New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
3.7.3rc1 Install Certificates fails on macOS #80521
Comments
I've just installed Python 3.7.3rc1 for macOS 10.9 or later from the macOS 64-bit installer. I've clicked the
I was able to run the same command from my regular shell (iTerm2, fish, $PATH addons, etc.) and that completed just fine and installed certifi==2019.3.9 Either there's just something wrong with my system (what?) or the initial experience for average user is broken (unlikely?)... |
More system info: My system site-packages for 3.7 now (after manual fix) contains ceritifi, pip (19.0.3), setuptools, pkg_resources, easy_install.py and README. |
At first glance, I'm not sure what happened here; we do try to make Install Certificates as bulletproof as possible. As you probably know, clicking on the file causes it to be opened with the macOS application that Launch Services determines is appropriate. By default, .command files are associated with Terminal.app (which can be verified by using the Finder's Get Info command on the .command file). Now apparently you have installed the fish shell (something Apple doesn't ship with macOS) and have changed Terminal.app's preferences or your user account to use fish as the default shell. The Install Certificates command is a shebang line that should cause it to be executed with the newly-installed Python and that seems to have happened. But then for some reason, the vendored urllib3 could not be imported correctly. If you were able to successfully run "Install Certificates.command" from a regular terminal window - without having reinstalled pip - that sounds like some sort of permissions problems which should not happen. Or some other sort of shell startup difference (although the script invokes python with -E to ignore PYTHON* env vars). Ah, but I now notice you say your normal terminal window is an iTerm2 one. So, if when double-clicking, the command file runs under Terminal.app but when you run in manually, it's under iTerm2, there *might* be some discrepancy there - I'm not sure what. One easy thing to try: now that certifi was successfully installed, what happens if you try rerunning the command by double-clicking it? Does it still fail in the same way? If so, it would be interesting to get more info on the environment the failing command is running in. Perhaps the easiest way to do that would be to make a copy of the command file and modify it to do: subprocess.check_call([sys.executable,
"-E", "-s", "-m", "test.pythoninfo"]) just prior to the check_call to install certifi. As it stands, I'm unable to reproduce the failure with a vanilla macOS system without intentionally modifying permissions etc. |
I've figured out what's going on: When Installer runs, it asks for user's su passwords, does a bunch of stuff, and then starts "Running package scripts". While it's "running scripts", towards the end of that process, with "about one minute remaining", the Finder window pops up. If "Install Certificates.command" is activated at that time, pip fails. However, if user waits for "running scripts" to complete, the pip succeeds. The "race" window is less than half a minute. Below are the examples of site packages listing during the race window:
I suspect that this is not a big deal in practice, because a new user would not know to run the command until instructed in the "installation completed" screen. Meanwhile, "experienced / trigger-happy" users probably know to run the command again :) P.S. I'm also wondering if it matters that installer asks for current user's su password and after a good installation, most content of site-packages is owned by root:admin, while certifi is owned by current user... For example |
Ah, thanks for the further analysis, that makes more sense! The current requirement to manually launch Install Certificates is obviously less than ideal so I think the best way to avoid the race condition here is to eliminate the manual step and have the certificates installed automatically. I've re-opened bpo-36344 to do that and am thus closing this issue as duplicate of it. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: