanic()
	/nix/store/w1990ccmglr59q6aqj60gf6fz63619nq-go-1.8/share/go/src/runtime/signal_unix.go:274 +0x2db

/cc @zimbatm

Things done

• Tested using sandboxing
  (nix.useSandbox on NixOS,
  or option build-use-sandbox in nix.conf
  on non-NixOS)
• Built on platform(s)
  • NixOS
  • macOS
  • Linux
• Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Fits CONTRIBUTING.md.

---

[mention-bot]

@LnL7, thanks for your PR! By analyzing the history of the files in this pull request, we identified @avnik, @globin and @edolstra to be potential reviewers.

[Mic92]

Is this also relevant for nixos (regarding backport)?

[LnL7]

I would say yes. A single user install only sets NIX_SSL_CERT_FILE so go would not use the cert bundle from nixpkgs unlike other tools like curl, git, ...

[zimbatm]

This will fix the segfaults on Darwin but is really a workaround.

As a general rule, programs should read from the host's CA. Otherwise it's not possible for users to set their own certificate chains for internal networks.

[Mic92]

In that case I would rather have this patch, if not necessary (on linux).

[LnL7]

@zimbatm There's no file with the cert bundle on darwin so it's not possible to use the host's CA like on other systems. I don't know if this is an issue with cgo or the loadSystemRoots implementation.

[zimbatm]

This seems to be related to our issue: golang/go#17972 . Basically Go's interface to the native Mac TLS/CA library is not very stable.

I agree that the patch could be applied only on Darwin as it's a workaround just for that platform. Actually it could also come in handy in a nix sandbox fetcher environment

[copumpkin]

Why does this need to be set in the build env?

[edolstra]

Yeah, it's unclear to me why Go would need a certificate bundle at build time. Is it going to download something via https?

[copumpkin]

I hope not! Perhaps it does some sort of sanity check during tests? Seems weird though...

[LnL7]

Yes, it's for the tests

[copumpkin]

So it seems like we should open a separate issue about the cgo interface to the mac native certificate chain, since that should work as a fallback, even if we merge this.

[Gabriella439]

I ran into this issue today. If you have an older Nix installation (like I did) which defines SSL_CERT_FILE instead of NIX_SSL_CERT_FILE you need to update your profile to add:

export NIX_SSL_CERT_FILE="${SSL_CERT_FILE}"

... and then the segmentation fault goes away