From 525e162a3dd7f49630745178c9cd83422cd8e025 Mon Sep 17 00:00:00 2001
From: Andreas Motl <andreas.motl@crate.io>
Date: Thu, 29 Sep 2022 17:19:30 +0200
Subject: [PATCH] CI: Install Root CA certificates to satisfy Python 3.11 on
 macOS

References:

- https://stackoverflow.com/a/44649450
- https://github.com/Unbabel/COMET/issues/29#issuecomment-945601519
- https://github.com/python/cpython/blob/main/Mac/BuildScript/resources/install_certificates.command

Root cause::

  Error: Error downloading extends for URL https://cdn.crate.io/downloads/releases/cratedb/x64_mac/crate-5.0.1.tar.gz:
  <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)>
---
 .github/workflows/nightly.yml |  3 ++
 .github/workflows/tests.yml   |  3 ++
 devtools/install_certifi.py   | 53 +++++++++++++++++++++++++++++++++++
 3 files changed, 59 insertions(+)
 create mode 100755 devtools/install_certifi.py

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index d26f73536..02a41e5a6 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -37,6 +37,9 @@ jobs:
       - name: Invoke tests
         run: |
 
+          # Install Root CA certificates
+          sudo ./devtools/install_certifi.py
+
           # Bootstrap environment.
           source bootstrap.sh
 
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index be5707e30..b8abb817c 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -38,6 +38,9 @@ jobs:
       - name: Invoke tests
         run: |
 
+          # Install Root CA certificates
+          sudo ./devtools/install_certifi.py
+
           # Bootstrap environment.
           source bootstrap.sh
 
diff --git a/devtools/install_certifi.py b/devtools/install_certifi.py
new file mode 100755
index 000000000..a0f9a5888
--- /dev/null
+++ b/devtools/install_certifi.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+
+# install_certifi.py
+#
+# sample script to install or update a set of default Root Certificates
+# for the ssl module.  Uses the certificates provided by the certifi package:
+#       https://pypi.python.org/pypi/certifi
+#
+# References:
+#
+# - https://stackoverflow.com/a/44649450
+# - https://github.com/Unbabel/COMET/issues/29#issuecomment-945601519
+# - https://github.com/python/cpython/blob/main/Mac/BuildScript/resources/install_certificates.command
+
+import os
+import os.path
+import ssl
+import stat
+import subprocess
+import sys
+
+STAT_0o775 = ( stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR
+             | stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP
+             | stat.S_IROTH |                stat.S_IXOTH )
+
+
+def main():
+    openssl_dir, openssl_cafile = os.path.split(
+        ssl.get_default_verify_paths().openssl_cafile)
+
+    print(" -- pip install --upgrade certifi")
+    subprocess.check_call([sys.executable,
+        "-E", "-s", "-m", "pip", "install", "--upgrade", "certifi"])
+
+    import certifi
+
+    # change working directory to the default SSL directory
+    os.chdir(openssl_dir)
+    relpath_to_certifi_cafile = os.path.relpath(certifi.where())
+    print(" -- removing any existing file or link")
+    try:
+        os.remove(openssl_cafile)
+    except FileNotFoundError:
+        pass
+    print(" -- creating symlink to certifi certificate bundle")
+    os.symlink(relpath_to_certifi_cafile, openssl_cafile)
+    print(" -- setting permissions")
+    os.chmod(openssl_cafile, STAT_0o775)
+    print(" -- update complete")
+
+
+if __name__ == '__main__':
+    main()