Make /usr/bin/security available in pure nix shell

avdv · avdv · commit 31171a520f49 · 2023-12-18T15:16:06.000+01:00
Downloading from https://hackage.haskell.org/ would otherwise fail with: ``` HttpExceptionRequest Request { host = "hackage.haskell.org" port = 443 secure = True requestHeaders = [("Accept-Encoding",""),("User-Agent","Haskell pantry package")] path = "/root.json" queryString = "" method = "GET" proxy = Nothing rawBody = False redirectCount = 10 responseTimeout = ResponseTimeoutDefault requestVersion = HTTP/1.1 proxySecureMode = ProxySecureWithConnect } (InternalException (HandshakeFailed (Error_Protocol "certificate rejected: security: createProcess: posix_spawnp: does not exist (No such file or directory)" CertificateUnknown))) ``` See commercialhaskell/stack#4558
diff --git a/shell.nix b/shell.nix
@@ -1,6 +1,13 @@
 { pkgs ? import ./nixpkgs { }, docTools ? true, ghcVersion ? "9.2.8" }:
 
 with pkgs;
+
+let
+  macOS-security =
+    # make `/usr/bin/security` available in `PATH`, which is needed for stack
+    # on darwin which calls this binary to find certificates
+    writeScriptBin "security" ''exec /usr/bin/security "$@"'';
+in
 mkShell {
   # XXX: hack for macosX, this flags disable bazel usage of xcode
   # Note: this is set even for linux so any regression introduced by this flag
@@ -36,7 +43,9 @@ mkShell {
     # check the start script for problems
     shellcheck
     file
-  ] ++ lib.optionals docTools [ graphviz python39Packages.sphinx zip unzip ];
+  ]
+  ++ lib.optionals docTools [ graphviz python39Packages.sphinx zip unzip ]
+  ++ lib.optional stdenv.isDarwin macOS-security;
 
   packages = [ bazel_6 ];
 
