!lheuhImcToQZYTQTuI:nixos.org

Nix on macOS

1163 Members
“There are still many issues with the Darwin platform but most of it is quite usable.” — http://yves.gnu-darwin.org188 Servers

Load older messages

SenderMessageTime
18 Nov 2025
@kegi:tchncs.dekegiInstalling direnv via brew works, so I'll just roll with that for now 🤷13:49:08
@weethet:catgirl.cloudWeetHet 
2025-11-18 16:16:41.419664+0200  localhost kernel[0]: (Sandbox) Sandbox: yarn-berry-fetcher(38716) deny(1) mach-lookup com.apple.SecurityServer
2025-11-18 16:16:41.419696+0200  localhost kernel[0]: (Sandbox) Sandbox: yarn-berry-fetcher(38716) deny(1) file-read-metadata /System/Cryptexes/App
2025-11-18 16:16:41.419700+0200  localhost kernel[0]: (Sandbox) Sandbox: yarn-berry-fetcher(38716) deny(1) file-read-metadata /System/Cryptexes/OS
2025-11-18 16:16:41.419713+0200  localhost kernel[0]: (Sandbox) Sandbox: yarn-berry-fetcher(38716) deny(1) file-read-data /System/Library/Preferences/Logging/Subsystems/com.apple.securityd.plist
2025-11-18 16:16:41.420177+0200  localhost kernel[0]: (Sandbox) Sandbox: yarn-berry-fetcher(38716) deny(1) file-read-metadata /System/Cryptexes/App
2025-11-18 16:16:41.420180+0200  localhost kernel[0]: (Sandbox) Sandbox: yarn-berry-fetcher(38716) deny(1) file-read-metadata /System/Cryptexes/OS
14:19:42
@weethet:catgirl.cloudWeetHet

Results in

❯ nix-build -A packages.frontend --log-format multiline-with-logs --no-out-link
these 2 derivations will be built:
  /nix/store/0z2nw4yb6q8s0736d8p34zlk97w9dpxa-offline.drv
  /nix/store/s0470ndcvvsk03i29lyafqha50mn90y2-frontend-assets-0-unstable.drv
building '/nix/store/0z2nw4yb6q8s0736d8p34zlk97w9dpxa-offline.drv'...
offline> Running phase: unpackPhase
offline> unpacking source archive /nix/store/j1a84bfb29qqg8j9n6b02gbfci875yi3-source
offline> source root is source
offline> Running phase: patchPhase
offline> Running phase: updateAutotoolsGnuConfigScriptsPhase
offline> Running phase: configurePhase
offline> no configure script, doing nothing
offline> Running phase: buildPhase
offline> CacheKey { version: 10, compression: Some(0) }
offline> Fetching https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.27.1.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@babel/plugin-transform-react-jsx/-/plugin-transform-react-jsx-7.27.1.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/flat/-/flat-5.0.2.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@webassemblyjs/floating-point-hex-parser/-/floating-point-hex-parser-1.13.2.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@babel/generator/-/generator-7.28.5.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.28.0.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.27.1.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.27.1.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@rescui/typography/-/typography-0.20.0.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@babel/traverse/-/traverse-7.28.5.tgz failed (try 1/5): bad certificate format
14:21:36
@weethet:catgirl.cloudWeetHet Randy Eckenrode, I think they are trying to use native macOS certificates and failing because we don't have enough of an access 14:22:18
@weethet:catgirl.cloudWeetHetNot sure though14:22:21
@weethet:catgirl.cloudWeetHet Yep, oxhttp = { version = "0.3.0", default-features = false, features = ["client", "native-tls"] } 14:23:06
@weethet:catgirl.cloudWeetHet

This patch helps

diff --git a/lix/libstore/build/sandbox-network.sb b/lix/libstore/build/sandbox-network.sb
index 52ee2d761..cb10f8eb0 100644
--- a/lix/libstore/build/sandbox-network.sb
+++ b/lix/libstore/build/sandbox-network.sb
@@ -23,4 +23,11 @@ R""(
 (allow mach-lookup (global-name "com.apple.trustd"))
 (allow mach-lookup (global-name "com.apple.trustd.agent"))
 
