PEP 518 build dependency installs don't respect --cert command line option #5502

Closed
skylerbunny opened this issue Jun 13, 2018 · 10 comments · Fixed by #13063
Labels: C: network connectivity, good first issue, PEP implementation, type: bug

@skylerbunny

Environment

  • pip version: 10.0.1
  • Python version: Python 2.7.13
  • OS: Debian Stretch (latest)

Description
pip ignores provided --cert options on the command line when it makes an installation attempt on a library that has a pyproject.toml file, meaning PEP 518 build dependencies kick in.

(Note: Whether or not attrs has a valid toml file because there's no [build-system] section present is technically irrelevant, because the failure I'm reporting is related to how pip tries to pull what it derives, not what pip derives to pull.)

Expected behavior
When pip attempts to install PEP 518 build dependencies, it should use any provided --cert or --client-cert option. I tested that it doesn't use --cert. I would guess it probably doesn't use the related --client-cert either.

How to Reproduce

  1. Create a virtualenv to isolate what you're going to be doing.
  2. Create/use a devpi repository with a self-signed certificate in front of it, so the problem can be seen. (Alternatively, I suppose, you could probably purposely move your verify bundle to a nonstandard location, then explicitly specify 'that file' with the --cert command line option even if you used something like https://pypi.python.org/.)
  3. Run pip download --no-binary :all: --index-url https://my-devpi-server/myindex/+simple/ --cert /etc/ssl/certs/ca-certificates.crt attrs
  4. The source file will successfully download. Then it will attempt to install build dependencies, which fails on a CERTIFICATE_VERIFY_FAILED error.

Output

(Note that my-index has root/pypi as an index parent, so that redirection would be expected.)

(temp) wheel-builder@build1:~/temp$ pip download --no-binary :all: --index-url https://my-devpi-server/my-index/+simple/ --cert /etc/ssl/certs/ca-certificates.crt attrs
Looking in indexes: https://my-devpi-server/my-index/+simple/
Collecting attrs
  Downloading https://my-devpi-server/root/pypi/+f/e0d/0eb91441a3b53/attrs-18.1.0.tar.gz (106kB)
  Saved ./attrs-18.1.0.tar.gz
  Installing build dependencies ... error
  Complete output from command /var/lib/wheel-builder/temp/bin/python2 -m pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-QsBWnb https://my-devpi-server/root/pypi/+f/8fc/a9275c89964f1/setuptools-39.2.0-py2.py3-none-any.whl#sha256=8fca9275c89964f13da985c3656cb00ba029d7f3916b37990927ffdf264e7926 https://my-devpi-server/root/pypi/+f/800/44e51ec5bbf6c/wheel-0.31.1-py2.py3-none-any.whl#sha256=80044e51ec5bbf6c894ba0bc48d26a8c20a9ba629f4ca19ea26ecfcf87685f5f:
  Collecting setuptools==39.2.0 from https://my-devpi-server/root/pypi/+f/8fc/a9275c89964f1/setuptools-39.2.0-py2.py3-none-any.whl#sha256=8fca9275c89964f13da985c3656cb00ba029d7f3916b37990927ffdf264e7926
    Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),)': /root/pypi/+f/8fc/a9275c89964f1/setuptools-39.2.0-py2.py3-none-any.whl
(((Repeats four more times)))
  Could not install packages due to an EnvironmentError: HTTPSConnectionPool(host='my-devpi-server', port=443): Max retries exceeded with url: /root/pypi/+f/8fc/a9275c89964f1/setuptools-39.2.0-py2.py3-none-any.whl (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),))


  ----------------------------------------
Command "/var/lib/wheel-builder/temp/bin/python2 -m pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-QsBWnb https://my-devpi-server/root/pypi/+f/8fc/a9275c89964f1/setuptools-39.2.0-py2.py3-none-any.whl#sha256=8fca9275c89964f13da985c3656cb00ba029d7f3916b37990927ffdf264e7926 https://my-devpi-server/root/pypi/+f/800/44e51ec5bbf6c/wheel-0.31.1-py2.py3-none-any.whl#sha256=80044e51ec5bbf6c894ba0bc48d26a8c20a9ba629f4ca19ea26ecfcf87685f5f" failed with error code 1 in None
@skylerbunny
Author

I'm guessing this problem is here:

def install_requirements(self, finder, requirements, message):

(Which is to say that neither --cert nor --client-cert is checked for or appended in this use case.)

@benoit-pierre
Member

Indeed, session specific options are not being forwarded.

@adamgreg

This is still the case in 19.2.2

@onlineque

onlineque commented Mar 15, 2020

Still the case with 20.0.2. Is there a chance that this bug will be fixed? It effectively prevents me from using a local PyPI repository with HTTPS due to that, and I do not want to work around this bug with an ugly --trusted-host.

@uranusjr
Member

IIUC the fix to this issue should not be too technically involved—locate where the PEP 517 hook installs build dependencies, and pass the flags to them (likely via environment variables for better compatibility). The biggest problem would be to find someone interested enough in this to do the necessary code-tracing and patching, which is still significant but boring work. Feel free to give it a shot if you’re inclined to.

@chrahunt
Member

Anyone that needs this behavior now should be able to work around it by specifying their cert path in the PIP_CERT environment variable or specifying cert in one of the pip configuration files.

jsirois added a commit to jsirois/pex that referenced this issue Oct 8, 2020
In order to work around pypa/pip#5502 fully,
we extract a `PackageIndexConfiguration` class that handles arrangement
of Pip command line flags and environment variables to effect the most
hermetic means possible of conveying `--cert` and `--client-cert` to Pip
and its subprocesses.

Fixes pex-tool#1058
jsirois added a commit to pex-tool/pex that referenced this issue Oct 8, 2020
In order to work around pypa/pip#5502 fully,
we extract a `PackageIndexConfiguration` class that handles arrangement
of Pip command line flags and environment variables to effect the most
hermetic means possible of conveying `--cert` and `--client-cert` to Pip
and its subprocesses.

Fixes #1058
@thibmonsel

thibmonsel commented Apr 4, 2023

This seems to reappear in pip==23.0.1 with the opened issue: jax-ml/jax#15387.

Solution:
Adding --no-build-isolation in the CLI did the trick for me.
e.g.
python3 -m pip install --proxy=MYPROXY MYPACKAGE --no-build-isolation
(I had python3.8 pip==23.0.1)

@uranusjr added the good first issue label Apr 10, 2023
@SeaQuench

Anyone that needs this behavior now should be able to work around it by specifying their cert path in the PIP_CERT environment variable or specifying cert in one of the pip configuration files.

This appears to have been inverted for build 23.1.2 (likely earlier):
PIP_CERT is now ignored but --cert is working! 🙃
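
A wrapper for the workaround discussed in the comments above, as an added example that is not part of the thread or of pip's code: it keeps --cert/--client-cert on the command line and mirrors them into PIP_CERT and PIP_CLIENT_CERT, so the option is conveyed both ways regardless of which one a given pip version honours for build-dependency installs. The function names, SAMPLE_ARGV and the client certificate path are assumptions; PIP_CLIENT_CERT follows pip's documented PIP_<OPTION> naming rule.

```python
import os
import subprocess
import sys

# pip reads every long option from PIP_<NAME> (upper case, dashes -> underscores).
FORWARDED = {"--cert": "PIP_CERT", "--client-cert": "PIP_CLIENT_CERT"}


def tls_env_from_argv(argv, base_env=None):
    """Copy base_env and export the TLS options found in a pip argv.

    Accepts `--cert PATH` and `--cert=PATH`. argv itself is left unchanged,
    so the options reach pip as flags and its subprocesses via the environment.
    """
    env = dict(os.environ if base_env is None else base_env)
    args = iter(argv)
    for arg in args:
        flag, sep, value = arg.partition("=")
        if flag not in FORWARDED:
            continue
        if not sep:  # space-separated form: the path is the next argument
            value = next(args, None)
        if not value:
            raise ValueError(flag + " requires a path")
        # Absolute path, because the build step may run from another directory.
        env[FORWARDED[flag]] = os.path.abspath(os.path.expanduser(value))
    return env


def run_pip(argv):
    """Run pip with the flags kept on the command line and mirrored in env."""
    cmd = [sys.executable, "-m", "pip"] + list(argv)
    return subprocess.call(cmd, env=tls_env_from_argv(argv))


# Constructed sample: the command from the report plus a hypothetical client cert.
SAMPLE_ARGV = [
    "download", "--no-binary", ":all:",
    "--index-url", "https://my-devpi-server/my-index/+simple/",
    "--cert", "/etc/ssl/certs/ca-certificates.crt",
    "--client-cert=/etc/ssl/private/client.pem",
    "attrs",
]

if __name__ == "__main__":
    env = tls_env_from_argv(SAMPLE_ARGV, base_env={})
    print(env["PIP_CERT"], env["PIP_CLIENT_CERT"])
```
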

@jle-pass

jle-pass commented Feb 27, 2024

+1
Hi, dependence with #11476?

@ichard26
Member

ichard26 commented Dec 7, 2024

Hi all,

I have a proposed PR to fix this: #13063. It's ready to land, but I'd like to have some real world testing before I press merge. I'd appreciate anyone with a real world scenario that hits this bug to test my changes. It'd be helpful in ensuring that A) it works, and B) it doesn't break in whatever weird enterprise TLS setups that exist in the wild. You can install pip from the PR branch using pip install https://github.com/ichard26/pip/archive/pass-certs-down.zip.

Thanks!
