brew install CERTIFICATE_VERIFY_FAILED due to missing PIP_CERT #15764

Closed
3 tasks done
campbsb opened this issue Jul 26, 2023 · 6 comments
Labels
bug Reproducible Homebrew/brew bug outdated PR was locked due to age stale No recent activity

campbsb commented Jul 26, 2023

Summary

brew install fails to build formulae which do python pip installs when behind a corporate Secure Web Gateway (SWG).

The issue is documented on pypa/pip#5502 in that the user needs to specify their custom CA cert bundle using the PIP_CERT environment variable. So for a brew install to work, brew needs to pass through the PIP_CERT environment variable. This can be done by adding PIP_CERT to the list of ENV_VAR_NAMES starting in brew line 151.

brew doctor output

Your system is ready to brew.

Verification

  • My "brew doctor output" above says Your system is ready to brew. and am still able to reproduce my issue.
  • I ran brew update twice and am still able to reproduce my issue.
  • This issue's title and/or description do not reference a single formula e.g. brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

brew config output

HOMEBREW_VERSION: 4.1.1
ORIGIN: https://github.com/Homebrew/brew
HEAD: 3b3300546b5a4e40b74f4ee33cf225cca280defe
Last commit: 2 days ago
Core tap JSON: 26 Jul 12:30 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_EDITOR: vim
HOMEBREW_MAKE_JOBS: 10
Homebrew Ruby: 2.6.10 => /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby
CPU: 10-core 64-bit arm_firestorm_icestorm
Clang: 14.0.3 build 1403
Git: 2.39.2 => /Library/Developer/CommandLineTools/usr/bin/git
Curl: 7.88.1 => /usr/bin/curl
macOS: 13.4.1-arm64
CLT: 14.3.1.0.1.1683849156
Xcode: N/A
Rosetta 2: false


### What were you trying to do (and why)?

brew install i2cssh

### What happened (include all command output)?

Running brew update --auto-update...
==> Homebrew collects anonymous analytics.
Read the analytics documentation (and how to opt-out) here:
https://docs.brew.sh/Analytics
No analytics have been recorded yet (nor will be during this brew run).

==> Homebrew is run entirely by unpaid volunteers. Please consider donating:
https://github.com/Homebrew/brew#donations

==> Auto-updated Homebrew!
Updated 4 taps (shivammathur/php, wouterdebie/repo, homebrew/core and homebrew/cask).
==> New Formulae
killport prettierd
==> New Casks
4k-video-downloaderplus replay sfm

You have 1 outdated formula installed.

==> Fetching wouterdebie/repo/i2cssh
==> Downloading https://files.pythonhosted.org/packages/72/bd/fedc277e7351917b6c4e0ac751853a97af261278a4c7808babafa8ef2120/click-8.1.6.tar.gz
############################################################################################################################################# 100.0%
==> Downloading https://files.pythonhosted.org/packages/e7/b8/91054601a2e05fd9060cb1baf56be5b24145817b059e078669e1099529c7/click-option-group-0.5.6.
############################################################################################################################################# 100.0%
==> Downloading https://files.pythonhosted.org/packages/f5/8b/02049f33cbb3a15d414eaa9225480707f87575d54d61362e7e9a268dcc98/iterm2-2.6.tar.gz
Already downloaded: /Users/me/Library/Caches/Homebrew/downloads/a9c91a1c3e460a12fc7da482a9b85c0d9814e160929557496123e7075cdcaa28--iterm2-2.6.tar.gz
==> Downloading https://files.pythonhosted.org/packages/d3/1c/de86d82a5fc780feca36ef52c1231823bb3140266af8a04ed6286957aa6e/protobuf-4.23.4.tar.gz
############################################################################################################################################# 100.0%
==> Downloading https://files.pythonhosted.org/packages/cd/e5/af35f7ea75cf72f2cd079c95ee16797de7cd71f29ea7c68ae5ce7be1eda0/PyYAML-6.0.1.tar.gz
Already downloaded: /Users/me/Library/Caches/Homebrew/downloads/35b05ae90b86d5238c8d7ce43137b130cc5997abaf873afc436d369e875905cc--PyYAML-6.0.1.tar.gz
then
==> Downloading https://files.pythonhosted.org/packages/d8/3b/2ed38e52eed4cf277f9df5f0463a99199a04d9e29c9e227cfafa57bd3993/websockets-11.0.3.tar.gz
Already downloaded: /Users/me/Library/Caches/Homebrew/downloads/253d3c77a403dccd39b5098b9b1a70b2bcf569fb9a630d4fcc4461c347df56e5--websockets-11.0.3.tar.gz
==> Downloading https://files.pythonhosted.org/packages/35/53/c32b25e5c6a5bc8e9f1dcec762637f81795cea44f5cf95907738fdbe616b/i2cssh-0.0.20.tar.gz
############################################################################################################################################# 100.0%
==> Installing i2cssh from wouterdebie/repo
==> python3 -m venv --system-site-packages /opt/homebrew/Cellar/i2cssh/0.0.20/libexec
==> /opt/homebrew/Cellar/i2cssh/0.0.20/libexec/bin/pip install --verbose --no-deps --no-binary=:all: --ignore-installed --use-feature=no-binary-enab
==> /opt/homebrew/Cellar/i2cssh/0.0.20/libexec/bin/pip install --verbose --no-deps --no-binary=:all: --ignore-installed --use-feature=no-binary-enab
==> /opt/homebrew/Cellar/i2cssh/0.0.20/libexec/bin/pip install --verbose --no-deps --no-binary=:all: --ignore-installed --use-feature=no-binary-enab
==> /opt/homebrew/Cellar/i2cssh/0.0.20/libexec/bin/pip install --verbose --no-deps --no-binary=:all: --ignore-installed --use-feature=no-binary-enab
==> /opt/homebrew/Cellar/i2cssh/0.0.20/libexec/bin/pip install --verbose --no-deps --no-binary=:all: --ignore-installed --use-feature=no-binary-enab
Last 15 lines from /Users/me/Library/Logs/Homebrew/i2cssh/06.pip:
│ exit code: 1
╰─> See above for output.

note: This error originates from a subprocess, and is likely not a problem with pip.
full command: /opt/homebrew/Cellar/i2cssh/0.0.20/libexec/bin/python3.11 /opt/homebrew/Cellar/i2cssh/0.0.20/libexec/lib/python3.11/site-packages/pip/pip-runner.py install --ignore-installed --no-user --prefix /private/tmp/pip-build-env-qc5lncv4/overlay --no-warn-script-location --no-binary :all: --only-binary :none: -i https://pypi.org/simple -- setuptools wheel 'Cython<3.0'
cwd: [inherit]
Installing build dependencies: finished with status 'error'
error: subprocess-exited-with-error

× pip subprocess to install build dependencies did not run successfully.
│ exit code: 1
╰─> See above for output.

note: This error originates from a subprocess, and is likely not a problem with pip.
Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1002)'))) - skipping

If reporting this issue please do so at (not Homebrew/brew or Homebrew/homebrew-core):
https://github.com/wouterdebie/homebrew-repo/issues


### What did you expect to happen?

==> Fetching wouterdebie/repo/i2cssh
==> Downloading https://files.pythonhosted.org/packages/72/bd/fedc277e7351917b6c4e0ac751853a97af261278a4c7808babafa8ef2120/click-8.1.6.tar.gz
Already downloaded: /Users/me/Library/Caches/Homebrew/downloads/7a934994bbcf0fdca856be72b5739e734bfdffacceb0e880c5e080dfbee9c1c7--click-8.1.6.tar.gz
==> Downloading https://files.pythonhosted.org/packages/e7/b8/91054601a2e05fd9060cb1baf56be5b24145817b059e078669e1099529c7/click-option-group-0.5.6.
Already downloaded: /Users/me/Library/Caches/Homebrew/downloads/86459bdc188a8e9a55cf6d32fea90c7193fdfc130c2514943099cd39a8b38848--click-option-group-0.5.6.tar.gz
==> Downloading https://files.pythonhosted.org/packages/f5/8b/02049f33cbb3a15d414eaa9225480707f87575d54d61362e7e9a268dcc98/iterm2-2.6.tar.gz
Already downloaded: /Users/me/Library/Caches/Homebrew/downloads/a9c91a1c3e460a12fc7da482a9b85c0d9814e160929557496123e7075cdcaa28--iterm2-2.6.tar.gz
==> Downloading https://files.pythonhosted.org/packages/d3/1c/de86d82a5fc780feca36ef52c1231823bb3140266af8a04ed6286957aa6e/protobuf-4.23.4.tar.gz
Already downloaded: /Users/me/Library/Caches/Homebrew/downloads/85940cad89e2786476745b736876b79b1aa94876c1475238ff663f7b3650da1e--protobuf-4.23.4.tar.gz
==> Downloading https://files.pythonhosted.org/packages/cd/e5/af35f7ea75cf72f2cd079c95ee16797de7cd71f29ea7c68ae5ce7be1eda0/PyYAML-6.0.1.tar.gz
Already downloaded: /Users/me/Library/Caches/Homebrew/downloads/35b05ae90b86d5238c8d7ce43137b130cc5997abaf873afc436d369e875905cc--PyYAML-6.0.1.tar.gz
==> Downloading https://files.pythonhosted.org/packages/d8/3b/2ed38e52eed4cf277f9df5f0463a99199a04d9e29c9e227cfafa57bd3993/websockets-11.0.3.tar.gz
Already downloaded: /Users/me/Library/Caches/Homebrew/downloads/253d3c77a403dccd39b5098b9b1a70b2bcf569fb9a630d4fcc4461c347df56e5--websockets-11.0.3.tar.gz
==> Downloading https://files.pythonhosted.org/packages/35/53/c32b25e5c6a5bc8e9f1dcec762637f81795cea44f5cf95907738fdbe616b/i2cssh-0.0.20.tar.gz
Already downloaded: /Users/me/Library/Caches/Homebrew/downloads/127f6a62a4bf8b4b2c95477ce5d06ca399f9c8cc2e57c5a1ae04d8a604c28b35--i2cssh-0.0.20.tar.gz
==> Installing i2cssh from wouterdebie/repo
==> python3 -m venv --system-site-packages /opt/homebrew/Cellar/i2cssh/0.0.20/libexec
==> /opt/homebrew/Cellar/i2cssh/0.0.20/libexec/bin/pip install --verbose --no-deps --no-binary=:all: --ignore-installed --use-feature=no-binary-enab
==> /opt/homebrew/Cellar/i2cssh/0.0.20/libexec/bin/pip install --verbose --no-deps --no-binary=:all: --ignore-installed --use-feature=no-binary-enab
==> /opt/homebrew/Cellar/i2cssh/0.0.20/libexec/bin/pip install --verbose --no-deps --no-binary=:all: --ignore-installed --use-feature=no-binary-enab
==> /opt/homebrew/Cellar/i2cssh/0.0.20/libexec/bin/pip install --verbose --no-deps --no-binary=:all: --ignore-installed --use-feature=no-binary-enab
==> /opt/homebrew/Cellar/i2cssh/0.0.20/libexec/bin/pip install --verbose --no-deps --no-binary=:all: --ignore-installed --use-feature=no-binary-enab
==> /opt/homebrew/Cellar/i2cssh/0.0.20/libexec/bin/pip install --verbose --no-deps --no-binary=:all: --ignore-installed --use-feature=no-binary-enab
==> /opt/homebrew/Cellar/i2cssh/0.0.20/libexec/bin/pip install --verbose --no-deps --no-binary=:all: --ignore-installed --use-feature=no-binary-enab
🍺 /opt/homebrew/Cellar/i2cssh/0.0.20: 1,742 files, 23.4MB, built in 54 seconds
==> Running brew cleanup i2cssh...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see man brew).
Removing: /Users/me/Library/Caches/Homebrew/i2cssh--protobuf--4.23.1.tar.gz... (390.9KB)
Removing: /Users/me/Library/Caches/Homebrew/i2cssh--click--8.1.3.tar.gz... (323.4KB)
Removing: /Users/me/Library/Caches/Homebrew/i2cssh--0.0.18.tar.gz... (11.4KB)
Removing: /Users/me/Library/Caches/Homebrew/i2cssh--click-option-group--0.5.3.tar.gz... (10.5KB)


### Step-by-step reproduction instructions (by running `brew` commands)

To reproduce this fault:
1) You must be behind a corporate Secure Web Gateway (SWG) which replaces remote web site certificates with ones it signs, using a key not in common CA certificate lists
2) You must be attempting to do a Python pip install, where pip calls a sub-process to do the build

@campbsb campbsb added the bug Reproducible Homebrew/brew bug label Jul 26, 2023
@campbsb campbsb changed the title PIP_CERT missing from filtered ENV_VAR_NAMES brew install fails with CERTIFICATE_VERIFY_FAILED due to PIP_CERT missing from filtered ENV_VAR_NAMES Jul 26, 2023
@campbsb campbsb changed the title brew install fails with CERTIFICATE_VERIFY_FAILED due to PIP_CERT missing from filtered ENV_VAR_NAMES brew install fails with CERTIFICATE_VERIFY_FAILED due to missing PIP_CERT Jul 26, 2023
@campbsb campbsb changed the title brew install fails with CERTIFICATE_VERIFY_FAILED due to missing PIP_CERT brew install CERTIFICATE_VERIFY_FAILED due to missing PIP_CERT Jul 26, 2023
@MikeMcQuaid
Member

> This can be done by adding PIP_CERT to the list of ENV_VAR_NAMES starting in brew line 151.

We should not do this. If we do anything: it should be adding a new, documented HOMEBREW_PIP_CERT variable.

I'm wary of adding this at all because it feels like a potential MITM vector.

@campbsb
Author

campbsb commented Jul 29, 2023

Not sure how HOMEBREW_PIP_CERT mitigates that risk as the user would be using PIP_CERT for non-homebrew installs. But at least it would document the issue.

@MikeMcQuaid
Member

> as the user would be using PIP_CERT for non-homebrew installs.

Sure but our goal is to have a higher threshold than e.g. pip itself might.

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the stale No recent activity label Aug 22, 2023
@campbsb
Author

campbsb commented Aug 22, 2023

OK - HOMEBREW_PIP_CERT will save us from having to edit our homebrew code!

@github-actions github-actions bot removed the stale No recent activity label Aug 22, 2023
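
The two positions in this thread (an allowlist that drops `PIP_CERT`, and an explicit `HOMEBREW_PIP_CERT` opt-in) can be modelled in a short shell script. This is an added example, not Homebrew's code: `ALLOWED` is a shortened stand-in for `ENV_VAR_NAMES`, the `HOMEBREW_` passthrough is assumed, `HOMEBREW_PIP_CERT` is only the variable proposed above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: a model of allowlist environment filtering, not Homebrew's code.
# ALLOWED is a shortened stand-in for ENV_VAR_NAMES; the HOMEBREW_ passthrough is
# assumed; HOMEBREW_PIP_CERT is the variable proposed in the thread.
ALLOWED="HOME PATH TERM http_proxy https_proxy no_proxy"

# Print NAME=value for every exported variable that survives the filter.
filtered_env() {
  env | while IFS='=' read -r name value; do
    case " $ALLOWED " in
      *" $name "*) printf '%s=%s\n' "$name" "$value"; continue ;;
    esac
    case "$name" in
      HOMEBREW_*) printf '%s=%s\n' "$name" "$value" ;;
    esac
  done
}

# Print the bundle path and return 0 only if it is safe to trust for a build.
vet_ca_bundle() {
  bundle=$1
  case "$bundle" in
    /*) ;;
    *) echo "reject: not an absolute path" >&2; return 1 ;;
  esac
  # Symlinks are refused so the mode check below applies to the file itself.
  if [ ! -f "$bundle" ] || [ -L "$bundle" ]; then
    echo "reject: not a regular file" >&2; return 1
  fi
  # A group- or world-writable bundle lets another local account add a CA.
  if [ -n "$(find "$bundle" \( -perm -020 -o -perm -002 \) -print)" ]; then
    echo "reject: writable by group or others" >&2; return 1
  fi
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle"; then
    echo "reject: no PEM certificate found" >&2; return 1
  fi
  printf '%s\n' "$bundle"
}

# Environment a pip subprocess would see: the caller's PIP_CERT never passes,
# and PIP_CERT is set only from an explicit, vetted HOMEBREW_PIP_CERT.
build_env() {
  filtered_env
  if [ -n "${HOMEBREW_PIP_CERT:-}" ] && cert=$(vet_ca_bundle "$HOMEBREW_PIP_CERT"); then
    printf 'PIP_CERT=%s\n' "$cert"
  fi
}

build_env
```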
@github-actions

github-actions bot commented Oct 1, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the stale No recent activity label Oct 1, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Oct 9, 2023
@github-actions github-actions bot added the outdated PR was locked due to age label Nov 9, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 9, 2023