Build 69: fetch nym from our own mirror, not upstream GitHub
Point .github/actions/fetch-nym at git.us-ea.st/GRIN/nym (branch goblin = upstream nymtech/nym @ b6eb391 + our Android webpki-roots patch) and clone it directly. Drops both the upstream-GitHub fetch and the git-apply patch step — the last third-party dependency in the build chain is now self-hosted. Removes the now-unused ci/nym-webpki-android.patch.
@@ -1,31 +1,23 @@
name: Fetch patched nym SDK
description: >
Materialize the nym workspace at ../nym (sibling of the goblin checkout) so the
`nym-sdk = { path = "../nym/sdk/rust/nym-sdk" }` dependency resolves. We pin the
exact upstream commit Goblin was built against and apply Goblin's small
Android webpki-roots patch on top — no separate nym fork to maintain.
Clone the patched nym workspace from our own mirror
(git.us-ea.st/GRIN/nym, branch `goblin` = upstream nymtech/nym @ b6eb391 +
Goblin's Android webpki-roots patch) into ../nym, so the
`nym-sdk = { path = "../nym/sdk/rust/nym-sdk" }` dependency resolves.
Self-hosted: no upstream-GitHub fetch and no patch-apply step.
runs:
using: composite
steps:
- name: Clone + patch nym
- name: Clone patched nym
shell: bash
run: |
set -euo pipefail
# Upstream nymtech/nym commit Goblin's Cargo.lock was generated against.
NYM_SHA=b6eb391e85be7eb8fca62def6d1ac32fd1108c30
DEST="$(dirname "$GITHUB_WORKSPACE")/nym"
if [ -e "$DEST/sdk/rust/nym-sdk/Cargo.toml" ]; then
echo "nym already present at $DEST"
exit 0
fi
rm -rf "$DEST"
mkdir -p "$DEST"
cd "$DEST"
git init -q
git remote add origin https://github.com/nymtech/nym.git
# Fetch just the pinned commit (GitHub allows reachable-SHA fetches).
git fetch -q --depth 1 origin "$NYM_SHA"
git checkout -q FETCH_HEAD
git apply --whitespace=nowarn "$GITHUB_WORKSPACE/ci/nym-webpki-android.patch"
echo "nym materialized at $DEST ($NYM_SHA + Goblin webpki patch)"
git clone --branch goblin --depth 1 https://git.us-ea.st/GRIN/nym.git "$DEST"
echo "nym cloned from GRIN/nym@goblin -> $DEST"
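Review bot: The new `git clone --branch goblin --depth 1 https://git.us-ea.st/GRIN/nym.git "$DEST"` line checks out whatever the mirror's `goblin` branch points to at build time, whereas the removed fetch pinned `NYM_SHA=b6eb391e…` and checked out `FETCH_HEAD`, so the exact-revision pin was dropped together with the upstream dependency and any later push to `goblin` silently changes what every subsequent build compiles against (and what Cargo.lock was generated from). Moving the dependency in-house is a good step, but a self-hosted branch is still a mutable ref and not a substitute for pinning. Consider recording the expected head of `goblin` (the mirror commit, which is not the upstream base `b6eb391` since the patch sits on top) and verifying it after the clone: `NYM_SHA=<expected goblin head — fill in>` followed by `[ "$(git -C "$DEST" rev-parse HEAD)" = "$NYM_SHA" ] || { echo "nym mirror at unexpected commit $(git -C "$DEST" rev-parse HEAD)"; exit 1; }`. The same comparison would also tighten the unchanged early-exit above, which currently reuses any checkout that has a `sdk/rust/nym-sdk/Cargo.toml` regardless of its revision.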
@@ -1,82 +0,0 @@
From f6ed17d949cc19fee0fb51db3cb65771fd510d5b Mon Sep 17 00:00:00 2001
From: 2ro <17595647+2ro@users.noreply.github.com>
Date: Sat, 13 Jun 2026 19:57:24 -0400
Subject: [PATCH] http-api-client: preconfigured webpki roots on Android
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The default rustls platform verifier needs the app JNI context, which a
standalone client process (Goblin's bundled SOCKS5 sidecar) lacks — it panics
on the first nym-api HTTPS call. Pin webpki_roots::TLS_SERVER_ROOTS on Android
per Nym's own troubleshooting docs.
---
Cargo.lock | 1 +
common/http-api-client/Cargo.toml | 5 ++++-
common/http-api-client/src/registry.rs | 22 ++++++++++++++++++++++
3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/Cargo.lock b/Cargo.lock
index ba1fb92..cdeddfc 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -7020,6 +7020,7 @@ dependencies = [
"tracing-subscriber",
"url",
"wasmtimer",
+ "webpki-roots 0.26.11",
]
[[package]]
diff --git a/common/http-api-client/Cargo.toml b/common/http-api-client/Cargo.toml
index 6c28d77..3f577c5 100644
--- a/common/http-api-client/Cargo.toml
+++ b/common/http-api-client/Cargo.toml
@@ -38,7 +38,10 @@ itertools = { workspace = true }
inventory = { workspace = true }
fastrand = { workspace = true }
tokio = { workspace = true, features = ["rt", "macros", "time"] }
-rustls = { workspace=true }
+rustls = { workspace = true, features = ["aws_lc_rs"] }
+# Android: preconfigured webpki roots replace the JNI-bound platform verifier
+# (see registry.rs); a standalone sidecar process can't init the platform store.
+webpki-roots = { workspace = true }
# used for decoding text responses (they were already implicitly included)
bytes = { workspace = true }
encoding_rs = { workspace = true }
diff --git a/common/http-api-client/src/registry.rs b/common/http-api-client/src/registry.rs
index 4e09570..03cb945 100644
--- a/common/http-api-client/src/registry.rs
+++ b/common/http-api-client/src/registry.rs
@@ -66,6 +66,28 @@ pub fn default_builder() -> ReqwestClientBuilder {
}
}
+ // On Android the default rustls verifier (rustls-platform-verifier) reaches
+ // the system trust store through JNI and must be initialized with the app's
+ // Java context. A standalone client process (e.g. Goblin's bundled SOCKS5
+ // sidecar) has no such context, so the verifier panics
+ // ("Expect rustls-platform-verifier to be initialized") the moment it makes
+ // its first HTTPS call to the nym-api. Per Nym's own troubleshooting docs,
+ // pin preconfigured webpki roots instead so HTTPS verifies without the
+ // platform store. Desktop/Windows keep the default verifier.
+ #[cfg(target_os = "android")]
+ {
+ let mut roots = rustls::RootCertStore::empty();
+ roots.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
+ let tls = rustls::ClientConfig::builder_with_provider(std::sync::Arc::new(
+ rustls::crypto::aws_lc_rs::default_provider(),
+ ))
+ .with_safe_default_protocol_versions()
+ .expect("aws-lc-rs provides the safe default protocol versions")
+ .with_root_certificates(roots)
+ .with_no_client_auth();
+ b = b.use_preconfigured_tls(tls);
+ }
+
b
}
--
2.54.0