
[scl.org] [PATCH] Make rh-python36-python-pip use system ca cert trust (vs embedded)



Hi All,

I hope this is an appropriate channel for patch submissions. Here is a patch that mirrors the base "python3-pip" approach to use the system CA cert trust file, rather than the one that gets embedded into pip via the Requests/Certifi packages. This is preferable because it lets pip pick up locally administered CA trust (e.g. certs issued by an internal CA). This helps immensely when running a private secure pip/pypi repo!

This should be testable by comparing the output of these two commands:
scl enable rh-python36 'python -mpip._vendor.requests.certs'
python3 -mpip._vendor.requests.certs

The output if pip is using bundled certs is something like:
/opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/pip/_vendor/requests/cacert.pem
versus system certs:
/etc/pki/tls/certs/ca-bundle.crt
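The two commands above tell you which bundle pip's vendored requests will read; the follow-up question an administrator of an internal CA usually has is whether that bundle actually contains their CA. The script below is an added example written for this post, not code from the patch or from pip: it wraps the same `python -m pip._vendor.requests.certs` check, classifies the reported path as system or bundled (the path patterns are an assumption based on the two outputs quoted above), and looks a given certificate up in the bundle by SHA-256 fingerprint of its DER encoding. The sample bundle at the bottom is constructed from placeholder bytes so the fingerprint logic can be exercised offline; it is not a real certificate.

```python
"""Which CA bundle does pip trust, and is my internal CA in it?
Added example for this post; not part of the patch or of pip itself."""
import hashlib
import re
import ssl
import subprocess
import sys

# Path quoted in the post for the system trust store on RHEL-style systems.
SYSTEM_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"

# One PEM certificate block, including its header and footer lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def pem_blocks(bundle_text):
    """Return every PEM CERTIFICATE block found in a bundle (comments skipped)."""
    return _PEM_BLOCK.findall(bundle_text)


def der_fingerprints(bundle_text):
    """Hex SHA-256 fingerprint of each certificate's DER encoding."""
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in pem_blocks(bundle_text)]


def bundle_contains(bundle_text, der_bytes):
    """True if a certificate with exactly this DER encoding is in the bundle."""
    return hashlib.sha256(der_bytes).hexdigest() in der_fingerprints(bundle_text)


def classify_bundle_path(path):
    """'system' for an OS-managed store, 'bundled' for pip's vendored copy.
    Heuristic (assumption): matches the two paths quoted in the post."""
    if path == SYSTEM_BUNDLE or path.startswith("/etc/ssl/certs/"):
        return "system"
    if "/site-packages/pip/_vendor/" in path:
        return "bundled"
    return "unknown"


def pip_ca_bundle_path(python=sys.executable):
    """Ask an interpreter which bundle its pip uses (the post's check command).
    Returns None if pip is not importable in that interpreter."""
    proc = subprocess.run([python, "-m", "pip._vendor.requests.certs"],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


# Constructed sample: placeholder bytes wrapped as PEM, NOT real certificates.
SAMPLE_BUNDLE = ("# constructed bundle for testing\n"
                 + ssl.DER_cert_to_PEM_cert(b"constructed-cert-A")
                 + ssl.DER_cert_to_PEM_cert(b"constructed-cert-B"))


if __name__ == "__main__":
    # Usage: python check_pip_ca.py [internal-ca.pem]
    path = pip_ca_bundle_path()
    if path is None:
        print("pip not importable in", sys.executable)
        sys.exit(1)
    print(path, "->", classify_bundle_path(path))
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            ca_der = ssl.PEM_cert_to_DER_cert(pem_blocks(f.read())[0])
        with open(path) as f:
            print("internal CA present in bundle:", bundle_contains(f.read(), ca_der))
```

Run it under `scl enable rh-python36` and again with the base `python3` to see both classifications; pass your internal CA's PEM file as the first argument to confirm it is actually in the bundle pip reads. Comparing DER fingerprints rather than subject names avoids false positives from a stale certificate with the same subject.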

A similar patch could probably be applied to prior SCL python (3.[345]). But I hope by getting it in 3.6, it will walk forward for 3.7+.

The attached patch is public domain.

attached: 0001-include-patch-from-python-pip-for-system-CA-cert-tru.patch

Regards,

James Flemer

NDP
1909 26th Street, Suite 1E
Boulder, Colorado 80302
Office: 720-897-7334
Cell: 970-217-3204
james flemer ndpgroup com
www.ndpgroup.com

From 36f6069128150b2724d40d045cb6a95a5a36de1d Mon Sep 17 00:00:00 2001
From: "James E. Flemer" <james.flemer@ndpgroup.com>
Date: Thu, 16 Apr 2020 16:22:40 +0000
Subject: [PATCH] include patch from python-pip for system CA cert trust

---
 SOURCES/dummy-certifi.patch | 13 +++++++++++++
 SPECS/python-pip.spec       | 14 +++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/dummy-certifi.patch

diff --git a/SOURCES/dummy-certifi.patch b/SOURCES/dummy-certifi.patch
new file mode 100644
index 0000000..4afc3d8
--- /dev/null
+++ b/SOURCES/dummy-certifi.patch
@@ -0,0 +1,13 @@
+--- pip-9.0.1/pip/_vendor/requests/certs.py	2016-11-06 18:49:45.000000000 +0000
++++ dummy-certifi/pip/_vendor/requests/certs.py	2020-04-16 12:48:44.206090267 +0000
+@@ -18,8 +18,8 @@
+ except ImportError:
+     def where():
+         """Return the preferred certificate bundle."""
+-        # vendored bundle inside Requests
+-        return os.path.join(os.path.dirname(__file__), 'cacert.pem')
++        # system CA certs
++        return '/etc/pki/tls/certs/ca-bundle.crt'
+ 
+ if __name__ == '__main__':
+     print(where())
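Review bot: the replacement `where()` sits in the `except ImportError:` fallback, so it is only reached when the `from certifi import where` attempt above it fails; if the vendored tree carries a certifi module, the hardcoded `/etc/pki/tls/certs/ca-bundle.crt` is never returned and pip keeps trusting whatever certifi points at. Please confirm against the 9.0.1 vendored sources that the fallback is the branch actually taken, or patch the import as well so the behaviour does not depend on it. Since the new path has no existence check, a missing file fails closed (every verified connection errors out), which is the right default for a trust store.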
diff --git a/SPECS/python-pip.spec b/SPECS/python-pip.spec
index d6dbcb7..94b2fd8 100644
--- a/SPECS/python-pip.spec
+++ b/SPECS/python-pip.spec
@@ -15,7 +15,7 @@
 
 Name:           %{?scl_prefix}python-%{srcname}
 Version:        9.0.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A tool for installing and managing Python packages
 
 Group:          Development/Libraries
@@ -24,6 +24,10 @@ URL:            http://www.pip-installer.org
 Source0:        https://files.pythonhosted.org/packages/source/p/pip/%{srcname}-%{version}.tar.gz
 Patch0:         allow-stripping-given-prefix-from-wheel-RECORD-files.patch
 
+# Use the system level root certificate instead of the one bundled in certifi
+# https://bugzilla.redhat.com/show_bug.cgi?id=1655253
+Patch1:         dummy-certifi.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildArch:      noarch
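Review bot: the comment says the certificate is "bundled in certifi", but the file this patch edits is `pip/_vendor/requests/certs.py` and the bundle being replaced is requests' own `cacert.pem`; wording it as "bundled with the vendored requests/certifi" will save the next maintainer a search for a certifi module. The bugzilla link is a good breadcrumb; the bug id is worth repeating in the %changelog entry so the two stay connected.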
@@ -47,6 +51,11 @@ easy_installable should be pip-installable as well.
 %setup -q -n %{srcname}-%{version}
 
 %patch0 -p1
+%patch1 -p1
+
+# this goes together with patch1
+rm pip/_vendor/*/*.pem
+sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt
 
 %{__sed} -i '1d' pip/__init__.py
 %{?scl:EOF}
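Review bot: `rm pip/_vendor/*/*.pem` without `-f` is the right call: if a future rebase moves the bundle so the glob matches nothing, %prep aborts instead of silently shipping an embedded bundle next to the patched `where()`. What is missing is a runtime guarantee that `/etc/pki/tls/certs/ca-bundle.crt` exists: with the .pem files deleted there is no fallback, so the spec should add `Requires: ca-certificates` (none of the hunks shown add one). The `sed` on `pip.egg-info/SOURCES.txt` keeps the egg-info consistent with the deletion; the "this goes together with patch1" comment could say so explicitly.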
@@ -88,6 +97,9 @@ pip3 install -I dist/%{python3_wheelname} --root %{buildroot} --strip-file-prefi
 %{python3_sitelib}/pip*
 
 %changelog
+* Thu Apr 16 2020 James E. Flemer <james.flemer@ndpgroup.com> - 9.0.1-3
+- include patch from python-pip for system CA cert trust
+
 * Wed Jun 14 2017 Charalampos Stratakis <cstratak@redhat.com> - 9.0.1-2
 - Rebuild as wheel
 
-- 
1.8.3.1

