From f0e7344bc820af7347822e88a7d0767fe77caa87 Mon Sep 17 00:00:00 2001
From: Kovid Goyal
Date: Mon, 16 Aug 2021 22:47:53 +0530
Subject: [PATCH] Use bundled CA certs on Linux binary builds as well

Makes it consistent with macOS
---
 __main__.py | 38 +++++++++-----------------------------
 bypy/linux/__main__.py | 10 ++++++++++
 kitty_tests/check_build.py | 3 ---
 3 files changed, 19 insertions(+), 32 deletions(-)

diff --git a/__main__.py b/__main__.py
index b6090ad1a..d133efb79 100644
--- a/__main__.py
+++ b/__main__.py
@@ -119,41 +119,21 @@ namespaced_entry_points['complete'] = complete
 def setup_openssl_environment() -> None:
-    # Workaround for Linux distros that have still failed to get their heads
-    # out of their asses and implement a common location for SSL certificates.
-    # It's not that hard people, there exists a wonderful tool called the symlink
-    # See https://www.mobileread.com/forums/showthread.php?t=256095
-    #
-    # Also load bundled certs on macOS since Apple tries to make everyone use
-    # their NIH SSL library instead of OpenSSL.
-    if 'SSL_CERT_FILE' in os.environ or 'SSL_CERT_DIR' in os.environ:
-        return
+    # Use our bundled CA certificates instead of the system ones, since
+    # many systems come with no certificates in a useable form or have various
+    # locations for the certificates.
     d = os.path.dirname
-    candidates: tuple = ()
+    ext_dir: str = getattr(sys, 'kitty_extensions_dir')
     if 'darwin' in sys.platform.lower():
-        ext_dir = getattr(sys, 'kitty_extensions_dir', '')
-        if ext_dir:
-            candidates = (os.path.join(d(d(d(ext_dir))), 'cacert.pem'),)
+        cert_file = os.path.join(d(d(d(ext_dir))), 'cacert.pem')
     else:
-        candidates = (
-            '/etc/ssl/certs/ca-certificates.crt',  # Debian/Ubuntu/Arch/Gentoo etc.
-            "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"  # RHEL 7
-            '/etc/pki/tls/certs/ca-bundle.crt',  # Fedora/RHEL 6
-            '/etc/ssl/ca-bundle.pem',  # OpenSUSE
-            "/etc/pki/tls/cacert.pem",  # OpenELEC
-        )
-        for q in candidates:
-            if os.access(q, os.R_OK):
-                os.environ['SSL_CERT_FILE'] = q
-                setattr(sys, 'kitty_ssl_env_var', 'SSL_CERT_FILE')
-                return
-        if os.path.isdir('/etc/ssl/certs'):
-            os.environ['SSL_CERT_DIR'] = '/etc/ssl/certs'
-            setattr(sys, 'kitty_ssl_env_var', 'SSL_CERT_DIR')
+        cert_file = os.path.join(d(ext_dir), 'cacert.pem')
+    os.environ['SSL_CERT_FILE'] = cert_file
+    setattr(sys, 'kitty_ssl_env_var', 'SSL_CERT_FILE')
 def main() -> None:
-    if getattr(sys, 'frozen', False):
+    if getattr(sys, 'frozen', False) and getattr(sys, 'kitty_extensions_dir', ''):
         setup_openssl_environment()
     first_arg = '' if len(sys.argv) < 2 else sys.argv[1]
     func = entry_points.get(first_arg)
diff --git a/bypy/linux/__main__.py b/bypy/linux/__main__.py
index ce2bc31b3..83e538366 100644
--- a/bypy/linux/__main__.py
+++ b/bypy/linux/__main__.py
@@ -92,6 +92,15 @@ def copy_libs(env):
     subprocess.check_call(['chrpath', '-d', dest])
+def add_ca_certs(env):
+    print('Downloading CA certs...')
+    from urllib.request import urlopen
+    certs = urlopen(kitty_constants['cacerts_url']).read()
+    dest = os.path.join(env.lib_dir, 'cacert.pem')
+    with open(dest, 'wb') as f:
+        f.write(certs)
+
+
 def copy_python(env):
     print('Copying python...')
     srcdir = j(PREFIX, 'lib/python' + py_ver)
@@ -220,6 +229,7 @@ def main():
     build_launcher(env)
     files = find_binaries(env)
     fix_permissions(files)
+    add_ca_certs(env)
     if not args.dont_strip:
         strip_binaries(files)
     if not args.skip_tests:
diff --git a/kitty_tests/check_build.py b/kitty_tests/check_build.py
index d123a0d48..951dcdaaa 100644
--- a/kitty_tests/check_build.py
+++ b/kitty_tests/check_build.py
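Review bot: Dropping the early return on a pre-set `SSL_CERT_FILE`/`SSL_CERT_DIR` means the frozen binary now overwrites whatever trust store the user or administrator configured, so a private CA or an inspecting proxy's CA can no longer be supplied through the standard OpenSSL variables; keeping `if 'SSL_CERT_FILE' in os.environ or 'SSL_CERT_DIR' in os.environ: return` at the top of setup_openssl_environment preserves that control and costs nothing on a normal install. The new code also no longer checks that the bundle exists before exporting it: the removed loop used `os.access(q, os.R_OK)`, whereas a missing or unreadable `cacert.pem` now leaves `SSL_CERT_FILE` pointing at nothing and every later TLS verification fails with a confusing error rather than the variable being left alone, so an `if os.access(cert_file, os.R_OK):` guard around the two assignments would keep the failure obvious. `getattr(sys, 'kitty_extensions_dir')` has no default, which is fine for the guarded call in main() but will raise AttributeError for any other caller; whether such a caller exists is not visible here. main() continues below the hunk.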
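Review bot: add_ca_certs writes whatever `urlopen(kitty_constants['cacerts_url'])` returns straight into the file that becomes the shipped binary's only trust store, without checking that the body is a complete PEM CA bundle or that it matches a known digest, so a truncated response, an error page or a tampered mirror would be packaged silently and every TLS verification in the release would then trust it. urlopen is also called without a timeout, so a stalled connection hangs the build indefinitely. Before writing, verify the content against a digest pinned next to `cacerts_url` in kitty_constants (placeholder name `cacerts_sha256`), or at minimum refuse anything that does not look like a PEM bundle, and fail the build loudly rather than continue. Whether the macOS build script that produces the bundle at `d(d(d(ext_dir)))` already does this is not visible here.
```python
def add_ca_certs(env):
    print('Downloading CA certs...')
    from urllib.request import urlopen
    certs = urlopen(kitty_constants['cacerts_url'], timeout=60).read()
    # This bundle becomes the only trust store of the shipped binary, so refuse
    # to package anything that is not a complete PEM CA bundle.
    if (b'-----BEGIN CERTIFICATE-----' not in certs
            or not certs.rstrip().endswith(b'-----END CERTIFICATE-----')):
        raise SystemExit('Downloaded CA bundle is not a complete PEM bundle')
    # … unchanged: write certs to env.lib_dir/cacert.pem …
```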
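Review bot: `add_ca_certs(env)` runs after `files = find_binaries(env)` and `fix_permissions(files)`, so the cacert.pem it creates is not in `files` and, if fix_permissions is what normalises modes in the tree, the bundle keeps whatever mode the build user's umask gave it; a restrictive umask would then produce a release whose cert file is unreadable and every TLS connection fails. Calling it before `files = find_binaries(env)`, or having add_ca_certs set the file mode explicitly, removes that dependence on the build environment. main() starts and ends outside the hunk.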
@@ -58,9 +58,6 @@ class TestBuild(BaseTest):
         import sys
         if not getattr(sys, 'frozen', False):
             self.skipTest('CA certificates are only tested on frozen builds')
-        from kitty.constants import is_macos
-        if not is_macos:
-            self.skipTest('CA certificates are only bundled on macOS')
         c = ssl.create_default_context()
         self.assertGreater(c.cert_store_stats()['x509_ca'], 2)
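Review bot: With the macOS skip removed, `self.assertGreater(c.cert_store_stats()['x509_ca'], 2)` no longer distinguishes the bundled file from the host's store: on Linux `ssl.create_default_context()` also falls back to OpenSSL's compiled-in default paths, so the test may still pass on a frozen build whose cacert.pem is absent or not honoured as long as the host has system CAs. Pinning the intended behaviour would mean also asserting `self.assertEqual(getattr(sys, 'kitty_ssl_env_var', ''), 'SSL_CERT_FILE')` and `self.assertTrue(os.path.isfile(os.environ['SSL_CERT_FILE']))` (assuming os is imported in this module), so that a missing bundle fails the build check instead of being masked. The enclosing test method starts outside the hunk.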