mirror of
https://code.gri.mw/GUI/grim.git
synced 2026-07-13 02:08:54 +00:00
bb3b8c4ecc
Pay: stop reddening the amount while typing — requesting more than you hold is a valid request, so the digits stay black. Pressing Pay without enough funds now shakes and briefly flashes the amount red and buzzes the phone, then settles back. Bigger scan-to-pay puck. Settings: the username "@" moves inside the field as the "@yourname" placeholder (a leading "@" the user types is stripped). Mixnet routing is shortened to "All traffic" and flagged in the privacy color. The Build row links to GitHub releases. Network reads "MW + Nym mixnet + nostr". The Nym third-party row shows the linked SDK version instead of "socks5". Wallet: expose GRIM's native by-hand slatepack flow as an advanced "Slatepacks" page — paste to receive/pay/finalize, or create a payment slatepack to hand over. The fallback for when a payment can't ride a @username. CI: fix the red GitHub builds. nym-sdk is a path dep on ../nym, which the runners didn't have. A composite action materializes the pinned upstream nym commit plus Goblin's small Android webpki patch before each build; aws-lc-sys uses prebuilt NASM on native Windows. Builds: strip release binaries, dropping ~17 MB of debug symbols from the desktop build.
83 lines
3.3 KiB
Diff
83 lines
3.3 KiB
Diff
From f6ed17d949cc19fee0fb51db3cb65771fd510d5b Mon Sep 17 00:00:00 2001
|
|
From: 2ro <17595647+2ro@users.noreply.github.com>
|
|
Date: Sat, 13 Jun 2026 19:57:24 -0400
|
|
Subject: [PATCH] http-api-client: preconfigured webpki roots on Android
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
The default rustls platform verifier needs the app JNI context, which a
|
|
standalone client process (Goblin's bundled SOCKS5 sidecar) lacks — it panics
|
|
on the first nym-api HTTPS call. Pin webpki_roots::TLS_SERVER_ROOTS on Android
|
|
per Nym's own troubleshooting docs.
|
|
---
|
|
Cargo.lock | 1 +
|
|
common/http-api-client/Cargo.toml | 5 ++++-
|
|
common/http-api-client/src/registry.rs | 22 ++++++++++++++++++++++
|
|
3 files changed, 27 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/Cargo.lock b/Cargo.lock
|
|
index ba1fb92..cdeddfc 100644
|
|
--- a/Cargo.lock
|
|
+++ b/Cargo.lock
|
|
@@ -7020,6 +7020,7 @@ dependencies = [
|
|
"tracing-subscriber",
|
|
"url",
|
|
"wasmtimer",
|
|
+ "webpki-roots 0.26.11",
|
|
]
|
|
|
|
[[package]]
|
|
diff --git a/common/http-api-client/Cargo.toml b/common/http-api-client/Cargo.toml
|
|
index 6c28d77..3f577c5 100644
|
|
--- a/common/http-api-client/Cargo.toml
|
|
+++ b/common/http-api-client/Cargo.toml
|
|
@@ -38,7 +38,10 @@ itertools = { workspace = true }
|
|
inventory = { workspace = true }
|
|
fastrand = { workspace = true }
|
|
tokio = { workspace = true, features = ["rt", "macros", "time"] }
|
|
-rustls = { workspace=true }
|
|
+rustls = { workspace = true, features = ["aws_lc_rs"] }
|
|
+# Android: preconfigured webpki roots replace the JNI-bound platform verifier
|
|
+# (see registry.rs); a standalone sidecar process can't init the platform store.
|
|
+webpki-roots = { workspace = true }
|
|
# used for decoding text responses (they were already implicitly included)
|
|
bytes = { workspace = true }
|
|
encoding_rs = { workspace = true }
|
|
diff --git a/common/http-api-client/src/registry.rs b/common/http-api-client/src/registry.rs
|
|
index 4e09570..03cb945 100644
|
|
--- a/common/http-api-client/src/registry.rs
|
|
+++ b/common/http-api-client/src/registry.rs
|
|
@@ -66,6 +66,28 @@ pub fn default_builder() -> ReqwestClientBuilder {
|
|
}
|
|
}
|
|
|
|
+ // On Android the default rustls verifier (rustls-platform-verifier) reaches
|
|
+ // the system trust store through JNI and must be initialized with the app's
|
|
+ // Java context. A standalone client process (e.g. Goblin's bundled SOCKS5
|
|
+ // sidecar) has no such context, so the verifier panics
|
|
+ // ("Expect rustls-platform-verifier to be initialized") the moment it makes
|
|
+ // its first HTTPS call to the nym-api. Per Nym's own troubleshooting docs,
|
|
+ // pin preconfigured webpki roots instead so HTTPS verifies without the
|
|
+ // platform store. Desktop/Windows keep the default verifier.
|
|
+ #[cfg(target_os = "android")]
|
|
+ {
|
|
+ let mut roots = rustls::RootCertStore::empty();
|
|
+ roots.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
|
|
+ let tls = rustls::ClientConfig::builder_with_provider(std::sync::Arc::new(
|
|
+ rustls::crypto::aws_lc_rs::default_provider(),
|
|
+ ))
|
|
+ .with_safe_default_protocol_versions()
|
|
+ .expect("aws-lc-rs provides the safe default protocol versions")
|
|
+ .with_root_certificates(roots)
|
|
+ .with_no_client_auth();
|
|
+ b = b.use_preconfigured_tls(tls);
|
|
+ }
|
|
+
|
|
b
|
|
}
|
|
|
|
--
|
|
2.54.0
|
|
|