`install-program` may fail due to dependency on `cacert.pem`

❔ What are you experiencing an issue with?

Development Issue

❔ Version

https://github.com/TheDcoder/install.doctor/tree/cert-path

🐞 Description

Assuming that #90 is merged, we have an issue where install-program may fail due to chezmoi not having downloaded the CA certificate bundle (.local/etc/ssl/curl/cacert.pem) from home/.chezmoiexternal.toml.tmpl.

I was able to replicate this during testing, here's the partial output from install-program which occurs in the ensurePackageManagerAnsible function:

$ pipx install ansible-core
creating virtual environment...
creating shared libraries...
upgrading shared libraries...
ERROR: Could not install packages due to an OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /home/john/.local/share/curl/cacert.pem

Failed to upgrade shared libraries
Traceback (most recent call last):
  File "/home/linuxbrew/.linuxbrew/Cellar/pipx/1.2.0/libexec/lib/python3.11/site-packages/pipx/shared_libs.py", line 113, in upgrade
    subprocess_post_check(upgrade_process)
  File "/home/linuxbrew/.linuxbrew/Cellar/pipx/1.2.0/libexec/lib/python3.11/site-packages/pipx/util.py", line 203, in subprocess_post_check
    raise PipxError(
pipx.util.PipxError: '/home/john/.local/pipx/shared/bin/python -m pip --disable-pip-version-check
install --force-reinstall -q --upgrade pip setuptools wheel' failed
installing ansible-core...
Fatal error from pip prevented installation. Full pip output in file:
    /home/john/.local/pipx/logs/cmd_2023-08-16_21.18.33_1_pip_errors.log

Some possibly relevant errors from pip install:
    ERROR: Could not install packages due to an OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /home/john/.local/share/curl/cacert.pem
Error installing ansible-core.

Error: creating virtual environment...
creating shared libraries...
upgrading shared libraries...
ERROR: Could not install packages due to an OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /home/john/.local/share/curl/cacert.pem

Failed to upgrade shared libraries
Traceback (most recent call last):
  File "/home/linuxbrew/.linuxbrew/Cellar/pipx/1.2.0/libexec/lib/python3.11/site-packages/pipx/shared_libs.py", line 113, in upgrade
    subprocess_post_check(upgrade_process)
  File "/home/linuxbrew/.linuxbrew/Cellar/pipx/1.2.0/libexec/lib/python3.11/site-packages/pipx/util.py", line 203, in subprocess_post_check
    raise PipxError(
pipx.util.PipxError: '/home/john/.local/pipx/shared/bin/python -m pip --disable-pip-version-check
install --force-reinstall -q --upgrade pip setuptools wheel' failed
installing ansible-core...
Fatal error from pip prevented installation. Full pip output in file:
    /home/john/.local/pipx/logs/cmd_2023-08-16_21.18.33_1_pip_errors.log

Some possibly relevant errors from pip install:
    ERROR: Could not install packages due to an OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /home/john/.local/share/curl/cacert.pem
Error installing ansible-core.
    at ensurePackageManagerAnsible (file:///home/john/.local/bin/install-program.mjs:857:10)
    exit code: 1

I went through chezmoi's reference and user guide but I couldn't find any useful info as to when the externals are exactly downloaded, my current guess is that it happens during or after the scripts are ran, which may require us to move the CA certs out of externals and use an alternate mechanism to download them in advance before the install script is ran.

⏺️ Steps To Reproduce

No response

📒 Relevant Log Output

No response

💡 Possible Solution

A possible solution is to download it in install-program itself if it doesn't exist already.

megabyte-labs / install.doctor