Set the SSL_CERT_FILE environment variables via an activation script …

…on Windows to make sure Python can do HTTPS requests by default without requiring certifi.
AnacondaRecipes · Aug 9, 2023 · 2fa0139 · 2fa0139
1 parent 67f77d1
commit 2fa0139
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 5 deletions.
diff --git a/recipe/activate.bat b/recipe/activate.bat
@@ -0,0 +1,4 @@
+if "%SSL_CERT_FILE%"=="" (
+    set SSL_CERT_FILE="%LIBRARY_PREFIX%\ssl\cacert.pem"
+    set __CONDA_OPENSLL_CERT_FILE_SET="1"
+)
diff --git a/recipe/activate.sh b/recipe/activate.sh
@@ -0,0 +1,4 @@
+if [[ "$SSL_CERT_FILE" == "" ]]; then
+    export SSL_CERT_FILE="${LIBRARY_PREFIX}\\ssl\\cacert.pem"
+    export __CONDA_OPENSLL_CERT_FILE_SET="1"
+fi
diff --git a/recipe/bld.bat b/recipe/bld.bat
@@ -1,3 +1,5 @@
+setlocal EnableDelayedExpansion
+
 if "%ARCH%"=="32" (
     set OSSL_CONFIGURE=VC-WIN32
 ) ELSE (
@@ -14,6 +16,8 @@ REM write permissions to limit the risk of non-privileged users exploiting
 REM OpenSSL's engines feature to perform arbitrary code execution attacks
 REM against applications that load the OpenSSL DLLs.
 REM
+REM On top of that, we also set the SSL_CERT_FILE environment variable
+REM via an activation script to point to the ca-certificates provided CA root file.
 set PERL=%BUILD_PREFIX%\Library\bin\perl
 %BUILD_PREFIX%\Library\bin\perl configure %OSSL_CONFIGURE% ^
     --prefix=%LIBRARY_PREFIX% ^
@@ -63,3 +67,12 @@ rem copy out32dll\ssleay32.dll %LIBRARY_BIN%\ssleay32.dll
 rem copy out32dll\libeay32.dll %LIBRARY_BIN%\libeay32.dll
 rem mkdir %LIBRARY_INC%\openssl
 rem xcopy /S inc32\openssl\*.* %LIBRARY_INC%\openssl\
+
+:: Copy the [de]activate scripts to %PREFIX%\etc\conda\[de]activate.d.
+:: This will allow them to be run on environment activation.
+for %%F in (activate deactivate) DO (
+    if not exist %PREFIX%\etc\conda\%%F.d mkdir %PREFIX%\etc\conda\%%F.d
+    copy %RECIPE_DIR%\%%F.bat %PREFIX%\etc\conda\%%F.d\%PKG_NAME%_%%F.bat
+    :: Copy unix shell activation scripts, needed by Windows Bash users
+    copy %RECIPE_DIR%\%%F.sh %PREFIX%\etc\conda\%%F.d\%PKG_NAME%_%%F.sh
+)
diff --git a/recipe/deactivate.bat b/recipe/deactivate.bat
@@ -0,0 +1,4 @@
+if "%__CONDA_OPENSLL_CERT_FILE_SET%" == "1" (
+    set SSL_CERT_FILE=
+    set __CONDA_OPENSLL_CERT_FILE_SET=
+)
diff --git a/recipe/deactivate.sh b/recipe/deactivate.sh
@@ -0,0 +1,4 @@
+if [[ "$__CONDA_OPENSLL_CERT_FILE_SET" == "1" ]]; then
+    unset SSL_CERT_FILE
+    unset
+fi
diff --git a/recipe/meta.yaml b/recipe/meta.yaml
@@ -9,7 +9,7 @@ source:
   url: https://www.openssl.org/source/{{ name }}-{{ version }}.tar.gz
   sha256: 1761d4f5b13a1028b9b6f3d4b8e17feb0cedc9370f6afe61d7193d2cdce83323
 build:
-  number: 0
+  number: 1
   no_link: lib/libcrypto.so.3.0        # [linux]
   no_link: lib/libcrypto.3.0.dylib     # [osx]
   has_prefix_files:                      # [unix]
@@ -39,16 +39,13 @@ requirements:
 
 test:
   requires:
-    - certifi  # [win]
     - python 3.8
-    - six
   commands:
     - copy NUL checksum.txt        # [win]
     - touch checksum.txt           # [unix]
     - openssl sha256 checksum.txt
     - openssl ecparam -name prime256v1
-    - python -c "from six.moves import urllib; urllib.request.urlopen('https://pypi.org')"  # [unix]
-    - python -c "import certifi; import ssl; import urllib.request as urlrq; urlrq.urlopen('https://pypi.org', context=ssl.create_default_context(cafile=certifi.where()))"  # [win]
+    - python -c "import urllib.request; urllib.request.urlopen('https://pypi.org')"
 
 about:
   home: https://www.openssl.org/