Merge pull request #1072 from GitGuardian/agateau/support-host-certs

agateau-gg · web-flow · commit 11cf9c63f015 · 2025-03-24T15:56:12.000+01:00
Use system certificates
diff --git a/.github/workflows/build_release_assets.yml b/.github/workflows/build_release_assets.yml
@@ -54,6 +54,8 @@ jobs:
           - os: ubuntu-22.04
             # When building on Linux we use a container to build using an old enough version
             container: rockylinux/rockylinux:8
+            sha256sum:
+              python: e8d7ed8c6f8c6f85cd083d5051cafd8c6c01d09eca340d1da74d0c00ff1cb897
           - os: windows-2022
           - os: macos-13
             arch: x86_64
@@ -91,11 +93,22 @@ jobs:
 
           # Install necessary packages
           yum install -y \
-            python3.9 \
             git-core \
             findutils
 
-          echo PYTHON_CMD=/usr/bin/python3.9 >> $GITHUB_ENV
+          # Install Python 3.10 (we can't use the one from setup-python@v5: it requires a more recent version of libc)
+          PYTHON_VERSION=3.10.16
+          PYTHON_BUILD=20250317
+          scripts/download \
+            https://github.com/indygreg/python-build-standalone/releases/download/${PYTHON_BUILD}/cpython-${PYTHON_VERSION}+${PYTHON_BUILD}-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz \
+            python.tar.gz \
+            ${{ matrix.sha256sum.python }}
+
+          tar xf python.tar.gz
+
+          # Make Python available
+          echo PATH=$PWD/python/bin:$PATH >> $GITHUB_ENV
+          echo PYTHON_CMD=$PWD/python/bin/python >> $GITHUB_ENV
 
           # Install NFPM
           NFPM_VERSION=2.36.1
diff --git a/changelog.d/20250321_152657_aurelien.gateau_support_host_certs.md b/changelog.d/20250321_152657_aurelien.gateau_support_host_certs.md
@@ -0,0 +1,3 @@
+### Added
+
+- ggshield now uses the system certificates instead of the bundled ones. Note that this only works with Python >= 3.10 (#1067).
diff --git a/ggshield/__main__.py b/ggshield/__main__.py
@@ -179,6 +179,17 @@ def force_utf8_output():
         out.reconfigure(encoding="utf-8")
 
 
+def setup_truststore():
+    """Use the system certificates instead of the ones bundled by certifi"""
+    if sys.version_info < (3, 10):
+        # truststore requires Python 3.10
+        return
+
+    import truststore
+
+    truststore.inject_into_ssl()
+
+
 def main(args: Optional[List[str]] = None) -> Any:
     """
     Wrapper around cli.main() to handle the GITGUARDIAN_CRASH_LOG variable.
@@ -196,6 +207,7 @@ def main(args: Optional[List[str]] = None) -> Any:
         ui.set_ui(RichGGShieldUI())
 
     force_utf8_output()
+    setup_truststore()
 
     show_crash_log = getenv_bool("GITGUARDIAN_CRASH_LOG")
     return cli.main(args, prog_name="ggshield", standalone_mode=not show_crash_log)
diff --git a/pdm.lock b/pdm.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -49,6 +49,7 @@ dependencies = [
     "rich~=12.5.1",
     "typing-extensions~=4.12.2",
     "urllib3~=2.2.2",
+    "truststore>=0.10.1; python_version >= \"3.10\"",
 ]
 
 [project.urls]

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+### Added`
	`2`	`+`
	`3`	`+- ggshield now uses the system certificates instead of the bundled ones. Note that this only works with Python >= 3.10 (#1067).`
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ dependencies = [`
`49`	`49`	`"rich~=12.5.1",`
`50`	`50`	`"typing-extensions~=4.12.2",`
`51`	`51`	`"urllib3~=2.2.2",`
	`52`	`+ "truststore>=0.10.1; python_version >= \"3.10\"",`
`52`	`53`	`]`
`53`	`54`
`54`	`55`	`[project.urls]`