25 stdenv.mkDerivation rec {
26 pname = "curl-impersonate-ff";
34 src = fetchFromGitHub {
36 repo = "curl-impersonate";
38 hash = "sha256-ExmEhjJC8FPzx08RuKOhRxKgJ4Dh+ElEl+OUHzRCzZc=";
42 # Fix shebangs and command paths in the NSS build scripts
43 # (patchShebangs/substituteInPlace can't be used directly because the Makefile unpacks the NSS sources itself)
44 ./curl-impersonate-0.6.1-fix-command-paths.patch
46 # SOCKS5 heap buffer overflow - https://curl.se/docs/CVE-2023-38545.html
48 name = "curl-impersonate-patch-cve-2023-38545.patch";
49 url = "https://github.com/lwthiker/curl-impersonate/commit/e7b90a0d9c61b6954aca27d346750240e8b6644e.diff";
50 hash = "sha256-jFrz4Q+MJGfNmwwzHhThado4c9hTd/+b/bfRsr3FW5k=";
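54 # Disable blanket -Werror: minor warnings in `boringssl` otherwise fail
55 # the build with `gcc-13`. Note that NIX_CFLAGS_COMPILE is applied to every
55 # compiler invocation in this build, not only to `boringssl`.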
56 env.NIX_CFLAGS_COMPILE = "-Wno-error";
60 depsBuildBuild = lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
61 buildPackages.stdenv.cc
65 lib.optionals stdenv.hostPlatform.isDarwin [
66 # Must come first so that it shadows the 'libtool' command but leaves 'libtoolize'
73 python3.pythonOnBuildForHost.pkgs.gyp
90 if stdenv.hostPlatform.isDarwin then "/etc/ssl/cert.pem" else "/etc/ssl/certs/ca-certificates.crt"
92 "--with-ca-path=${cacert}/etc/ssl/certs"
95 buildFlags = [ "firefox-build" ];
96 checkTarget = "firefox-checkbuild";
97 installTargets = [ "firefox-install" ];
101 dontUseCmakeConfigure = true;
102 dontUseNinjaBuild = true;
103 dontUseNinjaInstall = true;
104 dontUseNinjaCheck = true;
106 postUnpack = lib.concatStringsSep "\n" (
107 lib.mapAttrsToList (name: dep: "ln -sT ${dep.outPath} source/${name}") (
108 lib.filterAttrs (n: v: v ? outPath) passthru.deps
113 export GOCACHE=$TMPDIR/go-cache
114 export GOPATH=$TMPDIR/go
115 export GOPROXY=file://${passthru.boringssl-go-modules}
118 # Need to get value of $out for this flag
119 configureFlagsArray+=("--with-libnssckbi=$out/lib")
124 # Remove vestigial *-config script
125 rm $out/bin/curl-impersonate-ff-config
127 # Patch all shebangs of installed scripts
128 patchShebangs $out/bin
131 make -C curl-*/include install
133 + lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
134 # Build and install completions for each curl binary
136 # Patch in the correct binary name and alias the completion to every curl_* script in $out/bin
137 perl curl-*/scripts/completion.pl --curl $out/bin/curl-impersonate-ff --shell zsh >$TMPDIR/curl-impersonate-ff.zsh
138 substituteInPlace $TMPDIR/curl-impersonate-ff.zsh \
141 "#compdef curl-impersonate-ff$(find $out/bin -name 'curl_*' -printf ' %f=curl-impersonate-ff')"
143 perl curl-*/scripts/completion.pl --curl $out/bin/curl-impersonate-ff --shell fish >$TMPDIR/curl-impersonate-ff.fish
144 substituteInPlace $TMPDIR/curl-impersonate-ff.fish \
147 "--command curl-impersonate-ff$(find $out/bin -name 'curl_*' -printf ' --command %f')"
149 # Install zsh and fish completions
150 installShellCompletion $TMPDIR/curl-impersonate-ff.{zsh,fish}
155 libext = stdenv.hostPlatform.extensions.sharedLibrary;
158 # If libcurl-impersonate references nssckbi, provide libnssckbi as a symlink to p11-kit-trust so that nss is not needed in the closure
159 if grep -F nssckbi $out/lib/libcurl-impersonate-*${libext} &>/dev/null; then
160 ln -s ${p11-kit}/lib/pkcs11/p11-kit-trust${libext} $out/lib/libnssckbi${libext}
161 ${lib.optionalString stdenv.hostPlatform.isElf ''
162 patchelf --add-needed libnssckbi${libext} $out/lib/libcurl-impersonate-*${libext}
167 disallowedReferences = [ go ];
170 deps = callPackage ./deps.nix { };
172 updateScript = ./update.sh;
174 boringssl-go-modules =
176 inherit (passthru.deps."boringssl.zip") name;
178 src = passthru.deps."boringssl.zip";
179 vendorHash = "sha256-SNUsBiKOGWmkRdTVABVrlbLAVMfu0Q9IgDe+kFC5vXs=";
181 nativeBuildInputs = [ unzip ];
188 description = "Special build of curl that can impersonate Chrome & Firefox";
189 homepage = "https://github.com/lwthiker/curl-impersonate";
190 license = with licenses; [
194 maintainers = with maintainers; [ deliciouslytyped ];
195 platforms = platforms.unix;
196 mainProgram = "curl-impersonate-ff";