Bug 1826520 - Allow rh-python36-python-pip to use system CA certificate Trust
Summary: Allow rh-python36-python-pip to use system CA certificate Trust
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Software Collections
Classification: Red Hat
Component: python-pip
Version: rh-python36
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 3.6
Assignee: Charalampos Stratakis
QA Contact: Lukáš Zachar
URL:
Whiteboard:
Duplicates: 1774999
Depends On:
Blocks:
Reported: 2020-04-21 20:53 UTC by Alena
Modified: 2020-10-21 14:20 UTC (History)

Fixed In Version: rh-python36-python-pip-9.0.1-4.el7 rh-python36-python-pip-9.0.1-4.el6
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-19 18:05:51 UTC
Target Upstream Version:


Attachments (Terms of Use)
full patch since the post truncated (2.67 KB, patch)
2020-04-28 15:32 UTC, James E. Flemer
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4285 0 None None None 2020-10-19 18:06:28 UTC

Description Alena 2020-04-21 20:53:59 UTC
Description of problem:

1. For package rh-python36-python-pip include patch from python-pip for system CA cert trust.

====================
---
 SOURCES/dummy-certifi.patch | 13 +++++++++++++
 SPECS/python-pip.spec       | 14 +++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/dummy-certifi.patch

diff --git a/SOURCES/dummy-certifi.patch b/SOURCES/dummy-certifi.patch
new file mode 100644
index 0000000..4afc3d8
--- /dev/null
+++ b/SOURCES/dummy-certifi.patch
@@ -0,0 +1,13 @@
+--- pip-9.0.1/pip/_vendor/requests/certs.py	2016-11-06 18:49:45.000000000 +0000
++++ dummy-certifi/pip/_vendor/requests/certs.py	2020-04-16 12:48:44.206090267 +0000
+@@ -18,8 +18,8 @@
+ except ImportError:
+     def where():
+         """Return the preferred certificate bundle."""
+-        # vendored bundle inside Requests
+-        return os.path.join(os.path.dirname(__file__), 'cacert.pem')
++        # system CA certs
++        return '/etc/pki/tls/certs/ca-bundle.crt'
+ 
+ if __name__ == '__main__':
+     print(where())
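Review bot: the replacement `where()` body returns the hardcoded `/etc/pki/tls/certs/ca-bundle.crt` with no existence check, and it sits under the `except ImportError:` branch, so it only takes effect when `certifi` is not importable; if a `certifi` package is present in the SCL, its own `where()` wins and the system bundle is never consulted. State both conditions in the patch header (which currently has no description), and consider a guard such as `if os.path.exists(...)` is not needed only if the spec guarantees the file is installed; otherwise an HTTPS fetch on a minimal system fails with a file-not-found error instead of any fallback.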
diff --git a/SPECS/python-pip.spec b/SPECS/python-pip.spec
index d6dbcb7..94b2fd8 100644
--- a/SPECS/python-pip.spec
+++ b/SPECS/python-pip.spec
@@ -15,7 +15,7 @@
 
 Name:           %{?scl_prefix}python-%{srcname}
 Version:        9.0.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A tool for installing and managing Python packages
 
 Group:          Development/Libraries
@@ -24,6 +24,10 @@ URL:            http://www.pip-installer.org
 Source0:        https://files.pythonhosted.org/packages/source/p/pip/%{srcname}-%{version}.tar.gz
 Patch0:         allow-stripping-given-prefix-from-wheel-RECORD-files.patch
 
+# Use the system level root certificate instead of the one bundled in certifi
+# https://bugzilla.redhat.com/show_bug.cgi?id=1655253
+Patch1:         dummy-certifi.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildArch:      noarch
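Review bot: `Patch1` makes the package depend at runtime on a file it does not own, `/etc/pki/tls/certs/ca-bundle.crt`, but no corresponding `Requires:` on the package that ships that bundle (`ca-certificates` on RHEL) is added here; without it, an installation that lacks that package gets a pip whose TLS verification cannot even open its trust store. The comment also cites bug 1655253 only; adding this bug's id (1826520) next to it keeps the spec history traceable to the SCL request.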
@@ -47,6 +51,11 @@ easy_installable should be pip-installable as well.
 %setup -q -n %{srcname}-%{version}
 
 %patch0 -p1
+%patch1 -p1
+
+# this goes together with patch1
+rm pip/_vendor/*/*.pem
+sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt
 
 %{__sed} -i '1d' pip/__init__.py
 %{?scl:EOF}
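Review bot: the comment `# this goes together with patch1` does not say why `rm pip/_vendor/*/*.pem` and the `sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt` are needed; spell out that deleting the vendored `cacert.pem` makes the Patch1 fallback the only CA source and that the `sed` keeps `SOURCES.txt` consistent with the removed file. Note also that the unquoted glob makes `rm` abort `%prep` if a rebase relocates the bundle, which is the right loud failure but worth documenting so the next maintainer does not simply remove the line.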
@@ -88,6 +97,9 @@ pip3 install -I dist/%{python3_wheelname} --root %{buildroot} --strip-file-prefi
 %{python3_sitelib}/pip*
 
 %changelog

+- include patch from python-pip for system CA cert trust
...
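Review bot: the `%changelog` hunk is truncated at `...` (its header `-88,6 +97,9` announces three added lines, only the `+- include patch ...` bullet is shown) and lacks the `* <date> <author> - 9.0.1-3` entry header that must match the `Release: 3%{?dist}` bump earlier in the patch; review the complete entry from attachment 1682540 (comment 2) before applying.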

===========================================

2. List any affected packages or components:

rh-python36-python-pip

3. How reproducible:

  > Able to reproduce by comparing the output of these two commands:

# scl enable rh-python36 'python -mpip._vendor.requests.certs'
 
# python3 -mpip._vendor.requests.certs

  > Actual results:

The output if pip is using bundled certs is:

/opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/pip/_vendor/requests/cacert.pem

Versus system certs:

/etc/pki/tls/certs/ca-bundle.crt


4. Why does the customer need this? (List the business requirements here)

To be able to access private secure pip/PyPI repos without running into issues validating certificates.

Comment 2 James E. Flemer 2020-04-28 15:32:49 UTC
Created attachment 1682540 [details]
full patch since the post truncated

Comment 3 Petr Viktorin 2020-05-20 12:25:23 UTC
We intend to fix this in the next SCL async release.

Comment 5 Charalampos Stratakis 2020-09-16 13:05:36 UTC
*** Bug 1774999 has been marked as a duplicate of this bug. ***

Comment 6 Charalampos Stratakis 2020-09-16 13:34:49 UTC
Reproducer:

$ scl enable rh-python36 'python -m pip._vendor.requests.certs' returns /opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/pip/_vendor/requests/cacert.pem , the bundled cert. It should return /etc/pki/tls/certs/ca-bundle.crt
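The reproducer above and in the description compares the path that `pip._vendor.requests.certs` resolves against the system bundle. The script below is an added example, not code from the bug report, the attached patch or the python-pip package; it generalises that check so it can run under any interpreter (SCL or not): it classifies the resolved path as the system bundle, the vendored bundle inside the pip tree, or something else (for instance a site-installed `certifi` whose `where()` took precedence over the `ImportError` fallback), and it reports whether the file actually exists, which matters because the patched `where()` hardcodes the path with no fallback. The only value taken from the report is `/etc/pki/tls/certs/ca-bundle.crt`; the function names and the sample paths are constructed for this example.

```python
"""Audit which CA bundle pip's vendored requests will trust.

Added example (assumed names and sample paths); not part of the bug report
or the python-pip package.  The system bundle path comes from the report.
"""
import importlib
import os

# System-wide trust store the patch points where() at (path from the report).
SYSTEM_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"


def classify_bundle(where_path, pip_root, system_bundle=SYSTEM_BUNDLE):
    """Classify the path returned by certs.where().

    Returns "system" when it is the system bundle, "bundled" when it lies
    inside the pip package tree (the vendored cacert.pem the report flags),
    and "other" for anything else, e.g. a site-installed certifi whose own
    where() won over the ImportError fallback that the patch modifies.
    """
    path = os.path.normpath(where_path)
    root = os.path.normpath(pip_root)
    if path == os.path.normpath(system_bundle):
        return "system"
    try:
        inside_pip = os.path.commonpath([path, root]) == root
    except ValueError:  # mixed absolute/relative paths cannot be compared
        inside_pip = False
    return "bundled" if inside_pip else "other"


def resolve_pip_bundle():
    """Import pip's vendored requests.certs and return (where_path, pip_root).

    Returns None when pip, or that vendored module, is not importable in the
    interpreter running this script (so the script works outside the SCL).
    """
    try:
        certs = importlib.import_module("pip._vendor.requests.certs")
        pip_pkg = importlib.import_module("pip")
    except ImportError:
        return None
    return certs.where(), os.path.dirname(os.path.abspath(pip_pkg.__file__))


def audit(system_bundle=SYSTEM_BUNDLE):
    """Describe the trust store pip will use in this interpreter.

    The "exists" field is the caveat the hardcoded path introduces: if the
    file is absent, TLS verification fails with a file-not-found error rather
    than silently falling back to any bundled certificates.
    """
    resolved = resolve_pip_bundle()
    if resolved is None:
        return {"kind": "unavailable", "path": None, "exists": False}
    where_path, pip_root = resolved
    return {
        "kind": classify_bundle(where_path, pip_root, system_bundle),
        "path": where_path,
        "exists": os.path.isfile(where_path),
    }


if __name__ == "__main__":
    report = audit()
    print("pip CA bundle: {path} ({kind}, exists={exists})".format(**report))
```

Run it with the interpreter whose pip you want to audit (for the SCL case, under `scl enable rh-python36`); a result of `bundled` means private CAs added to the system trust store are not honoured by that pip, and `system` with `exists=False` means the trust store file the patch relies on is missing.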

Comment 17 errata-xmlrpc 2020-10-19 18:05:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: rh-python36 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4285

