{"id":50893974,"url":"https://github.com/pmarreck/nimble-darwin-ssl-fix","last_synced_at":"2026-06-15T23:01:22.095Z","repository":{"id":362600738,"uuid":"1259937696","full_name":"pmarreck/nimble-darwin-ssl-fix","owner":"pmarreck","description":"nimble for Nix/macOS with working TLS — fixes the openssl dlopen/segfault on nimble refresh/install","archived":false,"fork":false,"pushed_at":"2026-06-05T02:30:00.000Z","size":4,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"yolo","last_synced_at":"2026-06-05T04:12:21.828Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Nix","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pmarreck.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-05T02:21:34.000Z","updated_at":"2026-06-05T02:30:04.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/pmarreck/nimble-darwin-ssl-fix","commit_stats":null,"previous_names":["pmarreck/nimble-darwin-ssl-fix"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/pmarreck/nimble-darwin-ssl-fix","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmarreck%2Fnimble-darwin-ssl-fix","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmarreck%2Fnimble-darwin-ssl-fix/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmarreck%2Fnimble-darwin-ssl-fix/releas
es","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmarreck%2Fnimble-darwin-ssl-fix/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pmarreck","download_url":"https://codeload.github.com/pmarreck/nimble-darwin-ssl-fix/tar.gz/refs/heads/yolo","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pmarreck%2Fnimble-darwin-ssl-fix/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34383468,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-15T02:00:07.085Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-15T23:01:21.172Z","updated_at":"2026-06-15T23:01:22.068Z","avatar_url":"https://github.com/pmarreck.png","language":"Nix","funding_links":[],"categories":[],"sub_categories":[],"readme":"# nimble-darwin-ssl-fix\n\nA Nix flake that ships a **`nimble` whose TLS actually works on Nix/macOS**.\n\nOn nixpkgs/darwin, stock `nimble refresh` (and any `nimble install` that hits the\nnetwork) dies with:\n\n```\nDownloading Official package list\nSIGSEGV: Illegal storage access. (Attempt to read from nil?)\n```\n\nThis flake fixes it. 
`nimble refresh` works in a completely pristine environment —\nno `DYLD_*`, no `SSL_CERT_FILE`, no `--noSSLCheck`.\n\n## Use it\n\n```bash\n# one-off\nnix run github:pmarreck/nimble-darwin-ssl-fix -- refresh\n```\n\n```nix\n# in a devShell (flake)\n{\n  inputs.nimble-fix.url = \"github:pmarreck/nimble-darwin-ssl-fix\";\n  # ...\n  devShells.default = pkgs.mkShell {\n    buildInputs = [ pkgs.nim inputs.nimble-fix.packages.${system}.nimble ];\n  };\n}\n\n# or as an overlay\nnixpkgs.overlays = [ inputs.nimble-fix.overlays.default ];  # replaces pkgs.nimble\n```\n\n## What was actually wrong\n\nThis is **not** a missing nil-check (Nim's `std/openssl` already raises\n`LibraryError` on a failed symbol load), and Nim's SSL itself is fine — a fresh\n`nim c -d:ssl` HTTPS program downloads the very same `packages.json` with no env\nhacks. The bug is specific to how **nimble** is built and how Nim binds OpenSSL on\nnixpkgs:\n\n`lib/wrappers/openssl.nim` binds OpenSSL two ways at once:\n\n1. **Bulk procs** (`SSL_CTX_new`, `SSL_connect`, `SSL_read`, …) — nixpkgs patches\n   these (ehmry, 2023, *\"Do not load openssl with dlopen\"*) to **link** against\n   nixpkgs' OpenSSL at build time.\n2. **Compat procs** (`TLS_method`, `getOpenSSLVersion`, …) — still resolved at\n   **runtime** via `dlopen` of a **bare** library name\n   (`\"libssl(.3|.1.1|…).dylib\"`).\n\nTwo failures compound on darwin:\n\n- The stock nixpkgs `nimble` is built **without `--define:ssl`**, so it isn't even\n  link-bound to nix's OpenSSL. (`otool -L` on the shipped binary shows no libssl.)\n- Even after adding `-d:ssl`, the compat procs' bare-name `dlopen` does **not**\n  resolve to the link-bound nix OpenSSL on macOS. 
