Merge 73d035b into 9e7c07c

seanbudd · web-flow · commit e99f2feb6f97 · 2025-07-03T05:07:34.000Z
diff --git a/pyproject.toml b/pyproject.toml
@@ -29,6 +29,8 @@ dependencies = [
 	# pinned to a commit in tool.uv.sources
 	"configobj",
 	"requests==2.32.3",
+	# Overrides certifi so that requests uses system certificates instead
+	"pip_system_certs==5.2",
 	"url-normalize==1.4.3",
 	"schedule==1.2.2",
 	# NVDA_DMP requires diff-match-patch
diff --git a/source/addonStore/dataManager.py b/source/addonStore/dataManager.py
@@ -125,7 +125,7 @@ def _getLatestAddonsDataForVersion(self, apiVersion: str) -> Optional[bytes]:
 		url = _getAddonStoreURL(self._preferredChannel, self._lang, apiVersion)
 		try:
 			log.debug(f"Fetching add-on data from {url}")
-			response = requests.get(url, timeout=FETCH_TIMEOUT_S)
+			response = _fetchUrlAndUpdateRootCertificates(url)
 		except requests.exceptions.RequestException as e:
 			log.debugWarning(f"Unable to fetch addon data: {e}")
 			return None
diff --git a/source/addonStore/network.py b/source/addonStore/network.py
@@ -1,5 +1,5 @@
 # A part of NonVisual Desktop Access (NVDA)
-# Copyright (C) 2022-2024 NV Access Limited
+# Copyright (C) 2022-2025 NV Access Limited
 # This file is covered by the GNU General Public License.
 # See the file COPYING for more details.
 
@@ -18,6 +18,7 @@
 	Optional,
 	Tuple,
 )
+from urllib.parse import urlparse
 
 import requests
 
@@ -28,6 +29,7 @@
 from NVDAState import WritePaths
 import threading
 from utils.security import sha256_checksum
+from utils.networking import _is_cert_verification_error, _updateWindowsRootCertificates
 from config import conf
 
 from .models.addon import (
@@ -236,8 +238,8 @@ def _downloadAddonToPath(
 							return False  # The download was cancelled
 		return True
 
-	def _download(self, listItem: "AddonListItemVM[_AddonStoreModel]") -> Optional[os.PathLike]:
-		from gui.message import DisplayableError
+	def _download(self, listItem: "AddonListItemVM[_AddonStoreModel]") -> os.PathLike | None:
+		from gui.message import DisplayableError, messageBox
 
 		# Translators: A title for a dialog notifying a user of an add-on download failure.
 		_addonDownloadFailureMessageTitle = pgettext("addonStore", "Add-on download failure")
@@ -257,6 +259,40 @@ def _download(self, listItem: "AddonListItemVM[_AddonStoreModel]") -> Optional[o
 		try:
 			if not self._downloadAddonToPath(listItem, inProgressFilePath):
 				return None  # The download was cancelled
+		except requests.exceptions.SSLError as e:
+			if _is_cert_verification_error(e):
+				import wx
+
+				if (
+					messageBox(
+						message=pgettext(
+							"addonStore",
+							# Translators: A message to the user if an add-on download fails.
+							# url is replaced with the base URL of the add-on download e.g. (github.com).
+							"The website where you are downloading the add-on from has a certificate that is not trusted. "
+							"Do you want to trust the root certificate for {url}? "
+							"This will allow you to download add-ons from this website in the future. "
+							"Only do this if you trust the website. ",
+						).format(url=urlparse(addonData.URL).netloc),
+						caption=_addonDownloadFailureMessageTitle,
+						style=wx.OK | wx.CANCEL | wx.CENTRE | wx.ICON_WARNING,
+					)
+					== wx.OK
+				):
+					_updateWindowsRootCertificates(addonData.URL)
+					return self._download(listItem)
+				else:
+					return None  # The download was cancelled
+			else:
+				log.debugWarning(f"Unable to download addon file: {e}")
+				raise DisplayableError(
+					pgettext(
+						"addonStore",
+						# Translators: A message to the user if an add-on download fails
+						"Unable to download add-on: {name}",
+					).format(name=addonData.displayName),
+					_addonDownloadFailureMessageTitle,
+				)
 		except requests.exceptions.RequestException as e:
 			log.debugWarning(f"Unable to download addon file: {e}")
 			raise DisplayableError(
diff --git a/source/core.py b/source/core.py
@@ -32,6 +32,8 @@
 import NVDAState
 from NVDAState import WritePaths
 
+import pip_system_certs.wrapt_requests
+
 if TYPE_CHECKING:
 	import wx
 
@@ -694,6 +696,9 @@ def main():
 		WritePaths.configDir = config.getUserDefaultConfigPath(
 			useInstalledPathIfExists=globalVars.appArgs.launcher,
 		)
+
+	# Use Windows root certificates for requests rather than certifi.
+	pip_system_certs.wrapt_requests.inject_truststore()
 	# Initialize the config path (make sure it exists)
 	config.initConfigPath()
 	log.info(f"Config dir: {WritePaths.configDir}")
diff --git a/user_docs/en/changes.md b/user_docs/en/changes.md
@@ -70,6 +70,7 @@ There have also been a number of other fixes and improvements, including to mous
 * In focus mode in web browsers, it is now possible to review and spell the labels of controls when those labels are specifically provided for accessibility; e.g. via `aria-label` or `aria-labelledby`. (#15159, @jcsteh)
 * It is now possible to review and spell the labels of controls in Google Chrome menus and dialogs. (#11285, @jcsteh)
 * When typing into a cell in Microsoft Excel, the braille display is now correctly updated to show the new content. (#18391)
+* Fixed bug when trying to access the Add-on Store from certain environments such as corporates. (#18354)
 
 ### Changes for Developers
 
diff --git a/uv.lock b/uv.lock
