@WilliButz, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @bjornfor and @rickynils to be potential reviewers.

Just FYI, I don't think we verify certificates on any of our fetches. Your change won't hurt anything, but I wanted to make sure you understood the implications. The main argument is that we already check the hash we download so are less paranoid about malicious remotes.

The bigger potential concern is eavesdropping/MITM, which the Nix community has largely ignored/discounted so far. Not checking certificates could allow someone to watch what you're downloading, but it seems a bit less concerning in this sort of case, when the IP you hit strongly suggests what you're doing on it.

Does nix-prefetch-url verify certificates? That would be necessary for bootstrapping the hash.

https would be still useful for nix-prefetch-url -A spotify.src in this case.

@copumpkin @Mic92 seems like nix-prefetch-url does indeed verify certificates:

for example trying to get the hash of the index.html of the following domains gives a corresponding certificate related error:

nix-prefetch-url https://untrusted-root.badssl.com/index.html downloading ‘https://untrusted-root.badssl.com/index.html’... [0/0 KiB, 0.0 KiB/s] error: unable to download ‘https://untrusted-root.badssl.com/index.html’: Peer certificate cannot be authenticated with given CA certificates (60)

nix-prefetch-url https://self-signed.badssl.com/index.html downloading ‘https://self-signed.badssl.com/index.html’... [0/0 KiB, 0.0 KiB/s] error: unable to download ‘https://self-signed.badssl.com/index.html’: Peer certificate cannot be authenticated with given CA certificates (60)