The runtime probe lands on a\n  *different* (or no) libssl, and mixing two OpenSSL builds crashes inside\n  `SSL_CTX_new` — exactly the *\"two different openSSL loaded version causes a\n  crash\"* scenario `openssl.nim`'s own header comment warns about.\n\nCrash path (from a stacktrace build):\n\n```\npackageinfo.nim(151)  fetchList\ntools.nim(224)        newSSLContext\nnet.nim(670)          newContext      \u003c- TLS_method()/SSL_CTX_new, mixed openssl\nSIGSEGV\n```\n\nIt works on Linux (and goes unnoticed by maintainers) because there the\nlink-bound OpenSSL is on the loader path, so the leftover runtime probe resolves\nto the *same* library. macOS + Nix + Nim is the unlucky cell.\n\n## The fix (three parts, all empirically required)\n\n1. **`--define:ssl`** — link-bind the bulk procs to nixpkgs OpenSSL.\n2. **`DYLD_FALLBACK_LIBRARY_PATH` → nix openssl `/lib`** — so the compat layer's\n   runtime `dlopen` probe resolves to the **same** OpenSSL. No mismatch, no crash.\n3. **`SSL_CERT_FILE` → cacert bundle** — so certificate verification passes.\n\n(2) and (3) are baked into the binary via `wrapProgram`, so users set nothing.\nSee `flake.nix` for the exact derivation.\n\n## Verified\n\n```\n$ env -i HOME=/tmp/x PATH=/usr/bin:/bin  result/bin/nimble refresh\nDownloading Official package list\n    Success Package list downloaded.\n```\n\n(`env -i` = empty environment; nothing inherited.)\n\n---\n\n## Ready-to-file nixpkgs issue\n\n\u003e **Title:** `nimble` segfaults on `nimble refresh` on aarch64-darwin (no `-d:ssl`\n\u003e + bare-name openssl `dlopen` mismatch)\n\u003e\n\u003e **Description:** The shipped `nimble` (`pkgs/by-name/ni/nimble/package.nix`) is\n\u003e built without `--define:ssl`, so its openssl procs are not link-bound to\n\u003e nixpkgs openssl (`otool -L $(which nimble)` shows no libssl). 
`nimble refresh`\n\u003e SIGSEGVs in `net.newContext` (`tools.nim:224 newSSLContext` → `net.nim:670`).\n\u003e\n\u003e Adding `nimFlags = [ \"--define:ssl\" ]` makes it link libssl, but it **still**\n\u003e segfaults on darwin: Nim's `std/openssl` compat layer (`TLS_method`, etc.)\n\u003e resolves libssl at runtime via a bare-name `dlopen`, which on macOS does not\n\u003e find the link-bound nix openssl, so a *different* openssl is mixed in →\n\u003e crash in `SSL_CTX_new`. A fresh `nim c -d:ssl` HTTPS program works, confirming\n\u003e the issue is nimble's build + the leftover runtime probe, not Nim's SSL.\n\u003e\n\u003e **Fix options:** (a) add `--define:ssl` to the nimble derivation **and** make\n\u003e the openssl compat-probe resolve to the link-bound store path on darwin (patch\n\u003e `DLLSSLName`/`DLLUtilName` to absolute `${openssl}/lib/...` in `nim-unwrapped`),\n\u003e or (b) wrap `nimble` with `DYLD_FALLBACK_LIBRARY_PATH=${openssl}/lib` +\n\u003e `SSL_CERT_FILE`. Note: the `--dynlibOverride:ssl` static route is currently\n\u003e broken in the patched nim (`Error: invalid pragma: gimportc`).\n\n## Sources\n\n- [NixOS/nixpkgs#150982 — nimble \"Illegal storage access\" downloading packages.json](https://github.com/NixOS/nixpkgs/issues/150982)\n- [NixOS/nixpkgs#201456 — nimble refresh invalid certificates (openssl 3.x)](https://github.com/NixOS/nixpkgs/issues/201456)\n- [Nimble troubleshooting — DYLD_LIBRARY_PATH / -d:ssl](https://nim-lang.github.io/nimble/troubleshooting.html)\n- nixpkgs commit *\"Do not load openssl with dlopen\"* (ehmry, 2023) — `pkgs/by-name/ni/nim-unwrapped-2_2/openssl.patch`\n\n## License\n\nMIT (or match upstream nimble's BSD-3 — it's just a build 
wrapper).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpmarreck%2Fnimble-darwin-ssl-fix","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpmarreck%2Fnimble-darwin-ssl-fix","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpmarreck%2Fnimble-darwin-ssl-fix/lists"}