[Chore] Check host certiticate explicitly

Problem: 'libgit2' now performce host certificate checking when connecting to a git hosting through ssh. However, it only checks '~/.ssh/known_hosts` for the list of known hosts, while on NixOS and home-manager known host files are defined in 'GlobalKnownHostsFile' anb 'UserKnownHostsFile' attributes of the OpenSSH config file. As a result, 'update-daemon' failes to check 'github.com' and 'gitlab.com' host certificates. Solution: Explicitly check git host certificate against the list of known hosts from 'GlobalKnownHostsFile' and 'UserKnownHostsFile' taken from '/etc/ssh/ssh_config' and '~/.ssh/config' respectively using 'ssh2-rs'.
serokell · Mar 19, 2024 · d8e43e5 · d8e43e5
1 parent 41ae852
commit d8e43e5
Show file tree

Hide file tree

Showing 7 changed files with 278 additions and 42 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -27,3 +27,9 @@ chrono = "0.4"
 indexmap = { version = "1.9", features = [ "serde", "serde-1" ] }
 merge = "0.1"
 gpgme = "0.10.0"
+ssh2 = "0.9"
+ssh2-config = "0.2"
+
+# Remove once changes are appear in upstream and the new crate version is released
+[patch.crates-io]
+ssh2-config = { git = "https://github.com/serokell/ssh2-config.git", branch = "rvem/populate-ignored-fields-with-ignored-instead-of-unparsed" }
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -11,12 +11,18 @@
   inputs = {
     flake-compat.flake = false;
     naersk.url = "github:nix-community/naersk";
+    # Needed for libgit2-1.7.2. TODO: remove after repin
+    nixpkgs-unstable.url = "github:nixos/nixpkgs";
   };
 
-  outputs = { self, nixpkgs, flake-utils, serokell-nix, naersk, ... }:
+  outputs = { self, nixpkgs, nixpkgs-unstable, flake-utils, serokell-nix, naersk, ... }:
     flake-utils.lib.eachSystem [ "x86_64-linux" ] (system:
       let
-        pkgs = nixpkgs.legacyPackages.${system}.extend serokell-nix.overlay;
+        pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
+        pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} [
+          serokell-nix.overlay
+          (_: _: { libgit2 = pkgs-unstable.libgit2; })
+        ];
         naersk' = pkgs.callPackage naersk {};
         nix = pkgs.nix;
 
@@ -34,6 +40,7 @@
           buildInputs = [
             pkgs.openssl
             pkgs.libgit2
+            pkgs.libssh2
             pkgs.libgpg-error
             pkgs.gpgme
           ];
@@ -54,6 +61,9 @@
                 -A clippy::cast-possible-truncation \
                 -A clippy::nonminimal_bool''
           ];
+          # Force using libgit2 from nix environment
+          LIBGIT2_NO_VENDOR = 1;
+          LIBSSH2_SYS_USE_PKG_CONFIG = 1;
         };
       in {
         packages = {
@@ -83,6 +93,11 @@
             pkg-config
             reuse
             libgit2
+            pkgs.openssl
+            pkgs.libgit2
+            pkgs.libssh2
+            pkgs.libgpg-error
+            pkgs.gpgme
           ];
         };
       }) // {