Install truststore and certifi modules with pip #12652
Comments
Truststore has been vendored into pip since September of last year: 9ee4b8c. Since pip 23.3, you shouldn't need to install truststore in your environment to use the feature. What version of pip are you using in your company?
Thanks @ichard26, I just started to dig deeper and realized that it works in older Python images but not in mine. We are using Python 3.10 (latest) images that come with pip 23.0.1, which is probably why I am experiencing these hurdles. The documentation, however, says:
So I was completely sure it must be present in my version. Is it a mistake in the documentation?
The documentation is a bit confusing, indeed. While the truststore feature was added in 22.2, truststore was only vendored (i.e. added to the pip codebase so the end user doesn't need to install it) in 23.3. It's probably worth adding a note to the documentation clarifying that.
Update
truststore is already bundled with pip starting v23.3 (thanks ichard26), which is higher than the one described in the request.
It seems like only the documentation needs to be updated, as it confusingly mentions version 22.2.
Certifi is also bundled with pip.
What's the problem this feature will solve?
In my company there is a practice of decrypting SSL traffic, which is achieved by installing the company's CA certificate on user machines, where it serves as the new root for the decrypted traffic.
The pip documentation honestly says it does not use the system's certificate store and uses the curated collection from certifi.
As advertised in the documentation, --use-feature=truststore is supposed to fix the certificate validation problem when the proper root certificate is installed in the OS CA store. However, when tried in a fresh Python installation, the user gets the error:
The "When to use" section of the documentation suggests the following use case for this feature:
This is my case, and I have the company's root certificate in /etc/ssl/certs, but in order to use it, I need to install the truststore package first. Thus, it becomes a chicken-and-egg problem, as in order to use the feature I need to install the module, and the installation process depends on the module itself.
Same applies to certifi: I need to add a certificate into its collection in order to fix certificate validation for Python clients, but before that I need to install the module itself, which is not possible due to SSL validation error.
It is a minor problem on the developer's local machine, but becomes a bigger problem with Docker as this quest has to be passed in every new image.
Describe the solution you'd like
truststore and certifi are added by default (maybe as dependencies of pip), granted they play a special role in the Python ecosystem.
Alternative Solutions
Workarounds are clumsy and barely sustainable. In particular, I'd like the same image to be built successfully on my machine and in the CI pipeline, which run in different environments, and to minimize the code required to support both use cases. Now I need to run pip with the --cert parameter first before I can do further manipulations with pip and certifi.
Additional context
https://pip.pypa.io/en/stable/topics/https-certificates/
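One way to avoid the chicken-and-egg step in an image build, as an added example that is not part of the original issue or of pip: choose the trust option from the pip version, using the 23.3 vendoring threshold given in the comments. The function names and the CA bundle path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue): pick pip's TLS trust option by version.
# Threshold from the thread: truststore is vendored into pip since 23.3;
# before that, --use-feature=truststore needs truststore installed first.

# version_ge A B: succeed when dotted version A >= B, comparing major.minor.
version_ge() {
    a="$1.0"; b="$2.0"                       # pad so "23" parses as 23.0
    a_major=${a%%.*}; a_minor=${a#*.}; a_minor=${a_minor%%.*}
    b_major=${b%%.*}; b_minor=${b#*.}; b_minor=${b_minor%%.*}
    # Drop pre-release suffixes such as "1b1" -> "1".
    a_minor=${a_minor%%[!0-9]*}; b_minor=${b_minor%%[!0-9]*}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "${a_minor:-0}" -ge "${b_minor:-0}" ]
}

# installed_pip_version: second field of "pip X.Y.Z from ... (python 3.N)".
installed_pip_version() {
    python3 -m pip --version | awk '{print $2}'
}

# pip_tls_args PIP_VERSION CA_BUNDLE
# Prints the single option that lets this pip trust the corporate root CA.
pip_tls_args() {
    pip_version=$1; ca_bundle=$2
    if version_ge "$pip_version" 23.3; then
        # Vendored truststore: pip validates against the OS trust store.
        printf '%s\n' '--use-feature=truststore'
    elif [ -r "$ca_bundle" ]; then
        # Older pip: pass the PEM bundle explicitly instead of installing
        # truststore over a connection that cannot be validated yet.
        printf '%s\n' "--cert=$ca_bundle"
    else
        echo "pip $pip_version has no vendored truststore and" \
             "CA bundle '$ca_bundle' is not readable" >&2
        return 1
    fi
}

# Usage in a Dockerfile RUN step (bundle path is an assumed Debian default):
#   opt=$(pip_tls_args "$(installed_pip_version)" \
#         /etc/ssl/certs/ca-certificates.crt) || exit 1
#   python3 -m pip install "$opt" --upgrade pip
```

Failing when neither option is available keeps the build from falling back to disabling certificate validation.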