NIX_SSL_CERT_FILE unreadable on darwin with sandbox enabled

[TomaSajt]

Describe the bug

NIX_SSL_CERT_FILE seems to be unreadable on Darwin systems with sandboxing enabled.

This breaks many things in nixpkgs, e.g. fetchgit and rustPlatform.fetchCargoVendor

fetchCargoVendor failure: NixOS/nixpkgs#385366
fetchgit failure: NixOS/nixpkgs#385366 (comment)

Steps To Reproduce

Could someone with an actual darwin machine confirm this? Thanks :)

I think this is how you reproduce it

1. install nix on a Darwin system
2. have sandboxing enabled
3. in a FOD derivation, have impureEnvVars = lib.fetchers.proxyImpureEnvVars (a list that contains NIX_SSL_CERT_FILE among others)
4. in the FOD's build script do the following:
   4.1. make sure $NIX_SSL_CERT_FILE is actually set to the proper value instead of the fallback /no-cert-file.crt value
   4.2. do cat "$NIX_SSL_CERT_FILE"
5. get a permission error (which I'm assuming means that it is blocked by the sandbox)

Additional context

Using a relaxed sandbox seems to work fine.

Checklist

• checked latest Nix manual (source)
• checked open bug issues and pull requests for possible duplicates

---

Add 👍 to issues you find important.

[n8henrie]

Thanks for opening this.

Repro for me:

$ nix config show sandbox
true
$ nix repl nixpkgs#legacyPackages.aarch64-darwin
Nix 2.24.12
Type :? for help.
Loading installable 'flake:nixpkgs#legacyPackages.aarch64-darwin'...
Added 24154 variables.
nix-repl> :b fetchgit { url = "https://github.com/n8henrie/flake-templates"; hash = "sha256-nkwrC+gtQ1AgD0LOmnweBs25aIErWWiv8qckplrofvk=";}
error: builder for '/nix/store/i80ansib9qpy96ydqvxx1h8vvcmfv4h0-flake-templates.drv' failed with exit code 1;
       last 7 log lines:
       > exporting https://github.com/n8henrie/flake-templates (rev HEAD) into /nix/store/ycbh64cs7finbl4z8ig7wqm1k0iydbrr-flake-templates
       > Initialized empty Git repository in /nix/store/ycbh64cs7finbl4z8ig7wqm1k0iydbrr-flake-templates/.git/
       > fatal: unable to access 'https://github.com/n8henrie/flake-templates/': SSL certificate problem: unable to get local issuer certificate
       > fatal: unable to access 'https://github.com/n8henrie/flake-templates/': SSL certificate problem: unable to get local issuer certificate
       > fatal: unable to access 'https://github.com/n8henrie/flake-templates/': SSL certificate problem: unable to get local issuer certificate
       > fatal: unable to access 'https://github.com/n8henrie/flake-templates/': SSL certificate problem: unable to get local issuer certificate
       > Unable to checkout HEAD from https://github.com/n8henrie/flake-templates.
       For full logs, run 'nix log /nix/store/i80ansib9qpy96ydqvxx1h8vvcmfv4h0-flake-templates.drv'.
error: build of '/nix/store/i9qaqh66iydxzr0sqqpkz6wvqfs63xdw-flake-templates.drv' failed
[0 built (4 failed), 0.0 MiB DL]

• system: "aarch64-darwin"
• host os: Darwin 24.3.0, macOS 15.3.2
• multi-user?: yes
• sandbox: yes
• version: nix-env (Nix) 2.24.12
• channels(root): "nixpkgs"
• nixpkgs: /nix/store/6pz76h4dyj2s9il8pbrxi1knkmbs0z9a-source

[khaneliman]

@WeetHet created https://gerrit.lix.systems/c/lix/+/2869 in lix that sounds like it should resolve the issue.