sethmlarson / truststore

Verify certificates using OS trust stores
https://truststore.readthedocs.io
MIT License
151 stars 18 forks

Use truststore without code change #127

Closed bendem closed 8 months ago

bendem commented 8 months ago

I'm deploying scripts and applications which I don't have control of; using system trust should be the default for all those applications.

As a sysadmin, can I somehow force a python script to use truststore without modifying it?

davisagli commented 8 months ago

I appreciate this use case and agree it would be nice if there were a simple way to do it. The challenges are replacing the stdlib SSLContext in the correct modules (which is hard to do generally without knowing what libraries you want to target) and making sure that happens early enough (before members of those modules are imported anywhere else).

It might be possible to use the sitecustomize module or some .pth file hack to replace SSLContext in the ssl module early during Python startup. We intentionally don't do that in truststore itself, since some users would like to use it in a more targeted fashion.

sethmlarson commented 8 months ago

@bendem Another option would be to evaluate the pip-system-certs package, which doesn't have the full set of abilities that Truststore does but instead loads all system certificates at the time of install into certifi's bundle. This might work for your use case, but it doesn't have the ability to auto-update certificates like Truststore does.