From 56cb628ee87272affe580931fd61c36e2eca6876 Mon Sep 17 00:00:00 2001
From: Kovid Goyal
Date: Mon, 16 Aug 2021 17:16:03 +0530
Subject: [PATCH] macOS: Bundle mozilla's root certificates with kitty

Apple doesnt provide root certificates in a form useable by openssl which means all ssl based network requests fail, so bundle our own
Fixes #3936
---
 __main__.py | 26 +++++++++++++++++++-------
 bypy/macos/__main__.py | 11 +++++++++++
 docs/changelog.rst | 7 +++++++
 3 files changed, 37 insertions(+), 7 deletions(-)
diff --git a/__main__.py b/__main__.py
index 82ec96db6..37e5b8076 100644
--- a/__main__.py
+++ b/__main__.py
@@ -123,17 +123,29 @@ def setup_openssl_environment() -> None:
 # out of their asses and implement a common location for SSL certificates.
 # It's not that hard people, there exists a wonderful tool called the symlink
 # See https://www.mobileread.com/forums/showthread.php?t=256095
- if 'SSL_CERT_FILE' not in os.environ and 'SSL_CERT_DIR' not in os.environ:
- if os.access('/etc/pki/tls/certs/ca-bundle.crt', os.R_OK):
- os.environ['SSL_CERT_FILE'] = '/etc/pki/tls/certs/ca-bundle.crt'
+ #
+ # Also load bundled certs on macOS since Apple tries to make everyone use
+ # their NIH SSL library instead of OpenSSL.
+ if 'SSL_CERT_FILE' in os.environ or 'SSL_CERT_DIR' in os.environ:
+ return
+ candidates = ['/etc/pki/tls/certs/ca-bundle.crt']
+ ext_dir = getattr(sys, 'kitty_extensions_dir', '')
+ if ext_dir:
+ if 'darwin' in sys.platform.lower():
+ d = os.path.dirname
+ candidates.append(os.path.join(d(d(d(ext_dir))), 'cacert.pem'))
+ for q in candidates:
+ if os.access(q, os.R_OK):
+ os.environ['SSL_CERT_FILE'] = q
 setattr(sys, 'kitty_ssl_env_var', 'SSL_CERT_FILE')
- elif os.path.isdir('/etc/ssl/certs'):
- os.environ['SSL_CERT_DIR'] = '/etc/ssl/certs'
- setattr(sys, 'kitty_ssl_env_var', 'SSL_CERT_DIR')
+ return
+ if os.path.isdir('/etc/ssl/certs'):
+ os.environ['SSL_CERT_DIR'] = '/etc/ssl/certs'
+ setattr(sys, 'kitty_ssl_env_var', 'SSL_CERT_DIR')
 def main() -> None:
- if getattr(sys, 'frozen', False) and 'darwin' not in sys.platform.lower():
+ if getattr(sys, 'frozen', False):
 setup_openssl_environment()
 first_arg = '' if len(sys.argv) < 2 else sys.argv[1]
 func = entry_points.get(first_arg)
diff --git a/bypy/macos/__main__.py b/bypy/macos/__main__.py
index f4ac54699..6ecbac021 100644
--- a/bypy/macos/__main__.py
+++ b/bypy/macos/__main__.py
@@ -170,6 +170,7 @@ class Freeze(object):
 self.add_stdlib()
 self.add_misc_libraries()
 self.freeze_python()
+ self.add_ca_certs()
 if not self.dont_strip:
 self.strip_files()
 if not self.skip_tests:
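Review bot: In `setup_openssl_environment` (top-level `__main__.py`), the bundled trust store is found via `d(d(d(ext_dir)))`, with nothing tying those three levels to where `add_ca_certs()` in `bypy/macos/__main__.py` writes `Resources/cacert.pem`. If the bundle layout changes, the lookup silently misses and falls through to the `/etc/ssl/certs` check. A comment on that line would keep the two sides in sync, for example `# three levels up from the extensions dir is the bundle's Resources dir, where bypy/macos add_ca_certs() writes cacert.pem` (the exact layout is not visible here, so confirm before wording it). Separately, `/etc/pki/tls/certs/ca-bundle.crt` stays first in `candidates` on macOS, so any readable file at that path takes precedence over the shipped store; `candidates.insert(0, ...)` in the darwin branch would make the bundled file authoritative there. The start of the function lies outside the hunk.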
@@ -180,6 +181,16 @@ class Freeze(object):
 return ret
+ @flush
+ def add_ca_certs(self):
+ print('\nDownloading CA certs...')
+ from urllib.request import urlopen
+ ca_certs_url = 'https://curl.haxx.se/ca/cacert.pem'
+ certs = urlopen(ca_certs_url).read()
+ dest = os.path.join(self.contents_dir, 'Resources', 'cacert.pem')
+ with open(dest, 'wb') as f:
+ f.write(certs)
+
 @flush
 def strip_files(self):
 print('\nStripping files...')
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 8367783c3..252c0e562 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -4,6 +4,13 @@ Changelog
 |kitty| is a feature-rich, cross-platform, *fast*, GPU based terminal. To update |kitty|, :doc:`follow the instructions `.
+0.23.1 [future]
+----------------------
+
+- macOS: Fix themes kitten failing to download themes because of missing SSL
+ certificates (:iss:`3936`)
+
+- A new :doc:`themes kitten ` to easily change kitty themes.
 0.23.0 [2021-08-16]
 ----------------------
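Review bot: `add_ca_certs` in `bypy/macos/__main__.py` ships whatever `https://curl.haxx.se/ca/cacert.pem` returns at build time as the root store of the macOS bundle, with no digest check, no sanity check on the content and no timeout on `urlopen`. The release's trust anchors therefore depend on the state of that host and of the build machine's network on the day of the build, builds are not reproducible, and an empty or truncated response would be written out as-is. Pin the bundle to a SHA-256 checked into the repository and fail the build on mismatch, so that refreshing the CA list becomes a reviewed change (the sketch assumes `hashlib` is in scope; the digest value is a placeholder). The response object is also never closed, which `with urlopen(...) as resp:` fixes.

```python
    @flush
    def add_ca_certs(self):
        # … unchanged: progress message, urlopen import, ca_certs_url …
        # Placeholder: SHA-256 of the reviewed bundle; update it together with the bundle.
        expected_sha256 = '<sha256-of-reviewed-cacert.pem>'
        with urlopen(ca_certs_url, timeout=60) as resp:
            certs = resp.read()
        actual_sha256 = hashlib.sha256(certs).hexdigest()
        if actual_sha256 != expected_sha256:
            raise SystemExit(f'cacert.pem digest mismatch: got {actual_sha256}')
        if b'-----BEGIN CERTIFICATE-----' not in certs:
            raise SystemExit('cacert.pem does not look like a PEM bundle')
        # … unchanged: write certs to Resources/cacert.pem …
```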