
Add truststore support to use system certificate store #9249

Open
nullSoup opened this issue Mar 29, 2024 · 3 comments
Labels
kind/feature Feature requests/implementations status/triage This issue needs to be triaged

Comments

@nullSoup

nullSoup commented Mar 29, 2024

Issue Kind

Brand new capability

Description

Poetry should have the option or default to pulling certificates from the system certificate store like pip now does with use-feature=truststore. Without this, Poetry is extremely difficult to use in corporate environments with IT systems where TLS inspection breaks the use of the default certificates.

This was already mentioned by @Secrus in https://github.com/orgs/python-poetry/discussions/8729 as in his plans, but I wanted to raise the idea’s profile by making a formal Feature Request after spending half a day struggling with the problem.

Impact

Adding this would make Poetry go from essentially broken behind corporate IT systems to just working for these users.

Workarounds

It is possible to deactivate certificate verification at the cost of an extra project setup step, nasty warnings, and confused users. Also, theoretically, a manual cert file can be exported and referenced with the REQUESTS_CA_BUNDLE environment variable. Both solutions are costly and painful. Native Python ssl already defaults to using the system certificate store, and most users would benefit by having something that just works.

@nullSoup nullSoup added kind/feature Feature requests/implementations status/triage This issue needs to be triaged labels Mar 29, 2024
@dimbleby
Contributor

... a formal Feature Request ...

It is possible you misunderstand how things get done in poetry. There is no committee evaluating feature requests and scheduling an army of developers to do work: things are implemented because someone who wants them shows up and implements them.

If that is you - be the change you want to see! - I expect a pull request would be welcome.

@Secrus
Member

Secrus commented Mar 30, 2024

This is still on my todo list, it's just a matter of priorities and other things having to be done before this could happen. Also a reminder that truststore is only available on Python 3.10+, so that feature would cover only 60% of our supported Python versions (which lowers the priority of that feature on my list).

@nullSoup
Author

Appreciate the response. Had no intention to act entitled about feature requests. I would contribute a PR if I had the skills, but unfortunately I couldn’t even figure out how to properly dump the correct certificates from my Windows system certificate store to take advantage of the REQUESTS_CA_STORE environment variable workaround, so coding the feature correctly is probably not something it makes sense to take on personally. I’m just an ordinary fan of the poetry tool for managing my dependencies who got caught with hours of confusion when IT quietly added TLS inspection causing everything to mysteriously break.

It’s a good point about truststore requiring Python 3.10+. I don’t have a technical understanding of why the best fix adopted by pip is this extra Python 3.10+ truststore package. I just figured that since the --use-feature=truststore solution was deployed (and worked for me) in pip, it would make sense in poetry as well.

Perhaps better documenting the recommended workaround is a more feasible short term goal? I can certainly write up the procedure to skip certificate verification for PyPI and files.pythonhosted.org. For the life of me, I cannot figure out how to dump all certificates on Windows to make the REQUESTS_CA_BUNDLE solution work, though this seems like the more correct approach.
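
The REQUESTS_CA_BUNDLE workaround discussed in this thread needs a PEM bundle exported from the Windows certificate store. The script below is an added example, not code from this thread or from Poetry: it uses only the standard library's ssl.enum_certificates() (Windows only) to read the ROOT and CA stores, keeps the X.509 entries trusted for server authentication, de-duplicates them, and writes one PEM file to point REQUESTS_CA_BUNDLE at. Function names and the output file name are my own choices.

```python
import ssl
import sys
from typing import Iterable, Tuple

# OID of id-kp-serverAuth; ssl.enum_certificates() reports an entry's trust
# either as True (trusted for every purpose) or as a set of such OID strings.
SERVER_AUTH_OID = ssl.Purpose.SERVER_AUTH.oid
CertEntry = Tuple[bytes, str, object]  # (der_bytes, encoding_type, trust)

def trusted_for_server_auth(trust) -> bool:
    """True when a store entry may be used to validate TLS server certificates."""
    if trust is True:
        return True
    return isinstance(trust, (set, frozenset)) and SERVER_AUTH_OID in trust

def build_pem_bundle(entries: Iterable[CertEntry]) -> str:
    """Turn DER store entries into one PEM bundle, keeping only X.509 entries
    trusted for server authentication and dropping duplicates."""
    seen = set()
    chunks = []
    for der, encoding, trust in entries:
        if encoding != "x509_asn":  # skip pkcs_7_asn blobs; not usable in a CA bundle
            continue
        if not trusted_for_server_auth(trust) or der in seen:
            continue
        seen.add(der)
        chunks.append(ssl.DER_cert_to_PEM_cert(der))  # base64 + PEM armour
    return "".join(chunks)

def windows_store_entries(stores=("ROOT", "CA")) -> Iterable[CertEntry]:
    """Yield entries from the Windows system stores (enum_certificates is Windows-only)."""
    if sys.platform != "win32":
        raise RuntimeError("ssl.enum_certificates() only exists on Windows")
    for store in stores:
        yield from ssl.enum_certificates(store)

def write_bundle(path: str, entries: Iterable[CertEntry]) -> int:
    """Write the bundle to `path`; returns the number of certificates written."""
    pem = build_pem_bundle(entries)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(pem)
    return pem.count("-----BEGIN CERTIFICATE-----")

if __name__ == "__main__":  # usage: python dump_store.py system-ca-bundle.pem
    out = sys.argv[1] if len(sys.argv) > 1 else "system-ca-bundle.pem"
    n = write_bundle(out, windows_store_entries())
    print(f"wrote {n} certificates to {out}; set REQUESTS_CA_BUNDLE to that path")
```

Run it with the Windows Python interpreter that holds the corporate inspection root, then set REQUESTS_CA_BUNDLE to the written file so requests-based tools verify against the same store the system uses, with no need to disable verification.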
