Use bundled CA certs on Linux binary builds as well

Makes it consistent with macOS

__main__.py

@@ -119,41 +119,21 @@ namespaced_entry_points['complete'] = complete
 
 
 def setup_openssl_environment() -> None:
-    # Workaround for Linux distros that have still failed to get their heads
+    # Use our bundled CA certificates instead of the system ones, since
-    # out of their asses and implement a common location for SSL certificates.
+    # many systems come with no certificates in a useable form or have various
-    # It's not that hard people, there exists a wonderful tool called the symlink
+    # locations for the certificates.
-    # See https://www.mobileread.com/forums/showthread.php?t=256095
-    #
-    # Also load bundled certs on macOS since Apple tries to make everyone use
-    # their NIH SSL library instead of OpenSSL.
-    if 'SSL_CERT_FILE' in os.environ or 'SSL_CERT_DIR' in os.environ:
-        return
     d = os.path.dirname
-    candidates: tuple = ()
+    ext_dir: str = getattr(sys, 'kitty_extensions_dir')
     if 'darwin' in sys.platform.lower():
-        ext_dir = getattr(sys, 'kitty_extensions_dir', '')
+        cert_file = os.path.join(d(d(d(ext_dir))), 'cacert.pem')
-        if ext_dir:
-            candidates = (os.path.join(d(d(d(ext_dir))), 'cacert.pem'),)
     else:
-        candidates = (
+        cert_file = os.path.join(d(ext_dir), 'cacert.pem')
-            '/etc/ssl/certs/ca-certificates.crt',  # Debian/Ubuntu/Arch/Gentoo etc.
+    os.environ['SSL_CERT_FILE'] = cert_file
-            "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"  # RHEL 7
+    setattr(sys, 'kitty_ssl_env_var', 'SSL_CERT_FILE')
-            '/etc/pki/tls/certs/ca-bundle.crt',    # Fedora/RHEL 6
-            '/etc/ssl/ca-bundle.pem',              # OpenSUSE
-            "/etc/pki/tls/cacert.pem",             # OpenELEC
-        )
-    for q in candidates:
-        if os.access(q, os.R_OK):
-            os.environ['SSL_CERT_FILE'] = q
-            setattr(sys, 'kitty_ssl_env_var', 'SSL_CERT_FILE')
-            return
-    if os.path.isdir('/etc/ssl/certs'):
-        os.environ['SSL_CERT_DIR'] = '/etc/ssl/certs'
-        setattr(sys, 'kitty_ssl_env_var', 'SSL_CERT_DIR')
 
 
 def main() -> None:
-    if getattr(sys, 'frozen', False):
+    if getattr(sys, 'frozen', False) and getattr(sys, 'kitty_extensions_dir', ''):
         setup_openssl_environment()
     first_arg = '' if len(sys.argv) < 2 else sys.argv[1]
     func = entry_points.get(first_arg)

bypy/linux/__main__.py

@@ -92,6 +92,15 @@ def copy_libs(env):
         subprocess.check_call(['chrpath', '-d', dest])
 
 
+def add_ca_certs(env):
+    print('Downloading CA certs...')
+    from urllib.request import urlopen
+    certs = urlopen(kitty_constants['cacerts_url']).read()
+    dest = os.path.join(env.lib_dir, 'cacert.pem')
+    with open(dest, 'wb') as f:
+        f.write(certs)
+
+
 def copy_python(env):
     print('Copying python...')
     srcdir = j(PREFIX, 'lib/python' + py_ver)
@@ -220,6 +229,7 @@ def main():
     build_launcher(env)
     files = find_binaries(env)
     fix_permissions(files)
+    add_ca_certs(env)
     if not args.dont_strip:
         strip_binaries(files)
     if not args.skip_tests:

kitty_tests/check_build.py

@@ -58,9 +58,6 @@ class TestBuild(BaseTest):
         import sys
         if not getattr(sys, 'frozen', False):
             self.skipTest('CA certificates are only tested on frozen builds')
-        from kitty.constants import is_macos
-        if not is_macos:
-            self.skipTest('CA certificates are only bundled on macOS')
         c = ssl.create_default_context()
         self.assertGreater(c.cert_store_stats()['x509_ca'], 2)