From 1df1e6166cce17e9edf9b64886191ffa922d2d31 Mon Sep 17 00:00:00 2001
From: Morgan Jones <me@numin.it>
Date: Sun, 16 Nov 2025 17:19:06 -0800
Subject: [PATCH] pkcs11-provider: skip softhsm on non-x86_64

softhsm is flaky and this fixes a ZHF failure:
https://github.com/softhsm/SoftHSMv2/issues/803

We use Kryoptic now, which behaves predictably, so this isn't a problem.
---
 pkgs/by-name/pk/pkcs11-provider/package.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pkgs/by-name/pk/pkcs11-provider/package.nix b/pkgs/by-name/pk/pkcs11-provider/package.nix
index a19126f0f492..fb9d3fd9b6c7 100644
--- a/pkgs/by-name/pk/pkcs11-provider/package.nix
+++ b/pkgs/by-name/pk/pkcs11-provider/package.nix
@@ -49,7 +49,6 @@ stdenv.mkDerivation rec {
   nativeCheckInputs = [
     p11-kit.bin
     opensc
-    softhsm
     kryoptic
     nss.tools
     gnutls
@@ -57,6 +56,13 @@ stdenv.mkDerivation rec {
     expect
     valgrind
     pkcs11ProviderPython3
+  ]
+  ++ lib.optionals stdenv.hostPlatform.isx86_64 [
+    # softokn and kryoptic are OK; softhsm is pretty flaky.
+    # This fails with a `pkcs11-provider:softhsm / tls - FAIL - exit status 1`.
+    # Considering that kryoptic is the Rust replacement, we can rely on it instead:
+    # https://github.com/softhsm/SoftHSMv2/issues/803
+    softhsm
   ];
 
   env = {