From 2fa01394f505d3d9acddd083a06cf84b4986c89a Mon Sep 17 00:00:00 2001
From: Jean-Christophe Morin
Date: Wed, 9 Aug 2023 16:23:49 -0400
Subject: [PATCH 1/5] Set the SSL_CERT_FILE environment variables via an activation script on Windows to make sure Python can do HTTPS requests by default without requiring certifi.
---
 recipe/activate.bat | 4 ++++
 recipe/activate.sh | 4 ++++
 recipe/bld.bat | 13 +++++++++++++
 recipe/deactivate.bat | 4 ++++
 recipe/deactivate.sh | 4 ++++
 recipe/meta.yaml | 7 ++-----
 6 files changed, 31 insertions(+), 5 deletions(-)
 create mode 100644 recipe/activate.bat
 create mode 100644 recipe/activate.sh
 create mode 100644 recipe/deactivate.bat
 create mode 100644 recipe/deactivate.sh
diff --git a/recipe/activate.bat b/recipe/activate.bat
new file mode 100644
index 0000000..7be12ff
--- /dev/null
+++ b/recipe/activate.bat
@@ -0,0 +1,4 @@
+if "%SSL_CERT_FILE%"=="" (
+ set SSL_CERT_FILE="%LIBRARY_PREFIX%\ssl\cacert.pem"
+ set __CONDA_OPENSLL_CERT_FILE_SET="1"
+)
diff --git a/recipe/activate.sh b/recipe/activate.sh
new file mode 100644
index 0000000..2d56c91
--- /dev/null
+++ b/recipe/activate.sh
@@ -0,0 +1,4 @@
+if [[ "$SSL_CERT_FILE" == "" ]]; then
+ export SSL_CERT_FILE="${LIBRARY_PREFIX}\\ssl\\cacert.pem"
+ export __CONDA_OPENSLL_CERT_FILE_SET="1"
+fi
diff --git a/recipe/bld.bat b/recipe/bld.bat
index 64effae..35fd4ba 100644
--- a/recipe/bld.bat
+++ b/recipe/bld.bat
@@ -1,3 +1,5 @@
+setlocal EnableDelayedExpansion
+
 if "%ARCH%"=="32" (
 set OSSL_CONFIGURE=VC-WIN32
 ) ELSE (
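Review bot: In recipe/activate.bat, `set __CONDA_OPENSLL_CERT_FILE_SET="1"` stores the double quotes as part of the value, so the `"%__CONDA_OPENSLL_CERT_FILE_SET%" == "1"` test in recipe/deactivate.bat expands to `""1"" == "1"` and should never match. SSL_CERT_FILE then survives deactivation, and because activation only assigns it when empty, the next environment activated in that cmd session keeps the previous environment's CA bundle path as its trust anchor. PATCH 3/5 drops the quotes on the SSL_CERT_FILE line, but the marker line is carried unchanged through PATCH 2/5 and 3/5. Write it as `set "__CONDA_OPENSLL_CERT_FILE_SET=1"`; the name also spells OPENSSL as OPENSLL in every script, which is worth correcting while the variable is still new.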
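Review bot: The guard `[[ "$SSL_CERT_FILE" == "" ]]` in recipe/activate.sh runs inside the user's own shell on activation, so it fails with an unbound-variable error when that shell has `set -u` and SSL_CERT_FILE is unset, and `[[` is not available in a plain POSIX sh. `if [ -z "${SSL_CERT_FILE:-}" ]; then` behaves the same in bash and avoids both problems; the `[[ "$__CONDA_OPENSLL_CERT_FILE_SET" == "1" ]]` test in recipe/deactivate.sh needs the same treatment. A header comment recording that an existing value is left alone on purpose would help the next maintainer, for example `# Respect a CA bundle the user already configured; only set a default.`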
@@ -14,6 +16,8 @@ REM write permissions to limit the risk of non-privileged users exploiting
 REM OpenSSL's engines feature to perform arbitrary code execution attacks
 REM against applications that load the OpenSSL DLLs.
 REM
+REM On top of that, we also set the SSL_CERT_FILE environment variable
+REM via an activation script to point to the ca-certificates provided CA root file.
 set PERL=%BUILD_PREFIX%\Library\bin\perl
 %BUILD_PREFIX%\Library\bin\perl configure %OSSL_CONFIGURE% ^
 --prefix=%LIBRARY_PREFIX% ^
@@ -63,3 +67,12 @@ rem copy out32dll\ssleay32.dll %LIBRARY_BIN%\ssleay32.dll
 rem copy out32dll\libeay32.dll %LIBRARY_BIN%\libeay32.dll
 rem mkdir %LIBRARY_INC%\openssl
 rem xcopy /S inc32\openssl\*.* %LIBRARY_INC%\openssl\
+
+:: Copy the [de]activate scripts to %PREFIX%\etc\conda\[de]activate.d.
+:: This will allow them to be run on environment activation.
+for %%F in (activate deactivate) DO (
+ if not exist %PREFIX%\etc\conda\%%F.d mkdir %PREFIX%\etc\conda\%%F.d
+ copy %RECIPE_DIR%\%%F.bat %PREFIX%\etc\conda\%%F.d\%PKG_NAME%_%%F.bat
+ :: Copy unix shell activation scripts, needed by Windows Bash users
+ copy %RECIPE_DIR%\%%F.sh %PREFIX%\etc\conda\%%F.d\%PKG_NAME%_%%F.sh
+)
diff --git a/recipe/deactivate.bat b/recipe/deactivate.bat
new file mode 100644
index 0000000..5cb3d20
--- /dev/null
+++ b/recipe/deactivate.bat
@@ -0,0 +1,4 @@
+if "%__CONDA_OPENSLL_CERT_FILE_SET%" == "1" (
+ set SSL_CERT_FILE=
+ set __CONDA_OPENSLL_CERT_FILE_SET=
+)
diff --git a/recipe/deactivate.sh b/recipe/deactivate.sh
new file mode 100644
index 0000000..6f2ba0b
--- /dev/null
+++ b/recipe/deactivate.sh
@@ -0,0 +1,4 @@
+if [[ "$__CONDA_OPENSLL_CERT_FILE_SET" == "1" ]]; then
+ unset SSL_CERT_FILE
+ unset
+fi
diff --git a/recipe/meta.yaml b/recipe/meta.yaml
index 1b63f22..c288e1f 100644
--- a/recipe/meta.yaml
+++ b/recipe/meta.yaml
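Review bot: None of the `copy` commands in the new `for %%F` loop at the end of recipe/bld.bat is checked, so a failed copy still produces a package, only without the activation script that points SSL_CERT_FILE at the CA bundle. Append a check to each, e.g. `copy "%RECIPE_DIR%\%%F.bat" "%PREFIX%\etc\conda\%%F.d\%PKG_NAME%_%%F.bat" || exit 1`, and quote the directory line too: `if not exist "%PREFIX%\etc\conda\%%F.d" mkdir "%PREFIX%\etc\conda\%%F.d"`. PATCH 3/5 quotes the copy arguments but leaves the `if not exist` line and the missing checks as they are, and PATCH 4/5 adds a third unchecked copy. The `::` comment inside the parenthesised block is fragile in cmd; `REM` is the safe form there.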
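Review bot: recipe/deactivate.bat clears SSL_CERT_FILE whenever the marker is set, without checking that the variable still holds the path that activation wrote. A user who points SSL_CERT_FILE at their own bundle after activating (a corporate root store, say) loses that setting on deactivate and silently falls back to whatever default applies. Recording the assigned path in the marker instead of `1` and clearing only on a match avoids this: `if "%SSL_CERT_FILE%"=="%__CONDA_OPENSLL_CERT_FILE_SET%" set "SSL_CERT_FILE="`. recipe/deactivate.sh in this patch and recipe/deactivate.ps1 in PATCH 4/5 follow the same unconditional pattern.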
@@ -9,7 +9,7 @@ source:
 url: https://www.openssl.org/source/{{ name }}-{{ version }}.tar.gz
 sha256: 1761d4f5b13a1028b9b6f3d4b8e17feb0cedc9370f6afe61d7193d2cdce83323
 build:
- number: 0
+ number: 1
 no_link: lib/libcrypto.so.3.0 # [linux]
 no_link: lib/libcrypto.3.0.dylib # [osx]
 has_prefix_files: # [unix]
@@ -39,16 +39,13 @@ requirements:
 test:
 requires:
- - certifi # [win]
 - python 3.8
- - six
 commands:
 - copy NUL checksum.txt # [win]
 - touch checksum.txt # [unix]
 - openssl sha256 checksum.txt
 - openssl ecparam -name prime256v1
- - python -c "from six.moves import urllib; urllib.request.urlopen('https://pypi.org')" # [unix]
- - python -c "import certifi; import ssl; import urllib.request as urlrq; urlrq.urlopen('https://pypi.org', context=ssl.create_default_context(cafile=certifi.where()))" # [win]
+ - python -c "import urllib.request; urllib.request.urlopen('https://pypi.org')"
 about:
 home: https://www.openssl.org/
From d25d979f47c20b277a8b00566da5ae52ba7531df Mon Sep 17 00:00:00 2001
From: Jean-Christophe Morin
Date: Wed, 9 Aug 2023 18:29:12 -0400
Subject: [PATCH 2/5] Fix SSL_CERT_FILE variable to use CONDA_PREFIX instead of LIBRARY_PREFIX and properly unset __CONDA_OPENSLL_CERT_FILE_SET
---
 recipe/activate.bat | 2 +-
 recipe/activate.sh | 2 +-
 recipe/deactivate.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/recipe/activate.bat b/recipe/activate.bat
index 7be12ff..f47bee8 100644
--- a/recipe/activate.bat
+++ b/recipe/activate.bat
@@ -1,4 +1,4 @@
 if "%SSL_CERT_FILE%"=="" (
- set SSL_CERT_FILE="%LIBRARY_PREFIX%\ssl\cacert.pem"
+ set SSL_CERT_FILE="%CONDA_PREFIX%\Library\ssl\cacert.pem"
 set __CONDA_OPENSLL_CERT_FILE_SET="1"
 )
diff --git a/recipe/activate.sh b/recipe/activate.sh
index 2d56c91..7c7dcf5 100644
--- a/recipe/activate.sh
+++ b/recipe/activate.sh
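Review bot: The single `urllib.request.urlopen('https://pypi.org')` command in the second meta.yaml hunk of PATCH 1/5 no longer pins which trust store is used, so on Windows it may succeed through the system certificate store that Python's default context also loads, even when SSL_CERT_FILE is missing or wrong. Keeping one explicit check against the activated bundle would test what this change is for: `- python -c "import os, ssl, urllib.request; urllib.request.urlopen('https://pypi.org', timeout=30, context=ssl.create_default_context(cafile=os.environ['SSL_CERT_FILE']))"  # [win]`. The call as written also has no timeout, so a stalled connection hangs the test run instead of failing it.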
@@ -1,4 +1,4 @@
 if [[ "$SSL_CERT_FILE" == "" ]]; then
- export SSL_CERT_FILE="${LIBRARY_PREFIX}\\ssl\\cacert.pem"
+ export SSL_CERT_FILE="${CONDA_PREFIX}\\Library\ssl\\cacert.pem"
 export __CONDA_OPENSLL_CERT_FILE_SET="1"
 fi
diff --git a/recipe/deactivate.sh b/recipe/deactivate.sh
index 6f2ba0b..ba24c27 100644
--- a/recipe/deactivate.sh
+++ b/recipe/deactivate.sh
@@ -1,4 +1,4 @@
 if [[ "$__CONDA_OPENSLL_CERT_FILE_SET" == "1" ]]; then
 unset SSL_CERT_FILE
- unset
+ unset __CONDA_OPENSLL_CERT_FILE_SET
 fi
From ff7e5a154801f568615787156db76d03a00cc63b Mon Sep 17 00:00:00 2001
From: Jean-Christophe Morin
Date: Thu, 10 Aug 2023 13:54:54 -0400
Subject: [PATCH 3/5] Attempt to fix windows tests
---
 recipe/activate.bat | 2 +-
 recipe/bld.bat | 4 ++--
 recipe/meta.yaml | 2 ++
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/recipe/activate.bat b/recipe/activate.bat
index f47bee8..b070ac4 100644
--- a/recipe/activate.bat
+++ b/recipe/activate.bat
@@ -1,4 +1,4 @@
 if "%SSL_CERT_FILE%"=="" (
- set SSL_CERT_FILE="%CONDA_PREFIX%\Library\ssl\cacert.pem"
+ set SSL_CERT_FILE=%CONDA_PREFIX%\Library\ssl\cacert.pem
 set __CONDA_OPENSLL_CERT_FILE_SET="1"
 )
diff --git a/recipe/bld.bat b/recipe/bld.bat
index 35fd4ba..bab472a 100644
--- a/recipe/bld.bat
+++ b/recipe/bld.bat
@@ -72,7 +72,7 @@ rem xcopy /S inc32\openssl\*.* %LIBRARY_INC%\openssl\
 :: This will allow them to be run on environment activation.
 for %%F in (activate deactivate) DO (
 if not exist %PREFIX%\etc\conda\%%F.d mkdir %PREFIX%\etc\conda\%%F.d
- copy %RECIPE_DIR%\%%F.bat %PREFIX%\etc\conda\%%F.d\%PKG_NAME%_%%F.bat
+ copy "%RECIPE_DIR%\%%F.bat" "%PREFIX%\etc\conda\%%F.d\%PKG_NAME%_%%F.bat"
 :: Copy unix shell activation scripts, needed by Windows Bash users
- copy %RECIPE_DIR%\%%F.sh %PREFIX%\etc\conda\%%F.d\%PKG_NAME%_%%F.sh
+ copy "%RECIPE_DIR%\%%F.sh" "%PREFIX%\etc\conda\%%F.d\%PKG_NAME%_%%F.sh"
 )
diff --git a/recipe/meta.yaml b/recipe/meta.yaml
index c288e1f..d01dd36 100644
--- a/recipe/meta.yaml
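Review bot: The new path in recipe/activate.sh (PATCH 2/5) mixes escaped and bare backslashes, `\\Library\ssl\\cacert.pem`; bash keeps `\s` literally inside double quotes, so the value comes out right, but only because of which letter follows the backslash. Use one form throughout: `export SSL_CERT_FILE="${CONDA_PREFIX}\\Library\\ssl\\cacert.pem"`. Whether CONDA_PREFIX is a Windows-style path in the bash shells this script targets is not visible here and is worth confirming, since a POSIX-style prefix joined with backslashes would not name the bundle.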
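Review bot: With the quotes removed in PATCH 3/5, `set SSL_CERT_FILE=%CONDA_PREFIX%\Library\ssl\cacert.pem` in recipe/activate.bat sits unprotected inside the parenthesised `if` block, and cmd expands `%CONDA_PREFIX%` before it parses the block. An environment path containing `)` or `&` (for example one under `Program Files (x86)`) would end the block early or split the command, leaving SSL_CERT_FILE truncated or unset. Quote the whole assignment rather than the value, `set "SSL_CERT_FILE=%CONDA_PREFIX%\Library\ssl\cacert.pem"`, which protects the path and stores no quote characters.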
+++ b/recipe/meta.yaml
@@ -45,6 +45,8 @@ test:
 - touch checksum.txt # [unix]
 - openssl sha256 checksum.txt
 - openssl ecparam -name prime256v1
+ - if "%SSL_CERT_FILE%"=="" exit 1 # [win]
+ - if not exist "%SSL_CERT_FILE%" exit 1 # [win]
 - python -c "import urllib.request; urllib.request.urlopen('https://pypi.org')"
 about:
From e4cd4a1473f3e5cb376a480c1ecf599b094770a0 Mon Sep 17 00:00:00 2001
From: Jean-Christophe Morin
Date: Thu, 10 Aug 2023 17:44:44 -0400
Subject: [PATCH 4/5] Add PowerShell (de)activation scripts
---
 recipe/activate.ps1 | 4 ++++
 recipe/bld.bat | 1 +
 recipe/deactivate.ps1 | 4 ++++
 3 files changed, 9 insertions(+)
 create mode 100644 recipe/activate.ps1
 create mode 100644 recipe/deactivate.ps1
diff --git a/recipe/activate.ps1 b/recipe/activate.ps1
new file mode 100644
index 0000000..41d91f6
--- /dev/null
+++ b/recipe/activate.ps1
@@ -0,0 +1,4 @@
+if (-not $Env:SSL_CERT_FILE) {
+ $Env:SSL_CERT_FILE = "$Env:CONDA_PREFIX\Library\ssl\cacert.pem"
+ $Env:__CONDA_OPENSLL_CERT_FILE_SET = "1"
+}
diff --git a/recipe/bld.bat b/recipe/bld.bat
index bab472a..ca50816 100644
--- a/recipe/bld.bat
+++ b/recipe/bld.bat
@@ -73,6 +73,7 @@ rem xcopy /S inc32\openssl\*.* %LIBRARY_INC%\openssl\
 for %%F in (activate deactivate) DO (
 if not exist %PREFIX%\etc\conda\%%F.d mkdir %PREFIX%\etc\conda\%%F.d
 copy "%RECIPE_DIR%\%%F.bat" "%PREFIX%\etc\conda\%%F.d\%PKG_NAME%_%%F.bat"
+ copy "%RECIPE_DIR%\%%F.ps1" "%PREFIX%\etc\conda\%%F.d\%PKG_NAME%_%%F.ps1"
 :: Copy unix shell activation scripts, needed by Windows Bash users
 copy "%RECIPE_DIR%\%%F.sh" "%PREFIX%\etc\conda\%%F.d\%PKG_NAME%_%%F.sh"
 )
diff --git a/recipe/deactivate.ps1 b/recipe/deactivate.ps1
new file mode 100644
index 0000000..6cc0198
--- /dev/null
+++ b/recipe/deactivate.ps1
@@ -0,0 +1,4 @@
+if ($Env:__CONDA_OPENSLL_CERT_FILE_SET -eq "1") {
+ Remove-Item -Path Env:\CERT_FILE_SET
+ Remote-Item -Path Env:\__CONDA_OPENSLL_CERT_FILE_SET
+}
From d8a77eb21b419c2987a5875f7ba946957d4478c2 Mon Sep 17 00:00:00 2001
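Review bot: The two `[win]` checks added to recipe/meta.yaml in PATCH 3/5 are written in batch syntax and only exercise activation; nothing runs the deactivate scripts or the .sh and .ps1 variants. The deactivate.ps1 added in PATCH 4/5 removes `Env:\CERT_FILE_SET` and calls `Remote-Item`, and the test suite had no way to notice that before PATCH 5/5 corrected it. Until such tests exist, a comment stating the scope, such as `# cmd.exe activation only; bash/PowerShell and deactivation are not covered`, would keep a green run from being read as covering them.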
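Review bot: recipe/activate.ps1 assigns SSL_CERT_FILE without checking that `$Env:CONDA_PREFIX\Library\ssl\cacert.pem` exists, so in an environment without that bundle every tool started from the session that honours SSL_CERT_FILE is pointed at a missing file. Guard the assignment with `if (-not $Env:SSL_CERT_FILE -and (Test-Path "$Env:CONDA_PREFIX\Library\ssl\cacert.pem")) {`; activate.bat and activate.sh have the same gap. Whether the recipe guarantees the file through a run dependency is not visible in these hunks.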
From: Jean-Christophe Morin
Date: Thu, 10 Aug 2023 18:46:54 -0400
Subject: [PATCH 5/5] Fix deactivate.ps1
---
 recipe/deactivate.ps1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/recipe/deactivate.ps1 b/recipe/deactivate.ps1
index 6cc0198..2fd22a8 100644
--- a/recipe/deactivate.ps1
+++ b/recipe/deactivate.ps1
@@ -1,4 +1,4 @@
 if ($Env:__CONDA_OPENSLL_CERT_FILE_SET -eq "1") {
- Remove-Item -Path Env:\CERT_FILE_SET
- Remote-Item -Path Env:\__CONDA_OPENSLL_CERT_FILE_SET
+ Remove-Item -Path Env:\SSL_CERT_FILE
+ Remove-Item -Path Env:\__CONDA_OPENSLL_CERT_FILE_SET
 }
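Review bot: `Remove-Item -Path Env:\SSL_CERT_FILE` in recipe/deactivate.ps1 raises an error when the variable was already removed during the session, and if the caller runs with `$ErrorActionPreference = 'Stop'` the marker on the next line is then never cleared. Making both calls tolerant keeps deactivation idempotent: `Remove-Item -Path Env:\SSL_CERT_FILE -ErrorAction SilentlyContinue`, and the same for `Env:\__CONDA_OPENSLL_CERT_FILE_SET`.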