Bug 230211

Summary:

[webkitpy] AutoInstall not loading default OpenSSL certificates

Product:

WebKit

Reporter:

Philippe Normand <pnormand>

Component:

Tools / Tests

Assignee:

Sam Sneddon [:gsnedders] <gsnedders>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ews-watchlist, glenn, jbedard, mcatanzaro, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Move Linux special case to webkitpy	none
Add root CA	none

Philippe Normand

Reported 2021-09-13 02:21:55 PDT

The issue: Downloading setuptools-56.2.0... <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)> Failed to download setuptools, retrying <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)> Failed to download setuptools, retrying Failed to install setuptools-56.2.0! Traceback (most recent call last): File "Tools/Scripts/git-webkit", line 28, in <module> from webkitpy.common.config.committers import CommitterList File "/home/buildbot/igalia-jsc32-armv7-ews/JSC-ARMv7-32bits-Build-EWS/build/Tools/Scripts/webkitpy/__init__.py", line 78, in <module> import webkitscmpy File "/home/buildbot/igalia-jsc32-armv7-ews/JSC-ARMv7-32bits-Build-EWS/build/Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py", line 57, in <module> from webkitscmpy.commit import Commit File "/home/buildbot/igalia-jsc32-armv7-ews/JSC-ARMv7-32bits-Build-EWS/build/Tools/Scripts/libraries/webkitscmpy/webkitscmpy/commit.py", line 24, in <module> import six File "<frozen importlib._bootstrap>", line 983, in _find_and_load File "<frozen importlib._bootstrap>", line 963, in _find_and_load_unlocked File "<frozen importlib._bootstrap>", line 906, in _find_spec File "/home/buildbot/igalia-jsc32-armv7-ews/JSC-ARMv7-32bits-Build-EWS/build/Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py", line 602, in find_spec loader = cls.find_module(fullname, path=path) File "/home/buildbot/igalia-jsc32-armv7-ews/JSC-ARMv7-32bits-Build-EWS/build/Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py", line 616, in find_module cls.install(name) File "/home/buildbot/igalia-jsc32-armv7-ews/JSC-ARMv7-32bits-Build-EWS/build/Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py", line 591, in install return all([to_install.install() for to_install in packages]) File "/home/buildbot/igalia-jsc32-armv7-ews/JSC-ARMv7-32bits-Build-EWS/build/Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py", line 591, in <listcomp> return all([to_install.install() for to_install in packages]) File "/home/buildbot/igalia-jsc32-armv7-ews/JSC-ARMv7-32bits-Build-EWS/build/Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py", line 273, in install AutoInstall.install('setuptools') File "/home/buildbot/igalia-jsc32-armv7-ews/JSC-ARMv7-32bits-Build-EWS/build/Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py", line 591, in install return all([to_install.install() for to_install in packages]) File "/home/buildbot/igalia-jsc32-armv7-ews/JSC-ARMv7-32bits-Build-EWS/build/Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py", line 591, in <listcomp> return all([to_install.install() for to_install in packages]) File "/home/buildbot/igalia-jsc32-armv7-ews/JSC-ARMv7-32bits-Build-EWS/build/Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py", line 296, in install archive.unpack(temp_location) File "/home/buildbot/igalia-jsc32-armv7-ews/JSC-ARMv7-32bits-Build-EWS/build/Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py", line 126, in unpack raise IOError('Failed to find archive at {}'.format(self.path)) OSError: Failed to find archive at /home/buildbot/igalia-jsc32-armv7-ews/JSC-ARMv7-32bits-Build-EWS/build/Tools/Scripts/libraries/autoinstalled/python-3/setuptools-56.2.tar.gz

Attachments
Move Linux special case to webkitpy (3.81 KB, patch) 2021-09-20 15:44 PDT, Jonathan Bedard	no flags	Details Formatted Diff Diff
Add root CA (5.49 KB, patch) 2021-09-20 16:00 PDT, Jonathan Bedard	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Philippe Normand

Comment 1 2021-09-13 02:27:26 PDT

I landed r282322 as an emergency fix for EWS/etc bots. I am not sure why this custom cacert is needed in the first place. Is it due to a Python limitation on Apple platforms? In linux we can usually assume the host has valid root certificates, otherwise, maybe we could bootstrap 'certifi' before installing setuptools? That would likely avoid the need for a custom cert in the first place.

Jonathan Bedard

Comment 2 2021-09-13 07:23:37 PDT

A large number of Apple's bots rely on a different pypi source for their packages, and we have a bit of a chicken-egg problem with getting that cacert. Basically, the cacert in webkitcorepy isn't just for pypi.org. Will get it updated, this is the cost of owning the cacert....

Michael Catanzaro

Comment 3 2021-09-15 13:00:28 PDT

Might want to rename the file to avoid confusion with http://www.cacert.org/ ;)

Radar WebKit Bug Importer

Comment 4 2021-09-20 02:22:17 PDT

<rdar://problem/83298684>

Jonathan Bedard

Comment 5 2021-09-20 15:44:35 PDT

Created attachment 438742 [details] Move Linux special case to webkitpy

Jonathan Bedard

Comment 6 2021-09-20 16:00:00 PDT

Created attachment 438746 [details] Add root CA

Jonathan Bedard

Comment 7 2021-09-20 16:02:44 PDT

I think we'd prefer the second one, but if we aren't going to do that, we should do the first so that the Linux special case is in webkitpy and doesn't apply to other callers of webkitpy

Philippe Normand

Comment 8 2021-09-21 11:14:25 PDT

I'll try to test tomorrow.

Sam Sneddon [:gsnedders]

Comment 9 2024-11-06 17:24:03 PST

265530@main further changed the code here. What we should do is probably _always_ load the default OpenSSL certificates (via SSLContext.load_default_certs) and then load our own (via SSLContext.load_verify_locations). Longer-term, especially on Python 3.10 and later, we may well want to consider using truststore (https://pypi.org/project/truststore/) to create a context using the system trust store, thus avoiding the problems entirely.

Sam Sneddon [:gsnedders]

Comment 10 2025-01-02 16:48:58 PST

Pull request: https://github.com/WebKit/WebKit/pull/38478

Sam Sneddon [:gsnedders]

Comment 11 2025-01-03 11:44:23 PST

I presume this to some extent goes back to Jonathan's comment at https://bugs.webkit.org/show_bug.cgi?id=214606#c3: > Rather than fight with the ssl configurations of various different platforms and versions, let's just include the root cert needed by PyPi and be done with it. Most https requests will end up being made through requests, so the root certificate is really just for for PyPi. Having to manage an entire certificate store is a lot of work and we should just… not.

EWS

Comment 12 2025-01-07 11:14:10 PST

Committed 288548@main (d9754b78f0d9): <https://commits.webkit.org/288548@main> Reviewed commits have been landed. Closing PR #38478 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.