Bug 1687732 - Bundle certifi certificates in taskcluster's Python on OSX r=jmaher

Instead of trying to find the system certificates, something that may depend on the running system, use the certifi package and have ssl point to it. Differential Revision: https://phabricator.services.mozilla.com/D201596
2024-11-27 23:02:20 +00:00 · 2024-02-13 10:16:53 +00:00 · 2024-02-13 10:16:53 +00:00 · 5f441eb6a4
commit 5f441eb6a4
parent 550505c7d8
2 changed files with 23 additions and 7 deletions
--- a/taskcluster/scripts/misc/build-cpython.sh
+++ b/taskcluster/scripts/misc/build-cpython.sh
@ -79,6 +79,7 @@ ${work_dir}/python/bin/python3 -m pip install -r ${GECKO_PATH}/build/psutil_requ

 case `uname -s` in
    Darwin)
+
        cp /usr/local/opt/openssl/lib/libssl*.dylib ${work_dir}/python/lib/
        cp /usr/local/opt/openssl/lib/libcrypto*.dylib ${work_dir}/python/lib/
        cp ${xz_prefix}/lib/liblzma.dylib ${work_dir}/python/lib/
@ -99,6 +100,9 @@ case `uname -s` in
        # sanity check
        ${work_dir}/python/bin/python3 -c "import ssl"
        ${work_dir}/python/bin/python3 -c "import lzma"
+
+        # We may not have access to system certificate on OSX
+        ${work_dir}/python/bin/python3 -m pip install certifi==2024.2.2
        ;;
    Linux)
        cp /usr/lib/x86_64-linux-gnu/libffi.so.* ${work_dir}/python/lib/
--- a/taskcluster/scripts/run-task
+++ b/taskcluster/scripts/run-task
@ -968,13 +968,6 @@ def main(args):
                    moz_python_bindir = moz_python_home + '/bin'


-                # just a sanity check
-                candidate = os.path.join(moz_python_bindir, f'python3{ext}')
-                if not os.path.exists(candidate):
-                    raise RuntimeError("Inconsistent Python installation: "
-                                       "archive found, but no python3 binary "
-                                       "detected")
-
                new = os.environ['PATH'] = os.pathsep.join([moz_python_bindir]
                                                           + prev)

@ -983,6 +976,25 @@ def main(args):
                # maintain a small patch to use MOZPYTHONHOME instead.
                os.environ['MOZPYTHONHOME'] = moz_python_home

+                pyinterp = os.path.join(moz_python_bindir, f'python3{ext}')
+                # just a sanity check
+                if not os.path.exists(pyinterp):
+                    raise RuntimeError("Inconsistent Python installation: "
+                                       "archive found, but no python3 binary "
+                                       "detected")
+
+                if IS_MACOSX:
+                    # On OSX, we may not have access to the system certificate,
+                    # so use the certifi ones.
+                    certifi_cert_file = subprocess.check_output(
+                    [pyinterp, '-c',
+                     'import certifi; print(certifi.where())'],
+                    text=True
+                    )
+                    os.environ['SSL_CERT_FILE'] = certifi_cert_file.strip()
+                    print_line(b'setup',
+                               b'patching ssl certificate\n')
+
                print_line(b'setup',
                           b'updated PATH with python artifact: '
                           + new.encode() + b'\n')