CI: Install Root CA certificates to satisfy Python 3.11 on macOS

amotl · amotl · commit 525e162a3dd7 · 2022-09-29T17:22:57.000+02:00
References: - https://stackoverflow.com/a/44649450 - Unbabel/COMET#29 (comment) - https://github.com/python/cpython/blob/main/Mac/BuildScript/resources/install_certificates.command Root cause:: Error: Error downloading extends for URL https://cdn.crate.io/downloads/releases/cratedb/x64_mac/crate-5.0.1.tar.gz: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)>
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -37,6 +37,9 @@ jobs:
       - name: Invoke tests
         run: |
 
+          # Install Root CA certificates
+          sudo ./devtools/install_certifi.py
+
           # Bootstrap environment.
           source bootstrap.sh
 
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -38,6 +38,9 @@ jobs:
       - name: Invoke tests
         run: |
 
+          # Install Root CA certificates
+          sudo ./devtools/install_certifi.py
+
           # Bootstrap environment.
           source bootstrap.sh
 
diff --git a/devtools/install_certifi.py b/devtools/install_certifi.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+
+# install_certifi.py
+#
+# sample script to install or update a set of default Root Certificates
+# for the ssl module.  Uses the certificates provided by the certifi package:
+#       https://pypi.python.org/pypi/certifi
+#
+# References:
+#
+# - https://stackoverflow.com/a/44649450
+# - https://github.com/Unbabel/COMET/issues/29#issuecomment-945601519
+# - https://github.com/python/cpython/blob/main/Mac/BuildScript/resources/install_certificates.command
+
+import os
+import os.path
+import ssl
+import stat
+import subprocess
+import sys
+
+STAT_0o775 = ( stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR
+             | stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP
+             | stat.S_IROTH |                stat.S_IXOTH )
+
+
+def main():
+    openssl_dir, openssl_cafile = os.path.split(
+        ssl.get_default_verify_paths().openssl_cafile)
+
+    print(" -- pip install --upgrade certifi")
+    subprocess.check_call([sys.executable,
+        "-E", "-s", "-m", "pip", "install", "--upgrade", "certifi"])
+
+    import certifi
+
+    # change working directory to the default SSL directory
+    os.chdir(openssl_dir)
+    relpath_to_certifi_cafile = os.path.relpath(certifi.where())
+    print(" -- removing any existing file or link")
+    try:
+        os.remove(openssl_cafile)
+    except FileNotFoundError:
+        pass
+    print(" -- creating symlink to certifi certificate bundle")
+    os.symlink(relpath_to_certifi_cafile, openssl_cafile)
+    print(" -- setting permissions")
+    os.chmod(openssl_cafile, STAT_0o775)
+    print(" -- update complete")
+
+
+if __name__ == '__main__':
+    main()
