diff --git a/pkgs/development/python-modules/certifi/default.nix b/pkgs/development/python-modules/certifi/default.nix index ecf7ed49aa5c..065b32ddc629 100644 --- a/pkgs/development/python-modules/certifi/default.nix +++ b/pkgs/development/python-modules/certifi/default.nix @@ -1,5 +1,6 @@ { lib , buildPythonPackage +, cacert , pythonOlder , fetchFromGitHub , pytestCheckHook @@ -18,10 +19,27 @@ buildPythonPackage rec { hash = "sha256-B6LO6AfG9cfpyNI7hj3VjmGTFsrrIkDYO4gPMkZY74w="; }; + patches = [ + # Add support for NIX_SSL_CERT_FILE + ./env.patch + ]; + + postPatch = '' + # Use our system-wide ca-bundle instead of the bundled one + rm -v "certifi/cacert.pem" + ln -snvf "${cacert}/etc/ssl/certs/ca-bundle.crt" "certifi/cacert.pem" + ''; + checkInputs = [ pytestCheckHook ]; + preCheck = '' + # NIX_SSL_CERT_FILE is set to /no-cert-file.crt during build, which + # breaks the tests + unset NIX_SSL_CERT_FILE + ''; + pythonImportsCheck = [ "certifi" ]; diff --git a/pkgs/development/python-modules/certifi/env.patch b/pkgs/development/python-modules/certifi/env.patch new file mode 100644 index 000000000000..8d32394521a6 --- /dev/null +++ b/pkgs/development/python-modules/certifi/env.patch @@ -0,0 +1,76 @@ +diff --git a/certifi/core.py b/certifi/core.py +index de02898..3ec9147 100644 +--- a/certifi/core.py ++++ b/certifi/core.py +@@ -4,6 +4,7 @@ certifi.py + + This module returns the installation location of cacert.pem or its contents. + """ ++import os + import sys + + +@@ -12,7 +13,7 @@ if sys.version_info >= (3, 11): + from importlib.resources import as_file, files + + _CACERT_CTX = None +- _CACERT_PATH = None ++ _CACERT_PATH = os.environ.get("NIX_SSL_CERT_FILE", None) + + def where() -> str: + # This is slightly terrible, but we want to delay extracting the file +@@ -39,14 +40,16 @@ if sys.version_info >= (3, 11): + return _CACERT_PATH + + def contents() -> str: +- return files("certifi").joinpath("cacert.pem").read_text(encoding="ascii") ++ if _CACERT_PATH is not None: ++ return open(_CACERT_PATH, encoding="utf-8").read() ++ return files("certifi").joinpath("cacert.pem").read_text(encoding="utf-8") + + elif sys.version_info >= (3, 7): + + from importlib.resources import path as get_path, read_text + + _CACERT_CTX = None +- _CACERT_PATH = None ++ _CACERT_PATH = os.environ.get("NIX_SSL_CERT_FILE", None) + + def where() -> str: + # This is slightly terrible, but we want to delay extracting the +@@ -74,7 +77,9 @@ elif sys.version_info >= (3, 7): + return _CACERT_PATH + + def contents() -> str: +- return read_text("certifi", "cacert.pem", encoding="ascii") ++ if _CACERT_PATH is not None: ++ return open(_CACERT_PATH, encoding="utf-8").read() ++ return read_text("certifi", "cacert.pem", encoding="utf-8") + + else: + import os +@@ -84,6 +89,8 @@ else: + Package = Union[types.ModuleType, str] + Resource = Union[str, "os.PathLike"] + ++ _CACERT_PATH = os.environ.get("NIX_SSL_CERT_FILE", None) ++ + # This fallback will work for Python versions prior to 3.7 that lack the + # importlib.resources module but relies on the existing `where` function + # so won't address issues with environments like PyOxidizer that don't set +@@ -102,7 +109,14 @@ else: + def where() -> str: + f = os.path.dirname(__file__) + ++ if _CACERT_PATH is not None: ++ return _CACERT_PATH ++ + return os.path.join(f, "cacert.pem") + + def contents() -> str: +- return read_text("certifi", "cacert.pem", encoding="ascii") ++ if _CACERT_PATH is not None: ++ with open(_CACERT_PATH, encoding="utf-8") as data: ++ return data.read() ++ ++ return read_text("certifi", "cacert.pem", encoding="utf-8")