authorMaxim Cournoyer <maxim.cournoyer@gmail.com>2025-02-10 21:54:34 +0900
committerAndreas Enge <andreas@enge.fr>2026-03-06 14:52:03 +0100
commit38e7132dcfd37799a1392eb1a6fcdaa2c16bdfef (patch)
treebb4393c7a551b758ffdfc1d3867d56781d6d4f9b /gnu
parent356234dc5f4f70aace50542f50bcda07378f8716 (diff)
gnu: gnutls: Use p11-kit to provide the default certificates.
This makes it so that GnuTLS always knows to locate the nss-certs without users having to do anything. This default behavior can be modified by users via the p11-kit configuration mechanism, which can be done per-user. * gnu/packages/patches/gnutls-skip-trust-store-test.patch: Delete file. * gnu/local.mk (dist_patch_DATA): De-register it. * gnu/packages/tls.scm (gnutls) [source]: Remove 'gnutls-skip-trust-store-test.patch' patch. [#:configure-flags]: Delete "--with-default-trust-store-dir=/etc/ssl/certs". Add "--with-default-trust-store-pkcs11=pkcs11:". Update comment. Fixes: <https://issues.guix.gnu.org/75902> Fixes: <https://issues.guix.gnu.org/46779> Change-Id: Ie45bfe8c2884c1ab277b0fba6135a5af3a9b6a3d
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/gnutls-skip-trust-store-test.patch15
-rw-r--r--gnu/packages/tls.scm18
3 files changed, 6 insertions, 28 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 1b4d3ac37b6..f3c01e0e9c5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1518,7 +1518,6 @@ dist_patch_DATA = \
%D%/packages/patches/gnumach-version.patch \
%D%/packages/patches/gnupg-default-pinentry.patch \
%D%/packages/patches/gnupg-1-build-with-gcc10.patch \
- %D%/packages/patches/gnutls-skip-trust-store-test.patch \
%D%/packages/patches/gnutls-no-which.patch \
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
%D%/packages/patches/gobject-introspection-absolute-shlib-path-1.72.patch \
diff --git a/gnu/packages/patches/gnutls-skip-trust-store-test.patch b/gnu/packages/patches/gnutls-skip-trust-store-test.patch
deleted file mode 100644
index e0536712a59..00000000000
--- a/gnu/packages/patches/gnutls-skip-trust-store-test.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Version 3.5.11 added a test to check that the default trust store is readable.
-It does not exist in the build environment, so pretend everything is fine.
-
-diff a/tests/trust-store.c b/tests/trust-store.c
---- a/tests/trust-store.c
-+++ b/tests/trust-store.c
-@@ -61,7 +61,7 @@
- } else if (ret < 0) {
- fail("error loading system trust store: %s\n", gnutls_strerror(ret));
- } else if (ret == 0) {
-- fail("no certificates were found in system trust store!\n");
-+ success("no trust store in the Guix build environment!\n");
- }
-
- gnutls_certificate_free_credentials(x509_cred);
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 6cdbbec9a87..ed942e2df59 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -217,8 +217,7 @@ living in the same process.")
(uri (string-append "mirror://gnupg/gnutls/v"
(version-major+minor version)
"/gnutls-" version ".tar.xz"))
- (patches (search-patches "gnutls-no-which.patch"
- "gnutls-skip-trust-store-test.patch"))
+ (patches (search-patches "gnutls-no-which.patch"))
(sha256
(base32
"1v9090cbajf02cw01idfbp0cgmgjn5091ff1b96hqryi0bc17qb9"))))
@@ -241,16 +240,11 @@ living in the same process.")
;; ld.so.cache file.
"--with-zlib=link"
"--with-zstd=link"
- ;; GnuTLS doesn't consult any environment variables to specify
- ;; the location of the system-wide trust store. Instead it has a
- ;; configure-time option. Unless specified, its configure script
- ;; attempts to auto-detect the location by looking for common
- ;; places in the file system, none of which are present in our
- ;; chroot build environment. If not found, then no default trust
- ;; store is used, so each program has to provide its own
- ;; fallback, and users have to configure each program
- ;; independently. This seems suboptimal.
- "--with-default-trust-store-dir=/etc/ssl/certs")
+ ;; Configure GnuTLS to use the p11-kit trust module by default,
+ ;; which is more flexible and knows to look at locations we've
+ ;; configured it to, on top of allowing users to configure it
+ ;; further.
+ "--with-default-trust-store-pkcs11=pkcs11:")
#:phases
#~(modify-phases %standard-phases
#$@(if (target-ppc32?)
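Review bot: The bare `pkcs11:` URI on the new `--with-default-trust-store-pkcs11` line matches every token p11-kit exposes, so the default set of trust anchors is now whatever the p11-kit trust module is configured to serve, including per-user overrides as the description says; the new comment should state that boundary explicitly instead of "locations we've configured it to", e.g. `;; Anchors come from the p11-kit trust module, so the trusted CA set is governed by p11-kit's configuration (system-wide and per-user), not by a fixed directory.` Separately, removing gnutls-skip-trust-store-test.patch means tests/trust-store.c now fails when zero certificates are found in the system trust store, so presumably the build-side p11-kit exposes anchors in the chroot or the test is otherwise not run; that is not visible here and is worth a one-line comment on the `(patches ...)` form in the earlier hunk. The `#:configure-flags` list starts before this hunk and the gnutls package definition continues after it.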