+; Allow native TLS
+(allow file-read-metadata
+       (literal "/System/Cryptexes/OS")
+       (literal "/System/Cryptexes/App"))
+(allow file-read-data (literal "/System/Library/Preferences/Logging/Subsystems/com.apple.securityd.plist"))
+(allow mach-lookup (global-name "com.apple.SecurityServer"))
+
 )""
14:52:04
@raitobezarius:matrix.orgraitobezariusi was worried there we merged something bad14:53:40
@weethet:catgirl.cloudWeetHetLet's see if I can make it smaller14:53:02
@raitobezarius:matrix.orgraitobezariusi don't care that c-ares is disabled again14:53:46
@raitobezarius:matrix.orgraitobezariusbut it's good that c-ares is enabled14:53:49
@raitobezarius:matrix.orgraitobezariusglibc resolver is turbo bad14:53:59
@weethet:catgirl.cloudWeetHetI should go through nixpkgs -> rust full bootstrap and see what doesn't build with full sandbox14:56:51
@weethet:catgirl.cloudWeetHetI'm gonna do it on Christmas probably since I won't have my uni to worry about14:57:33
@weethet:catgirl.cloudWeetHetFor now I'll collect patches to submit them at once14:58:04
@weethet:catgirl.cloudWeetHet

Okay this is enough:

diff --git a/lix/libstore/build/sandbox-network.sb b/lix/libstore/build/sandbox-network.sb
index 52ee2d761..cb10f8eb0 100644
--- a/lix/libstore/build/sandbox-network.sb
+++ b/lix/libstore/build/sandbox-network.sb
@@ -23,4 +23,7 @@ R""(
 (allow mach-lookup (global-name "com.apple.trustd"))
 (allow mach-lookup (global-name "com.apple.trustd.agent"))
 
+; Allow native TLS
+(allow mach-lookup (global-name "com.apple.SecurityServer"))
+
 )""
15:04:06
@weethet:catgirl.cloudWeetHet *

Okay this is enough:

diff --git a/lix/libstore/build/sandbox-network.sb b/lix/libstore/build/sandbox-network.sb
index 52ee2d761..cb10f8eb0 100644
--- a/lix/libstore/build/sandbox-network.sb
+++ b/lix/libstore/build/sandbox-network.sb
@@ -23,4 +23,7 @@ R""(
 (allow mach-lookup (global-name "com.apple.trustd"))
 (allow mach-lookup (global-name "com.apple.trustd.agent"))
 
+; Allow native TLS
+(allow mach-lookup (global-name "com.apple.SecurityServer"))
+
 )""
15:04:11
@reckenrode:matrix.orgRandy EckenrodeWe should not be introducing default impurities.15:10:06
@reckenrode:matrix.orgRandy EckenrodeI wish we could block that stuff even when sandboxing is disabled. 😕15:10:58
@reckenrode:matrix.orgRandy EckenrodeBut also, we need to define what the actual purpose of the sandbox is supposed to be.15:12:29
@reckenrode:matrix.orgRandy EckenrodeIs this a MitM issue? What does NixOS do?15:13:02
@reckenrode:matrix.orgRandy Eckenrode * 15:13:13
@reckenrode:matrix.orgRandy EckenrodeOr nixpkgs on other Linux.15:13:26
@weethet:catgirl.cloudWeetHetIs native TLS an impurity?15:50:17
@weethet:catgirl.cloudWeetHetNixOS only has openssl certs but macOS has system certs as well15:50:50
@weethet:catgirl.cloudWeetHet I don't know if not having access to com.apple.SecurityServer is a purity issue 15:51:27
@k900:0upti.meK900FWIW on Linux Nix will copy system certs to the sandbox15:51:27
@weethet:catgirl.cloudWeetHetThis issue occurs because the package tries to use certs from the Keychain15:52:07
@weethet:catgirl.cloudWeetHetYou can't copy it15:52:17
@weethet:catgirl.cloudWeetHetAnd I think that not having access to it is a bug15:52:30

Show newer messages

Back to Room ListRoom Version: 6