I like this approach.
This adds a --use-feature=truststore flag that, when specified on Python 3.10+ with truststore installed, switches pip to use truststore to provide HTTPS certificate validation, instead of certifi. This allows pip to verify certificates against custom certificates in the system store. truststore is deliberately NOT vendored because it is expected the library to be under active development in the short term, and this prevents users having to wait for a pip release to get potentially vital bug fixes needed to be made in truststore. Supplying the use-feature flag without installing truststore beforehand, or on Python versions prior to 3.10, results in a command error.
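The gating described above (Python 3.10+ and an importable `truststore`, otherwise a command error, and certifi as the default), as an added illustration that is not pip's code or this PR's diff. `CommandError`, the injectable `version_info`/`import_module` parameters and the `fake_truststore` stand-in are assumptions of this example, and the stdlib default context stands in for pip's certifi-backed one.

```python
import importlib
import ssl
import sys

class CommandError(Exception):
    """Stand-in for pip's CommandError (hypothetical name in this example)."""

def select_ssl_context(use_truststore, version_info=sys.version_info,
                       import_module=importlib.import_module):
    """Return the SSLContext HTTPS validation should use.

    use_truststore is True when --use-feature=truststore was given; version_info
    and import_module are injectable so the gate can be exercised offline.
    """
    if not use_truststore:
        # Default path: pip roots trust in certifi's bundle; the stdlib default
        # context stands in here so the example runs without certifi installed.
        return ssl.create_default_context()
    if version_info < (3, 10):
        raise CommandError("The truststore feature is only available for Python 3.10+")
    try:
        truststore = import_module("truststore")
    except ImportError:
        raise CommandError("To use the truststore feature, 'truststore' must be "
                           "installed into pip's current environment") from None
    # truststore.SSLContext validates chains against the OS trust store
    # (Security.framework, CryptoAPI or OpenSSL's system paths), not certifi.
    return truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

def gate_error(use_truststore, version_info, import_module):
    """Return the CommandError message the gate would raise, or None."""
    try:
        select_ssl_context(use_truststore, version_info, import_module)
    except CommandError as exc:
        return str(exc)
    return None

def fake_truststore(name):
    """Constructed stand-in for an installed 'truststore' package (not the real library)."""
    class _Module:
        @staticmethod
        def SSLContext(protocol):
            return ("truststore", protocol)
    return _Module

def missing_truststore(name):
    """Simulates the package not being installed in pip's environment."""
    raise ImportError(name)
```

Calling `select_ssl_context(True, (3, 9), fake_truststore)` or `select_ssl_context(True, (3, 11), missing_truststore)` raises the respective `CommandError`; `gate_error` wraps that for inspection.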
Can’t think of a very good way to test this, did what I could. It’s difficult to test against a custom cert, and this is supposed to be seamless otherwise 😅
I guess you could install a dummy package that provided an importable "truststore" which printed a message on stdout but otherwise did nothing, and test that it got called? Sort of like a custom mock object. OTOH, maybe that's more work than this warrants - what you've got seems fine.
(I forgot whether we said we want this in 22.1 or 22.2.) |
Adding a note on testing pip+truststore together: I've created sethmlarson/truststore#49 which once this PR is merged we'll begin testing pip with truststore mode enabled using a custom certificate loaded into the OS via
I think 22.2 is a better idea. I'd like to get 22.1 out this week.
Apologies for the ping, but in the interest of making sure this PR doesn't go stale: it looks like 22.1 was released a week ago. Are we clear to merge this into the development branch so we can start building our integration tests around pip's repository? Also once this is merged I can take a stab at contributing documentation to pip's "User's Guide" on this feature if that's desirable from the team. Thanks again!
I’m pulling the trigger. |
See #11038 (and other issues linked there).