Call getDefaultSSLCertFile() only when none is specified

This does pathExists on various paths, which crashes on EPERM in the macOS sandbox.
author: Yorick van Pelt <yorick@yorickvanpelt.nl> 2023-05-11 13:09:02 +0200
committer: Yorick van Pelt <yorick@yorickvanpelt.nl> 2023-05-26 15:36:45 +0200
commit: b7cde90c6b479562eb9f1d9df399d04cf9c42aad (patch)
tree: 9a0e928dad526cc6f31c169145f5063d2a016983 /src/libstore
parent: be4890747051de0e489d608fdba65489c45d2b02 (diff)
2 files changed, 3 insertions, 1 deletions
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index 4c66d08ee..a196c10e6 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -57,6 +57,8 @@ Settings::Settings()
     auto sslOverride = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
     if (sslOverride != "")
         caFile = sslOverride;
+    else if (caFile == "")
+        caFile = getDefaultSSLCertFile();
 
     /* Backwards compatibility. */
     auto s = getEnv("NIX_REMOTE_SYSTEMS");
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 31dfe5b4e..34b4f24a7 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -842,7 +842,7 @@ public:
         )"};
 
     Setting<Path> caFile{
-        this, getDefaultSSLCertFile(), "ssl-cert-file",
+        this, "", "ssl-cert-file",
         R"(
           The path of a file containing CA certificates used to
           authenticate `https://` downloads. Nix by default will use
author	Yorick van Pelt <yorick@yorickvanpelt.nl>	2023-05-11 13:09:02 +0200
committer	Yorick van Pelt <yorick@yorickvanpelt.nl>	2023-05-26 15:36:45 +0200
commit	b7cde90c6b479562eb9f1d9df399d04cf9c42aad (patch)
tree	9a0e928dad526cc6f31c169145f5063d2a016983 /src/libstore
parent	be4890747051de0e489d608fdba65489c45d2b02 (diff)