feat: use system certificates

agateau-gg · agateau-gg · commit e83c38cdf5b4 · 2025-03-21T16:05:21.000+01:00
Fixes #1067
diff --git a/changelog.d/20250321_152657_aurelien.gateau_support_host_certs.md b/changelog.d/20250321_152657_aurelien.gateau_support_host_certs.md
@@ -0,0 +1,3 @@
+### Added
+
+- ggshield now uses the system certificates instead of the bundled ones. Note that this only works with Python >= 3.10 (#1067).
diff --git a/ggshield/__main__.py b/ggshield/__main__.py
@@ -179,6 +179,17 @@ def force_utf8_output():
         out.reconfigure(encoding="utf-8")
 
 
+def setup_truststore():
+    """Use the system certificates instead of the ones bundled by certifi"""
+    if sys.version_info < (3, 10):
+        # truststore requires Python 3.10
+        return
+
+    import truststore
+
+    truststore.inject_into_ssl()
+
+
 def main(args: Optional[List[str]] = None) -> Any:
     """
     Wrapper around cli.main() to handle the GITGUARDIAN_CRASH_LOG variable.
@@ -196,6 +207,7 @@ def main(args: Optional[List[str]] = None) -> Any:
         ui.set_ui(RichGGShieldUI())
 
     force_utf8_output()
+    setup_truststore()
 
     show_crash_log = getenv_bool("GITGUARDIAN_CRASH_LOG")
     return cli.main(args, prog_name="ggshield", standalone_mode=not show_crash_log)
diff --git a/pdm.lock b/pdm.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -49,6 +49,7 @@ dependencies = [
     "rich~=12.5.1",
     "typing-extensions~=4.12.2",
     "urllib3~=2.2.2",
+    "truststore>=0.10.1; python_version >= \"3.10\"",
 ]
 
 [project.urls]

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+### Added`
	`2`	`+`
	`3`	`+- ggshield now uses the system certificates instead of the bundled ones. Note that this only works with Python >= 3.10 (#1067).`