From b8791867278b0c6fb33ec3f574acca3b0c2e0d20 Mon Sep 17 00:00:00 2001
From: Gregory James Comer <gjcomer@meta.com>
Date: Thu, 10 Apr 2025 19:19:22 -0700
Subject: [PATCH] Use certifi certs for buck download

---
 tools/cmake/resolve_buck.py | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)

diff --git a/tools/cmake/resolve_buck.py b/tools/cmake/resolve_buck.py
index 6da0a81b6de..cd83dac76e0 100644
--- a/tools/cmake/resolve_buck.py
+++ b/tools/cmake/resolve_buck.py
@@ -9,6 +9,7 @@
 import argparse
 import os
 import platform
+import ssl
 import stat
 import sys
 import urllib.request
@@ -18,6 +19,7 @@
 from typing import Sequence, Union
 
 import buck_util
+import certifi
 import zstd
 
 """
@@ -201,26 +203,23 @@ def resolve_buck2(args: argparse.Namespace) -> Union[str, int]:
             if os.path.isfile(buck2_local_path):
                 return buck2_local_path
 
-            buck2_archive_url = f"https://github.com/facebook/buck2/releases/download/{target_buck_version}/{buck_info.archive_name}"
+        buck2_archive_url = f"https://github.com/facebook/buck2/releases/download/{target_buck_version}/{buck_info.archive_name}"
 
-            try:
-                print(f"Downloading buck2 from {buck2_archive_url}...", file=sys.stderr)
-                archive_file, _ = urllib.request.urlretrieve(buck2_archive_url)
+        print(f"Downloading buck2 from {buck2_archive_url}...", file=sys.stderr)
+        ssl_context = ssl.create_default_context(cafile=certifi.where())
 
-                # Extract and chmod.
-                with open(archive_file, "rb") as f:
-                    data = f.read()
-                    decompressed_bytes = zstd.decompress(data)
+        with urllib.request.urlopen(buck2_archive_url, context=ssl_context) as request:
+            # Extract and chmod.
+            data = request.read()
+            decompressed_bytes = zstd.decompress(data)
 
-                with open(buck2_local_path, "wb") as f:
-                    f.write(decompressed_bytes)
+            with open(buck2_local_path, "wb") as f:
+                f.write(decompressed_bytes)
 
-                file_stat = os.stat(buck2_local_path)
-                os.chmod(buck2_local_path, file_stat.st_mode | stat.S_IEXEC)
-            finally:
-                os.remove(archive_file)
+        file_stat = os.stat(buck2_local_path)
+        os.chmod(buck2_local_path, file_stat.st_mode | stat.S_IEXEC)
 
-            return buck2_local_path
+    return buck2_local_path
 
 
 def main():