If GNUTLS_PIN is not available in the environment, the test will fail
because it cannot ask for the password:

Generating a self signed certificate...
No PIN given.
note: when operating in batch mode, set the GNUTLS_PIN or GNUTLS_SO_PIN environment variables
cert generation failed
FAIL certtool (exit status: 1)

The comment above this line says "some CI runners need GNUTLS_PIN
(GNUTLS_PIN=${PASS})" (i.e. GNUTLS_PIN=1234). When this is passed
instead, the test fails again because "No password was asked" (it greps
for "Enter password" in the output, but this won't happen because
GNUTLS_PIN is set).

The folks at Nix believe this is an incompatibility due to musl's
getpass not falling back to stdin/stderr if it cannot connect to a tty,
as glibc does.  Upstream believes this test should only be run on glibc
systems, so we skip it.

https://gitlab.com/gnutls/gnutls/-/issues/945

--- gnutls-3.6.13/tests/cert-tests/certtool.sh	2020-01-01 14:10:19.000000000 -0600
+++ gnutls-3.6.13/tests/cert-tests/certtool.sh	2020-06-02 20:36:20.380039844 -0500
@@ -20,6 +20,9 @@
 
 #set -e
 
+echo 'this test is not compatible with musl'
+exit 77
+
 : ${srcdir=.}
 : ${CERTTOOL=../../src/certtool${EXEEXT}}
 : ${DIFF=diff -b -B}