Bug 1826520
| Summary: | Allow rh-python36-python-pip to use system CA certificate Trust | | |
|---|---|---|---|
| Product: | Red Hat Software Collections | Reporter: | Alena <alrodrig> |
| Component: | python-pip | Assignee: | Charalampos Stratakis <cstratak> |
| Status: | CLOSED ERRATA | QA Contact: | Lukáš Zachar <lzachar> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rh-python36 | CC: | bmikulov, cstratak, jflemer, pviktori, thoger, torsava |
| Target Milestone: | --- | Keywords: | Reproducer |
| Target Release: | 3.6 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | rh-python36-python-pip-9.0.1-4.el7 rh-python36-python-pip-9.0.1-4.el6 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-10-19 18:05:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Created attachment 1682540 [details]
full patch since the post truncated
We intend to fix this in the next SCL async release.

*** Bug 1774999 has been marked as a duplicate of this bug. ***

Reproducer:

$ scl enable rh-python36 'python -m pip._vendor.requests.certs'

returns /opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/pip/_vendor/requests/cacert.pem, the bundled cert.

It should return /etc/pki/tls/certs/ca-bundle.crt

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: rh-python36 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4285
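The reproducer above asks one installed interpreter which bundle it resolves. As an added example (not part of the bug report, the patch, or pip), the script below makes the same check statically on a pip package directory: it reports what the fallback `where()` in `_vendor/requests/certs.py` returns and whether any `.pem` files remain under `_vendor`. The function names, the `FALLBACK` sample source and the tree built by `make_tree` are constructed for illustration.

```python
import ast
import os
import tempfile

SYSTEM_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"  # expected path, from the bug report

def where_literal(source):
    """Return the string literal that where() returns, or None if it is computed."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef) and node.name == "where":
            rets = [n.value for n in ast.walk(node) if isinstance(n, ast.Return)]
            if len(rets) == 1 and isinstance(rets[0], ast.Constant):
                return rets[0].value if isinstance(rets[0].value, str) else None
    return None

def audit(pip_dir):
    """Inspect a pip package directory without importing or running it."""
    vendor = os.path.join(pip_dir, "_vendor")
    pems = sorted(os.path.relpath(os.path.join(root, name), pip_dir)
                  for root, _dirs, files in os.walk(vendor)
                  for name in files if name.endswith(".pem"))
    with open(os.path.join(vendor, "requests", "certs.py")) as fh:
        target = where_literal(fh.read())
    # Only the fallback where() is checked; an importable override would win.
    return {"bundled_pems": pems, "where_returns": target,
            "uses_system_trust": target == SYSTEM_BUNDLE and not pems}

# Constructed sample: the shape of the certs.py fallback before and after the patch.
FALLBACK = ("try:\n    from certifi import where\n"
            "except ImportError:\n    def where():\n        return %s\n")
BEFORE = FALLBACK % "os.path.join(os.path.dirname(__file__), 'cacert.pem')"
AFTER = FALLBACK % repr(SYSTEM_BUNDLE)

def make_tree(base, source, with_pem):
    """Build a minimal constructed pip/ tree under base and return its path."""
    req = os.path.join(base, "pip", "_vendor", "requests")
    os.makedirs(req)
    with open(os.path.join(req, "certs.py"), "w") as fh:
        fh.write(source)
    if with_pem:
        open(os.path.join(req, "cacert.pem"), "w").close()
    return os.path.join(base, "pip")

if __name__ == "__main__":
    for label, src, pem in (("unpatched", BEFORE, True), ("patched", AFTER, False)):
        with tempfile.TemporaryDirectory() as tmp:
            print(label, audit(make_tree(tmp, src, pem)))
```

A tree that has the patched `certs.py` but still ships a `.pem` is reported as not using system trust, which catches a build where the patch applied but the `rm` step did not run.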
Description of problem: 1. For package rh-python36-python-pip include patch from python-pip for system CA cert trust. ==================== --- SOURCES/dummy-certifi.patch | 13 +++++++++++++ SPECS/python-pip.spec | 14 +++++++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 SOURCES/dummy-certifi.patch diff --git a/SOURCES/dummy-certifi.patch b/SOURCES/dummy-certifi.patch new file mode 100644 index 0000000..4afc3d8 --- /dev/null +++ b/SOURCES/dummy-certifi.patch @@ -0,0 +1,13 @@ +--- pip-9.0.1/pip/_vendor/requests/certs.py 2016-11-06 18:49:45.000000000 +0000 ++++ dummy-certifi/pip/_vendor/requests/certs.py 2020-04-16 12:48:44.206090267 +0000 +@@ -18,8 +18,8 @@ + except ImportError: + def where(): + """Return the preferred certificate bundle.""" +- # vendored bundle inside Requests +- return os.path.join(os.path.dirname(__file__), 'cacert.pem') ++ # system CA certs ++ return '/etc/pki/tls/certs/ca-bundle.crt' + + if __name__ == '__main__': + print(where()) diff --git a/SPECS/python-pip.spec b/SPECS/python-pip.spec index d6dbcb7..94b2fd8 100644 --- a/SPECS/python-pip.spec +++ b/SPECS/python-pip.spec @@ -15,7 +15,7 @@ Name: %{?scl_prefix}python-%{srcname} Version: 9.0.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A tool for installing and managing Python packages Group: Development/Libraries @@ -24,6 +24,10 @@ URL: http://www.pip-installer.org Source0: https://files.pythonhosted.org/packages/source/p/pip/%{srcname}-%{version}.tar.gz Patch0: allow-stripping-given-prefix-from-wheel-RECORD-files.patch +# Use the system level root certificate instead of the one bundled in certifi +# https://bugzilla.redhat.com/show_bug.cgi?id=1655253 +Patch1: dummy-certifi.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch 
@@ -47,6 +51,11 @@ easy_installable should be pip-installable as well. %setup -q -n %{srcname}-%{version} %patch0 -p1 +%patch1 -p1 + +# this goes together with patch1 +rm pip/_vendor/*/*.pem +sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt %{__sed} -i '1d' pip/__init__.py %{?scl:EOF} @@ -88,6 +97,9 @@ pip3 install -I dist/%{python3_wheelname} --root %{buildroot} --strip-file-prefi %{python3_sitelib}/pip* %changelog +- include patch from python-pip for system CA cert trust ... =========================================== 2. List any affected packages or components: rh-python36-python-pip 3. How reproducible: > Able to reproduce by comparing the output of these two commands: # scl enable rh-python36 'python -mpip._vendor.requests.certs' # python3 -mpip._vendor.requests.certs > Actual results: The output if pip is using bundled certs is: /opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/pip/_vendor/requests/cacert.pem Versus system certs: /etc/pki/tls/certs/ca-bundle.crt 4. Why does the customer need this? (List the business requirements here) To be able to access private secure pip/pypy repos without running into issues validating certificate.
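Review bot: In SOURCES/dummy-certifi.patch the replaced `return` sits inside the `except ImportError:` fallback of `pip/_vendor/requests/certs.py`, so the system bundle is used only when the import in the `try` above the visible context fails. Say so in the patch comment, or make sure in the spec that nothing importable can take precedence. The hard-coded `/etc/pki/tls/certs/ca-bundle.crt` is returned without checking that the file exists, so a host without it will fail later with a TLS verification error that does not name the path. A short note in the patch header explaining the dependency on that file would help whoever debugs it.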
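Review bot: The comment above `Patch1:` in SPECS/python-pip.spec describes the replaced bundle as "the one bundled in certifi", but dummy-certifi.patch edits `pip/_vendor/requests/certs.py`, and the comment it removes calls it the "vendored bundle inside Requests". Reword the spec comment to name the vendored Requests bundle so the comment and the patch agree. The comment cites bug 1655253 only; adding this bug's number next to it would tie the SCL change to its own report.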
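Review bot: In the `%prep` hunk of SPECS/python-pip.spec, `rm pip/_vendor/*/*.pem` deletes every `.pem` one directory below `pip/_vendor`, while patch1 redirects only `requests/certs.py`. Any other vendored package that opens its own `.pem` directly would break at run time, so either name the file(s) explicitly or extend the comment to state that the Requests bundle is the only match. None of the visible spec hunks adds a runtime dependency on the package that provides `/etc/pki/tls/certs/ca-bundle.crt`; add one if the spec does not already declare it elsewhere.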
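Review bot: The `%changelog` line added in the last spec hunk, `- include patch from python-pip for system CA cert trust`, carries no bug reference. Append the Bugzilla number so the entry can be traced from the package changelog, as the `Patch1` comment already does for the patch itself.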