From 8094b3f6db071df8f13ca79203057dde4d759f11 Mon Sep 17 00:00:00 2001 From: Grzegorz Bokota Date: Sat, 10 Oct 2020 18:24:15 +0200 Subject: [PATCH] Update macOS SSL certificates (#447) Update macOS SSL certificates using latest `certifi` certificate bundle. Co-authored-by: Yannick Jadoul Co-authored-by: Matthieu Darbois --- cibuildwheel/macos.py | 9 ++-- cibuildwheel/resources/install_certifi.py | 52 +++++++++++++++++++++++ cibuildwheel/util.py | 1 + test/test_ssl.py | 9 ++-- 4 files changed, 63 insertions(+), 8 deletions(-) create mode 100644 cibuildwheel/resources/install_certifi.py diff --git a/cibuildwheel/macos.py b/cibuildwheel/macos.py index bcd5bc8f3..ba93f0e6a 100644 --- a/cibuildwheel/macos.py +++ b/cibuildwheel/macos.py @@ -11,7 +11,7 @@ from .environment import ParsedEnvironment from .util import (BuildOptions, BuildSelector, NonPlatformWheelError, download, get_build_verbosity_extra_flags, get_pip_script, - prepare_command) + prepare_command, install_certifi_script) def call(args: Union[str, Sequence[Union[str, PathLike]]], env: Optional[Dict[str, str]] = None, cwd: Optional[str] = None, shell: bool = False) -> int: @@ -72,6 +72,9 @@ def install_cpython(version: str, url: str) -> Path: # if this version of python isn't installed, get it from python.org and install python_package_identifier = f'org.python.Python.PythonFramework-{version}' + python_executable = 'python3' if version[0] == '3' else 'python' + installation_bin_path = Path(f'/Library/Frameworks/Python.framework/Versions/{version}/bin') + if python_package_identifier not in installed_system_packages: # download the pkg download(url, Path('/tmp/Python.pkg')) 
@@ -83,8 +86,8 @@ def install_cpython(version: str, url: str) -> Path: download(open_ssl_patch_url, Path('/tmp/python-patch.tar.gz')) call(['sudo', 'tar', '-C', f'/Library/Frameworks/Python.framework/Versions/{version}/', '-xmf', '/tmp/python-patch.tar.gz']) - installation_bin_path = Path(f'/Library/Frameworks/Python.framework/Versions/{version}/bin') - python_executable = 'python3' if version[0] == '3' else 'python' + call(["sudo", str(installation_bin_path/python_executable), str(install_certifi_script)]) + pip_executable = 'pip3' if version[0] == '3' else 'pip' make_symlinks(installation_bin_path, python_executable, pip_executable) diff --git a/cibuildwheel/resources/install_certifi.py b/cibuildwheel/resources/install_certifi.py new file mode 100644 index 000000000..8e87a5ec0 --- /dev/null +++ b/cibuildwheel/resources/install_certifi.py 
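Review bot: The added `call(["sudo", str(installation_bin_path/python_executable), str(install_certifi_script)])` runs the whole helper as root, and the helper's first action is an unpinned `pip install --upgrade certifi`, so whatever PyPI serves at build time is installed with root privileges and then becomes the interpreter's CA trust store. Pinning the release keeps that step reproducible and reviewable, e.g. `"-m", "pip", "install", "--upgrade", "certifi==<PINNED_VERSION>"` in install_certifi.py, ideally together with pip's `--require-hashes` and a requirements file. If root is only needed to write under `/Library/Frameworks/Python.framework` (inferred from the neighbouring `sudo tar` call), a one-line comment saying so would help. install_cpython starts and ends outside this hunk, and the collapsed layout hides whether the call sits inside the `if python_package_identifier not in installed_system_packages:` branch.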
@@ -0,0 +1,52 @@ +# Based on: https://github.com/python/cpython/blob/master/Mac/BuildScript/resources/install_certificates.command + +# install_certifi.py +# +# sample script to install or update a set of default Root Certificates +# for the ssl module. Uses the certificates provided by the certifi package: +# https://pypi.org/project/certifi/ + +import os +import os.path +import ssl +import stat +import subprocess +import sys + +STAT_0o775 = (stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR + | stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP + | stat.S_IROTH | stat.S_IXOTH) + +if sys.version_info[0] == 2: + FileNotFoundError = OSError + + +def main(): + openssl_dir, openssl_cafile = os.path.split( + ssl.get_default_verify_paths().openssl_cafile) + print(" -- pip install --upgrade certifi") + subprocess.check_call([sys.executable, + "-E", "-s", "-m", "pip", "install", "--upgrade", "certifi"]) + + import certifi + # change working directory to the default SSL directory + if sys.version_info[0:2] == (3, 5): + os.makedirs(openssl_dir, exist_ok=True, mode=0o775) + os.chdir(openssl_dir) + relpath_to_certifi_cafile = os.path.relpath(certifi.where()) + + print(" -- removing any existing file or link") + try: + os.remove(openssl_cafile) + except FileNotFoundError: + pass + print(" -- creating symlink to certifi certificate bundle") + os.symlink(relpath_to_certifi_cafile, openssl_cafile) + + print(" -- setting permissions") + os.chmod(openssl_cafile, STAT_0o775) + print(" -- update complete") + + +if __name__ == '__main__': + main() diff --git a/cibuildwheel/util.py b/cibuildwheel/util.py index 891f0f283..63a5ee0e6 100644 --- a/cibuildwheel/util.py +++ b/cibuildwheel/util.py @@ -127,6 +127,7 @@ class BuildOptions(NamedTuple): resources_dir = Path(__file__).resolve().parent / 'resources' get_pip_script = resources_dir / 'get-pip.py' +install_certifi_script = resources_dir / "install_certifi.py" class NonPlatformWheelError(Exception): 
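Review bot: `os.chmod(openssl_cafile, STAT_0o775)` runs after the symlink is created, and `os.chmod` follows symlinks by default, so the mode lands on certifi's bundle file and leaves the trust store group-writable and executable. A CA bundle only has to be readable; a mode such as `stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH` (0o644) keeps other group members from editing the roots that every TLS connection from this interpreter relies on. The header comment still calls this a "sample script"; a short docstring on `main()` stating that it replaces the interpreter's default `openssl_cafile` with a symlink to `certifi.where()` would document the side effect.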
diff --git a/test/test_ssl.py b/test/test_ssl.py index 4ade9bb84..45f514efa 100644 --- a/test/test_ssl.py +++ b/test/test_ssl.py @@ -13,11 +13,10 @@ else: from urllib.request import urlopen - if sys.version_info[0:2] == (3, 3): - data = urlopen("https://www.nist.gov") - else: - context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) - data = urlopen("https://www.nist.gov", context=context) + context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) + data = urlopen("https://www.nist.gov", context=context) + data = urlopen("https://raw.githubusercontent.com/joerick/cibuildwheel/master/CI.md", context=context) + data = urlopen("https://raw.githubusercontent.com/joerick/cibuildwheel/master/CI.md") ''') )
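Review bot: The requests that pass `context=context` do not exercise the new certificate bundle, because a context built with `ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)` defaults to `verify_mode = ssl.CERT_NONE` with hostname checking off. Only the final `urlopen(...)` without a context verifies the chain, and only on interpreters where `urlopen` verifies by default. A comment such as `# TLS 1.2 handshake only; certificate verification is covered by the context-less request below` would keep a later edit from deleting the one line that tests the certifi install. If the context-based requests are meant to verify as well, set `context.verify_mode = ssl.CERT_REQUIRED` and call `context.load_default_certs()`. The code sits inside a string literal that opens outside this hunk.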