Open AtomBaf opened 1 year ago
I can confirm that I am affected by this bug too using pip 23.2.1
pip install --cert <my-ca-cert> git+https://<internal url to package A>.git
works only if package A does not have dependencies that also require the certificate.
If the package has a dependency, say install_requires = ["package_b @ git+https://<internal url to package B>.git"]
in pyproject.toml of package A, the pip subprocess installing package B will fail as the --cert option is not passed down to the subprocess.
I have the same problem with "--use-feature truststore". It does not propagate to subprocess.
+1
Temporary workaround (add variables key=value in front of each pip install command):
REQUESTS_CA_BUNDLE="$MY_EXTRA_INDEX" PIP_CERT="$MY_EXTRA_INDEX" CURL_CA_BUNDLE="$MY_EXTRA_INDEX" pip install ...
or in Dockerfile (add variables key=value between RUN and each pip install command):
RUN REQUESTS_CA_BUNDLE="$MY_EXTRA_INDEX" PIP_CERT="$MY_EXTRA_INDEX" CURL_CA_BUNDLE="$MY_EXTRA_INDEX" pip install ...
(undoubtedly optimizable via a .bashrc or an alias or an env file)
Source: https://pip.pypa.io/en/stable/topics/https-certificates/
The --cert option (and the corresponding PIP_CERT environment variable) allow users to specify a different certificate store/bundle for pip to use. It is also possible to use REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE environment variables.
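A wrapper for the environment-variable workaround above, as an added example that is not part of the thread or of pip. It checks that the bundle is a readable PEM file, sets the three variables only for the one invocation, and relies on child processes inheriting the environment. The names `ca_bundle_ok`, `pip_with_ca` and the `PIP_BIN` override are hypothetical.

```shell
#!/bin/sh
# Added example: scoped version of the PIP_CERT / REQUESTS_CA_BUNDLE /
# CURL_CA_BUNDLE workaround. Function names and PIP_BIN are assumptions.

# A usable bundle is a readable file holding at least one PEM certificate.
ca_bundle_ok() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Usage: pip_with_ca /path/to/ca.pem install <requirement>...
# The body runs in a subshell, so the exports never reach the calling shell.
pip_with_ca() (
    bundle=$1
    shift
    if ! ca_bundle_ok "$bundle"; then
        echo "pip_with_ca: not a readable PEM bundle: $bundle" >&2
        exit 2
    fi
    # Use an absolute path so it still resolves if a child process
    # runs from a different working directory.
    case $bundle in
        /*) ;;
        *) bundle=$PWD/$bundle ;;
    esac
    # Exported variables are inherited by every process pip spawns,
    # which is what a command-line option alone does not give you.
    export PIP_CERT="$bundle"
    export REQUESTS_CA_BUNDLE="$bundle"
    export CURL_CA_BUNDLE="$bundle"
    exec "${PIP_BIN:-pip}" "$@"
)
```

Failing early on a missing or empty bundle avoids a misleading CERTIFICATE_VERIFY_FAILED later in the dependency build.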
Description
From a corporate platform, I tried to install gym which would need some build dependencies to be installed.
pip install --no-cache-dir --index-url="$MY_INDEX" --extra-index-url="$MY_EXTRA_INDEX" --cert="$MY_CERT_PATH" gym
gym is then correctly downloaded, but the build dependencies are failing with a CERTIFICATE_VERIFY_FAILED
Expected behavior
I should not have a CERTIFICATE_VERIFY_FAILED error because the --cert is explicit in the command-line
pip version
22.2.2
Python version
3.8.12
OS
Rocky Linux 8
How to Reproduce
gym
pip install --no-cache-dir --index-url="$MY_INDEX" --extra-index-url="$MY_EXTRA_INDEX" --cert="$MY_CERT_PATH" gym
Output
Here is the output (with some redacted urls):