Patchwork [STABLE,v2] sslutil: guard against broken certifi installations (issue5406)

Submitter Gábor Stefanik
Date Oct. 24, 2016, 10:19 a.m.
Message ID <c3fe0e56546a44a79613.1477304354@waste.org>
Permalink /patch/17184/
State Accepted

Comments

Gábor Stefanik - Oct. 24, 2016, 10:19 a.m.
# HG changeset patch
# User Gábor Stefanik <gabor.stefanik@nng.com>
# Date 1476893174 -7200
#      Wed Oct 19 18:06:14 2016 +0200
# Branch stable
# Node ID c3fe0e56546a44a7961354d4840cdcb82cbecefc
# Parent  76c57e1fe79b0980b377b4f305635dea393d6315
sslutil: guard against broken certifi installations (issue5406)

Certifi is currently incompatible with py2exe; the Python code for certifi gets
included in library.zip, but not the cacert.pem file - and even if it were
included, SSLContext can't load a cacert.pem file from library.zip.
This currently makes it impossible to build a standalone Windows version of
Mercurial.

Guard against this, and possibly other situations where a module with the name
"certifi" exists, but is not usable.
Yuya Nishihara - Oct. 26, 2016, 1:06 p.m.
On Mon, 24 Oct 2016 05:19:14 -0500, Gábor Stefanik wrote:
> # HG changeset patch
> # User Gábor Stefanik <gabor.stefanik@nng.com>
> # Date 1476893174 -7200
> #      Wed Oct 19 18:06:14 2016 +0200
> # Branch stable
> # Node ID c3fe0e56546a44a7961354d4840cdcb82cbecefc
> # Parent  76c57e1fe79b0980b377b4f305635dea393d6315
> sslutil: guard against broken certifi installations (issue5406)
> 
> Certifi is currently incompatible with py2exe; the Python code for certifi gets
> included in library.zip, but not the cacert.pem file - and even if it were
> included, SSLContext can't load a cacert.pem file from library.zip.
> This currently makes it impossible to build a standalone Windows version of
> Mercurial.
> 
> Guard against this, and possibly other situations where a module with the name
> "certifi" exists, but is not usable.

Sounds good. Queued for stable, thanks.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -690,14 +690,15 @@ 
     We don't print a message when the Python is able to load default
     CA certs because this scenario is detected at socket connect time.
     """
-    # The "certifi" Python package provides certificates. If it is installed,
-    # assume the user intends it to be used and use it.
+    # The "certifi" Python package provides certificates. If it is installed
+    # and usable, assume the user intends it to be used and use it.
     try:
         import certifi
         certs = certifi.where()
-        ui.debug('using ca certificates from certifi\n')
-        return certs
-    except ImportError:
+        if os.path.exists(certs):
+            ui.debug('using ca certificates from certifi\n')
+            return certs
+    except (ImportError, AttributeError):
         pass
 
     # On Windows, only the modern ssl module is capable of loading the system
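
Review bot: In the new `if os.path.exists(certs):` branch, a certifi module whose bundle file is missing now falls through without any message, so the CA source changes with no trace in debug output; consider an else branch with a `ui.debug` line saying certifi was found but the path returned by `certifi.where()` does not exist. `os.path.exists` is also true for a directory, so `os.path.isfile(certs)` would match the intent more closely. The widened `except (ImportError, AttributeError):` covers the whole try body, so a short comment stating which broken-certifi case AttributeError is meant to catch would help the next reader.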