1
0
forked from GRIN/grim

Build 69: fetch nym from our own mirror, not upstream GitHub

Point .github/actions/fetch-nym at git.us-ea.st/GRIN/nym (branch goblin =
upstream nymtech/nym @ b6eb391 + our Android webpki-roots patch) and clone it
directly. Drops both the upstream-GitHub fetch and the git-apply patch step —
the last third-party dependency in the build chain is now self-hosted. Removes
the now-unused ci/nym-webpki-android.patch.
This commit is contained in:
2ro
2026-06-14 12:32:56 -04:00
parent 56099539aa
commit 5445b48a69
2 changed files with 8 additions and 98 deletions
+8 -16
View File
@@ -1,31 +1,23 @@
name: Fetch patched nym SDK
description: >
Materialize the nym workspace at ../nym (sibling of the goblin checkout) so the
`nym-sdk = { path = "../nym/sdk/rust/nym-sdk" }` dependency resolves. We pin the
exact upstream commit Goblin was built against and apply Goblin's small
Android webpki-roots patch on top — no separate nym fork to maintain.
Clone the patched nym workspace from our own mirror
(git.us-ea.st/GRIN/nym, branch `goblin` = upstream nymtech/nym @ b6eb391 +
Goblin's Android webpki-roots patch) into ../nym, so the
`nym-sdk = { path = "../nym/sdk/rust/nym-sdk" }` dependency resolves.
Self-hosted: no upstream-GitHub fetch and no patch-apply step.
runs:
using: composite
steps:
- name: Clone + patch nym
- name: Clone patched nym
shell: bash
run: |
set -euo pipefail
# Upstream nymtech/nym commit Goblin's Cargo.lock was generated against.
NYM_SHA=b6eb391e85be7eb8fca62def6d1ac32fd1108c30
DEST="$(dirname "$GITHUB_WORKSPACE")/nym"
if [ -e "$DEST/sdk/rust/nym-sdk/Cargo.toml" ]; then
echo "nym already present at $DEST"
exit 0
fi
rm -rf "$DEST"
mkdir -p "$DEST"
cd "$DEST"
git init -q
git remote add origin https://github.com/nymtech/nym.git
# Fetch just the pinned commit (GitHub allows reachable-SHA fetches).
git fetch -q --depth 1 origin "$NYM_SHA"
git checkout -q FETCH_HEAD
git apply --whitespace=nowarn "$GITHUB_WORKSPACE/ci/nym-webpki-android.patch"
echo "nym materialized at $DEST ($NYM_SHA + Goblin webpki patch)"
git clone --branch goblin --depth 1 https://git.us-ea.st/GRIN/nym.git "$DEST"
echo "nym cloned from GRIN/nym@goblin -> $DEST"
-82
View File
@@ -1,82 +0,0 @@
From f6ed17d949cc19fee0fb51db3cb65771fd510d5b Mon Sep 17 00:00:00 2001
From: 2ro <17595647+2ro@users.noreply.github.com>
Date: Sat, 13 Jun 2026 19:57:24 -0400
Subject: [PATCH] http-api-client: preconfigured webpki roots on Android
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The default rustls platform verifier needs the app JNI context, which a
standalone client process (Goblin's bundled SOCKS5 sidecar) lacks — it panics
on the first nym-api HTTPS call. Pin webpki_roots::TLS_SERVER_ROOTS on Android
per Nym's own troubleshooting docs.
---
Cargo.lock | 1 +
common/http-api-client/Cargo.toml | 5 ++++-
common/http-api-client/src/registry.rs | 22 ++++++++++++++++++++++
3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/Cargo.lock b/Cargo.lock
index ba1fb92..cdeddfc 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -7020,6 +7020,7 @@ dependencies = [
"tracing-subscriber",
"url",
"wasmtimer",
+ "webpki-roots 0.26.11",
]
[[package]]
diff --git a/common/http-api-client/Cargo.toml b/common/http-api-client/Cargo.toml
index 6c28d77..3f577c5 100644
--- a/common/http-api-client/Cargo.toml
+++ b/common/http-api-client/Cargo.toml
@@ -38,7 +38,10 @@ itertools = { workspace = true }
inventory = { workspace = true }
fastrand = { workspace = true }
tokio = { workspace = true, features = ["rt", "macros", "time"] }
-rustls = { workspace=true }
+rustls = { workspace = true, features = ["aws_lc_rs"] }
+# Android: preconfigured webpki roots replace the JNI-bound platform verifier
+# (see registry.rs); a standalone sidecar process can't init the platform store.
+webpki-roots = { workspace = true }
# used for decoding text responses (they were already implicitly included)
bytes = { workspace = true }
encoding_rs = { workspace = true }
diff --git a/common/http-api-client/src/registry.rs b/common/http-api-client/src/registry.rs
index 4e09570..03cb945 100644
--- a/common/http-api-client/src/registry.rs
+++ b/common/http-api-client/src/registry.rs
@@ -66,6 +66,28 @@ pub fn default_builder() -> ReqwestClientBuilder {
}
}
+ // On Android the default rustls verifier (rustls-platform-verifier) reaches
+ // the system trust store through JNI and must be initialized with the app's
+ // Java context. A standalone client process (e.g. Goblin's bundled SOCKS5
+ // sidecar) has no such context, so the verifier panics
+ // ("Expect rustls-platform-verifier to be initialized") the moment it makes
+ // its first HTTPS call to the nym-api. Per Nym's own troubleshooting docs,
+ // pin preconfigured webpki roots instead so HTTPS verifies without the
+ // platform store. Desktop/Windows keep the default verifier.
+ #[cfg(target_os = "android")]
+ {
+ let mut roots = rustls::RootCertStore::empty();
+ roots.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
+ let tls = rustls::ClientConfig::builder_with_provider(std::sync::Arc::new(
+ rustls::crypto::aws_lc_rs::default_provider(),
+ ))
+ .with_safe_default_protocol_versions()
+ .expect("aws-lc-rs provides the safe default protocol versions")
+ .with_root_certificates(roots)
+ .with_no_client_auth();
+ b = b.use_preconfigured_tls(tls);
+ }
+
b
}
--
2.54.0