devel/arcanist-lib: Use Mozilla root CA bundle

This fixes problems with Let's Encrypt certificates after
the R3 Let's Encrypt intermediate CA expired.

Arcanist uses its own certificate bundle by default (default.pem),
overriding curl's default, unless curl.cainfo is set explicitly.

The port now replaces this custom bundle with a symlink to Mozilla's
root CA bundle as installed by security/ca_root_nss.

PR: 258824
Reported by: yasu

1 files changed, 5 insertions, 0 deletions

diff --git a/devel/arcanist-lib/Makefile b/devel/arcanist-lib/Makefile
index b73e2d8f8a7d..7344c35a2d3d 100644
--- a/devel/arcanist-lib/Makefile
+++ b/devel/arcanist-lib/Makefile
@@ -1,5 +1,6 @@
 PORTNAME?=	arcanist
 PORTVERSION?=	20210113
+PORTREVISION?=  1
 CATEGORIES?=	devel
 PKGNAMESUFFIX=	${SLAVE_PKGNAMESUFFIX}${PHP_PKGNAMESUFFIX}
 
@@ -36,6 +37,8 @@ PLIST=		${.CURDIR}/pkg-plist
 .if ${SLAVEPORT} == lib
 SLAVE_PKGNAMESUFFIX=	-${SLAVEPORT}
 
+RUN_DEPENDS=	ca_root_nss>0:security/ca_root_nss
+
 OPTIONS_DEFINE=	ENCODINGS
 OPTIONS_DEFAULT=ENCODINGS
 ENCODINGS_DESC=	Support for encodings other than utf-8
@@ -78,6 +81,8 @@ do-install:
 	@${REINPLACE_CMD} \
 		's|%%PYTHON_CMD%%|${PYTHON_CMD}|g' \
 		${STAGEDIR}${PREFIX}/${PHP_DESTDIR}/src/workflow/ArcanistAnoidWorkflow.php
+	${LN} -sf ${LOCALBASE}/share/certs/ca-root-nss.crt \
+		${STAGEDIR}${PREFIX}/${PHP_DESTDIR}/resources/ssl/default.pem
 	${RLN} ${STAGEDIR}${PREFIX}/${PHP_DESTDIR}/support/shell/hooks/bash-completion.sh \
 		 ${STAGEDIR}${PREFIX}/share/bash-completion/completions/arc
 	${STAGEDIR}${PREFIX}/${PHP_DESTDIR}/bin/arc shell-complete --generate