-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use the 'SecTrustEvaluate' API for macOS 10.13 and earlier #157
Conversation
Co-authored-by: =?UTF-8?q?Ren=C3=A9=20Dudfield?= <renesd@gmail.com>
ed7756c
to
61f7830
Compare
147266f
to
45aaa05
Compare
Failures are the same as on main (which I need to look at too, looks like aiohttp may have changed?) |
@illume Are you able to review this implementation and test it on your machine? |
Security.SecTrustEvaluate(sec_trust_ref, ctypes.byref(sec_trust_result_type)) | ||
|
||
try: | ||
sec_trust_result_type_as_int = int(sec_trust_result_type.value) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good. If there was a link in #156 to here, that would have saved me some time to find this. See my comments there (and maybe close that PR if you have a superseding one).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested your changes on macOS 10.12 by copying the _macos.py
from this changeset over the dysfunctional one bundled with pip 24.2, that made pip work again!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested your changes on macOS 10.12 by copying the _macos.py from this changeset over the dysfunctional one bundled with pip 24.2, that made pip work again!
@ThomasWaldmann awesome, thank you! Could you also run the test suite on your machine? That would help me immensely. |
@sethmlarson guess I could do that. but there are failures even on current macOS (see CI). shall I just post the test log output here? |
Strange, now I needed this to have it not immediately crash:
I also improved the ImportError msg to be more helpful. |
Log output after the change mentioned above (macOS 10.12 Intel):
|
BTW, I had difficulties running this with nox as it always pulled in a broken pip again. This fix should really go into next pip release to fix these pains (all was fine until pip 24.2). Also it needs to get bundled into the recent python releases that bundled the broken pip 24.2. |
src/truststore/_macos.py
Outdated
0: "Invalid trust result type", | ||
# 1: "Trust evaluation succeeded", | ||
2: "Trust was explicitly denied", | ||
3: "Fatal trust failure occurred", | ||
# 4: "Trust result is unspecified (but trusted)", | ||
5: "Recoverable trust failure occurred", | ||
6: "Unknown error occurred", | ||
7: "User confirmation required", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Difficult to find something about these numerical codes.
https://opensource.apple.com/source/Security/Security-55471/sec/Security/SecTrust.h.auto.html says
typedef uint32_t SecTrustResultType;
enum {
kSecTrustResultInvalid = 0,
kSecTrustResultProceed = 1,
kSecTrustResultConfirm SEC_DEPRECATED_ATTRIBUTE = 2,
kSecTrustResultDeny = 3,
kSecTrustResultUnspecified = 4,
kSecTrustResultRecoverableTrustFailure = 5,
kSecTrustResultFatalTrustFailure = 6,
kSecTrustResultOtherError = 7
};
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this, it's quite frustrating that these values aren't documented in Apple's own API documentation.
BTW, I tried to install brew pulls in Then I tried to |
Can brew be told to use a system-installed Go? If so you should still be able to download the Go 1.16 installer (expanding "Archived versions" at the bottom), or (if you're willing to do some bootstrapping) build a local one from source into your $HOME. |
@andlabs brew won't discover/use a system-installed Go, it will just keep trying to pull in the one from the dependencies of mkcert brew package. But your hint was helpful. I installed 1.16.x pkg from the Go site and did a manual install of |
@sethmlarson Updated test output (now including the tests needing mkcert): The code still was using the patch mentioned above: #157 (comment) |
Thanks much @ThomasWaldmann for fixing the |
@sethmlarson Did you check #157 (comment) ? Without that, I could not run the tests because the imports already failed. |
Thanks @ThomasWaldmann, I didn't see that patch. Does everything look good now? |
@sethmlarson Looks good (tested on macOS 10.12 64bit):
I didn't investigate the test fails, guess you'll know better. :-) |
Hey folks. Awesome work, and thanks a lot for fixing this. 🎉 There's at least one classroom full of donated old macs that will appreciate this. |
Closes #119. This uses the patch provided by @illume as a baseline.