Description of problem: 1. For package rh-python36-python-pip include patch from python-pip for system CA cert trust. ==================== --- SOURCES/dummy-certifi.patch | 13 +++++++++++++ SPECS/python-pip.spec | 14 +++++++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 SOURCES/dummy-certifi.patch diff --git a/SOURCES/dummy-certifi.patch b/SOURCES/dummy-certifi.patch new file mode 100644 index 0000000..4afc3d8 --- /dev/null +++ b/SOURCES/dummy-certifi.patch @@ -0,0 +1,13 @@ +--- pip-9.0.1/pip/_vendor/requests/certs.py 2016-11-06 18:49:45.000000000 +0000 ++++ dummy-certifi/pip/_vendor/requests/certs.py 2020-04-16 12:48:44.206090267 +0000 +@@ -18,8 +18,8 @@ + except ImportError: + def where(): + """Return the preferred certificate bundle.""" +- # vendored bundle inside Requests +- return os.path.join(os.path.dirname(__file__), 'cacert.pem') ++ # system CA certs ++ return '/etc/pki/tls/certs/ca-bundle.crt' + + if __name__ == '__main__': + print(where()) diff --git a/SPECS/python-pip.spec b/SPECS/python-pip.spec index d6dbcb7..94b2fd8 100644 --- a/SPECS/python-pip.spec +++ b/SPECS/python-pip.spec @@ -15,7 +15,7 @@ Name: %{?scl_prefix}python-%{srcname} Version: 9.0.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A tool for installing and managing Python packages Group: Development/Libraries @@ -24,6 +24,10 @@ URL: http://www.pip-installer.org Source0: https://files.pythonhosted.org/packages/source/p/pip/%{srcname}-%{version}.tar.gz Patch0: allow-stripping-given-prefix-from-wheel-RECORD-files.patch +# Use the system level root certificate instead of the one bundled in certifi +# https://bugzilla.redhat.com/show_bug.cgi?id=1655253 +Patch1: dummy-certifi.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch 
@@ -47,6 +51,11 @@ easy_installable should be pip-installable as well. %setup -q -n %{srcname}-%{version} %patch0 -p1 +%patch1 -p1 + +# this goes together with patch1 +rm pip/_vendor/*/*.pem +sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt %{__sed} -i '1d' pip/__init__.py %{?scl:EOF} @@ -88,6 +97,9 @@ pip3 install -I dist/%{python3_wheelname} --root %{buildroot} --strip-file-prefi %{python3_sitelib}/pip* %changelog +- include patch from python-pip for system CA cert trust ... =========================================== 2. List any affected packages or components: rh-python36-python-pip 3. How reproducible: > Able to reproduce by comparing the output of these two commands: # scl enable rh-python36 'python -mpip._vendor.requests.certs' # python3 -mpip._vendor.requests.certs > Actual results: The output if pip is using bundled certs is: /opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/pip/_vendor/requests/cacert.pem Versus system certs: /etc/pki/tls/certs/ca-bundle.crt 4. Why does the customer need this? (List the business requirements here) To be able to access private secure pip/pypy repos without running into issues validating certificates.
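Review bot: in the dummy-certifi.patch hunk, the hardcoded `return '/etc/pki/tls/certs/ca-bundle.crt'` replaces `where()` only inside the `except ImportError:` fallback of requests/certs.py, so it takes effect only when the certifi import above it fails. The pre-fix reproducer output (.../pip/_vendor/requests/cacert.pem) shows that this fallback is the branch actually taken in rh-python36, which is why the patch works, but that dependency on the import failing should be stated in the patch header comment so a later re-vendoring that makes the certifi import succeed does not silently revert pip to a bundled store.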
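Review bot: in the spec hunk that adds `Patch1: dummy-certifi.patch`, the package now depends on /etc/pki/tls/certs/ca-bundle.crt existing at runtime, but nothing in these hunks adds a `Requires: ca-certificates`; if the spec does not already carry one, add it next to Patch1 so the system bundle is guaranteed to be present when the vendored .pem files are gone.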
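Review bot: in the %setup hunk, `rm pip/_vendor/*/*.pem` removes every vendored .pem, including certifi's own bundle, while dummy-certifi.patch only rewrites the fallback `where()` in requests/certs.py; any code path that imports the vendored certifi directly would then receive a path to a file that no longer exists. Either patch certifi's `where()` to return the same system path or drop the vendored certifi module together with its .pem. The `sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt` line correctly keeps the manifest consistent with the removal.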
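Review bot: the %changelog hunk adds only the bullet `+- include patch from python-pip for system CA cert trust`; an RPM changelog entry needs a header line of the form `* <date> <author> - 9.0.1-3` above it, matching the Release bump from 2 to 3 in the first spec hunk, otherwise the bullet is folded into the previous entry and rpmlint will flag the missing entry for 9.0.1-3.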
Created attachment 1682540: full patch, since the post was truncated
We intend to fix this in the next SCL async release.
*** Bug 1774999 has been marked as a duplicate of this bug. ***
Reproducer: $ scl enable rh-python36 'python -m pip._vendor.requests.certs' returns /opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/pip/_vendor/requests/cacert.pem, the bundled cert. It should return /etc/pki/tls/certs/ca-bundle.crt
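The reproducer above and the one in the original description compare the output of `pip._vendor.requests.certs` by eye. The following is an added verification script, not part of this bug report, that automates the same check after an update: it flags a `where()` result that still points inside pip's vendored tree and confirms the bundle pip will use is readable and non-empty. The two paths are the ones from the reproducer; the PEM sample is constructed for the offline self-test.

```python
import os
import re

# Paths quoted in the bug's reproducer: the bundled bundle versus the system bundle.
BUNDLED = "/opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/pip/_vendor/requests/cacert.pem"
SYSTEM = "/etc/pki/tls/certs/ca-bundle.crt"

# Constructed sample bundle (placeholder body, two certificate blocks) for offline testing.
SAMPLE_BUNDLE = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n" * 2

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def is_vendored_bundle(path):
    """True when requests.certs.where() still points into pip's own vendored
    tree, i.e. pip is trusting its bundled cacert.pem rather than the system store."""
    parts = os.path.normpath(path).split(os.sep)
    return "pip" in parts and "_vendor" in parts


def count_pem_certs(text):
    """Number of CERTIFICATE blocks in a PEM bundle; a sanity check that the
    path pip uses is a real, non-empty bundle and not a dangling location."""
    return len(PEM_CERT.findall(text))


def check_bundle_path(path, read=lambda p: open(p).read()):
    """Return (ok, reason). ok is True only when path lies outside pip's
    vendored tree and the file holds at least one certificate."""
    if is_vendored_bundle(path):
        return False, "pip is using its bundled cacert.pem, not the system CA store"
    try:
        n = count_pem_certs(read(path))
    except OSError as exc:
        return False, f"CA bundle {path} unreadable: {exc}"
    if n == 0:
        return False, f"no certificates found in {path}"
    return True, f"{path} holds {n} certificate(s)"


if __name__ == "__main__":
    # Live check: ask the pip of this interpreter which bundle it uses,
    # the same module the bug's reproducer runs with `python -m`.
    from pip._vendor.requests.certs import where
    ok, reason = check_bundle_path(where())
    print("OK" if ok else "FAIL", reason)
    raise SystemExit(0 if ok else 1)
```

Run it as `scl enable rh-python36 'python check_pip_ca.py'` (assumed file name) to get a non-zero exit status whenever pip is still on the bundled store.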
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: rh-python36 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:4285