Bug 1826520

Summary: Allow rh-python36-python-pip to use system CA certificate Trust
Product: Red Hat Software Collections
Reporter: Alena <alrodrig>
Component: python-pip
Assignee: Charalampos Stratakis <cstratak>
Status: CLOSED ERRATA
QA Contact: Lukáš Zachar <lzachar>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: rh-python36
CC: bmikulov, cstratak, jflemer, pviktori, thoger, torsava
Target Milestone: ---
Keywords: Reproducer
Target Release: 3.6
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: rh-python36-python-pip-9.0.1-4.el7 rh-python36-python-pip-9.0.1-4.el6
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-19 18:05:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
Description | Flags
full patch since the post truncated | none

Description Alena 2020-04-21 20:53:59 UTC
Description of problem:

1. For the package rh-python36-python-pip, include the patch from python-pip for system CA cert trust.

====================
---
 SOURCES/dummy-certifi.patch | 13 +++++++++++++
 SPECS/python-pip.spec       | 14 +++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/dummy-certifi.patch

diff --git a/SOURCES/dummy-certifi.patch b/SOURCES/dummy-certifi.patch
new file mode 100644
index 0000000..4afc3d8
--- /dev/null
+++ b/SOURCES/dummy-certifi.patch
@@ -0,0 +1,13 @@
+--- pip-9.0.1/pip/_vendor/requests/certs.py	2016-11-06 18:49:45.000000000 +0000
++++ dummy-certifi/pip/_vendor/requests/certs.py	2020-04-16 12:48:44.206090267 +0000
+@@ -18,8 +18,8 @@
+ except ImportError:
+     def where():
+         """Return the preferred certificate bundle."""
+-        # vendored bundle inside Requests
+-        return os.path.join(os.path.dirname(__file__), 'cacert.pem')
++        # system CA certs
++        return '/etc/pki/tls/certs/ca-bundle.crt'
+ 
+ if __name__ == '__main__':
+     print(where())
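Review bot: the replacement `where()` lives only in the `except ImportError:` fallback, so the system bundle at `/etc/pki/tls/certs/ca-bundle.crt` is used only when the import in the preceding `try` branch (outside this hunk) fails; if a `certifi` module is importable in the rh-python36 site-packages, its own `where()` wins and pip keeps trusting whatever bundle that module ships. Either patch the `try` branch as well or state in the patch header why the fallback is guaranteed to be the path taken in this build. The `# system CA certs` comment would also be more useful if it named the package that provides that file, since the path is now a hard runtime dependency of pip.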
diff --git a/SPECS/python-pip.spec b/SPECS/python-pip.spec
index d6dbcb7..94b2fd8 100644
--- a/SPECS/python-pip.spec
+++ b/SPECS/python-pip.spec
@@ -15,7 +15,7 @@
 
 Name:           %{?scl_prefix}python-%{srcname}
 Version:        9.0.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A tool for installing and managing Python packages
 
 Group:          Development/Libraries
@@ -24,6 +24,10 @@ URL:            http://www.pip-installer.org
 Source0:        https://files.pythonhosted.org/packages/source/p/pip/%{srcname}-%{version}.tar.gz
 Patch0:         allow-stripping-given-prefix-from-wheel-RECORD-files.patch
 
+# Use the system level root certificate instead of the one bundled in certifi
+# https://bugzilla.redhat.com/show_bug.cgi?id=1655253
+Patch1:         dummy-certifi.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildArch:      noarch
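Review bot: Patch1 hard-codes `/etc/pki/tls/certs/ca-bundle.crt`, but this hunk adds no runtime dependency on the package that ships that file; add a `Requires:` on ca-certificates (the RHEL package providing the bundle) next to the Patch1 comment so that pip on a minimal install cannot end up pointing at a missing CA bundle. The comment should also say that Patch1 only works together with the `.pem` removal in `%prep`, since the two changes are split across hunks and one without the other leaves pip either still using, or unable to find, the vendored bundle.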
@@ -47,6 +51,11 @@ easy_installable should be pip-installable as well.
 %setup -q -n %{srcname}-%{version}
 
 %patch0 -p1
+%patch1 -p1
+
+# this goes together with patch1
+rm pip/_vendor/*/*.pem
+sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt
 
 %{__sed} -i '1d' pip/__init__.py
 %{?scl:EOF}
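Review bot: `rm pip/_vendor/*/*.pem` deletes every vendored bundle under `pip/_vendor`, not just the `pip/_vendor/requests/cacert.pem` that Patch1 stops referencing; any other vendored package that locates its bundle by file path would then fail at runtime. Narrow the glob to the file the patch covers, or at least use `rm -v` so the build log records exactly which files were removed. The `sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt` line is the right companion change and keeps the egg-info consistent with the removed files.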
@@ -88,6 +97,9 @@ pip3 install -I dist/%{python3_wheelname} --root %{buildroot} --strip-file-prefi
 %{python3_sitelib}/pip*
 
 %changelog

+- include patch from python-pip for system CA cert trust
...
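Review bot: the `%changelog` hunk adds only the bullet `- include patch from python-pip for system CA cert trust`; every changelog entry must begin with a `* <weekday> <month> <day> <year> <name> <email> - 9.0.1-3` header line matching the Release bump earlier in the patch, and no such line appears in the visible context (the patch is cut off at `...`, as the reporter's attachment note says). Include the bugzilla number in the entry as well so the change stays traceable from the built package.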

===========================================

2. List any affected packages or components:

rh-python36-python-pip 

3. How reproducible:

  > Able to reproduce by comparing the output of these two commands:

# scl enable rh-python36 'python -mpip._vendor.requests.certs'
 
# python3 -mpip._vendor.requests.certs

  > Actual results:

The output if pip is using bundled certs is:

/opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/pip/_vendor/requests/cacert.pem

Versus system certs:

/etc/pki/tls/certs/ca-bundle.crt


4. Why does the customer need this? (List the business requirements here)

To be able to access private secure pip/PyPI repos without running into issues validating certificates.

Comment 2 James E. Flemer 2020-04-28 15:32:49 UTC
Created attachment 1682540 [details]
full patch since the post truncated

Comment 3 Petr Viktorin (pviktori) 2020-05-20 12:25:23 UTC
We intend to fix this in the next SCL async release.

Comment 5 Charalampos Stratakis 2020-09-16 13:05:36 UTC
*** Bug 1774999 has been marked as a duplicate of this bug. ***

Comment 6 Charalampos Stratakis 2020-09-16 13:34:49 UTC
Reproducer:

$ scl enable rh-python36 'python -m pip._vendor.requests.certs' returns /opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/pip/_vendor/requests/cacert.pem, the bundled cert. It should return /etc/pki/tls/certs/ca-bundle.crt

Comment 17 errata-xmlrpc 2020-10-19 18:05:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: rh-python36 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4285