fix: Resolve ca-certificates installed in the local environment

jjerphan · jjerphan · commit 091170fac1d8 · 2025-11-24T17:13:06.000+01:00
Signed-off-by: Julien Jerphanion &lt;git@jjerphan.xyz&gt;
diff --git a/libmamba/src/download/downloader.cpp b/libmamba/src/download/downloader.cpp
@@ -8,6 +8,7 @@
 #include "mamba/core/invoke.hpp"
 #include "mamba/core/thread_utils.hpp"
 #include "mamba/core/util.hpp"
+#include "mamba/core/util_os.hpp"
 #include "mamba/core/util_scope.hpp"
 #include "mamba/download/downloader.hpp"
 #include "mamba/util/build.hpp"
@@ -84,19 +85,41 @@ namespace mamba::download
                 // from `conda-forge::ca-certificates` and the system CA certificates.
                 else if (remote_fetch_params.ssl_verify == "<system>")
                 {
-                    // Use the CA certificates from `conda-forge::ca-certificates` installed in the
-                    // root prefix or the system CA certificates if the certificate is not present.
-                    fs::u8path root_prefix = detail::get_root_prefix();
-                    fs::u8path env_prefix_conda_cert = root_prefix / "ssl" / "cacert.pem";
+                    fs::u8path libmamba_path = get_libmamba_path();
+                    // Find the supposed environment prefix of libmamba.
+                    // `libmamba` is installed at:
+                    //    - `${PREFIX}/lib/libmamba${SHLIB_EXT}`  on Unix
+                    //    - `${PREFIX}/Library/bin/libmamba$.dll` on Windows
+                    fs::u8path libmamba_env_prefix = fs::weakly_canonical(
+                        util::on_win ? libmamba_path.parent_path().parent_path().parent_path()
+                                     : libmamba_path.parent_path().parent_path()
+                    );
+                    fs::u8path env_prefix_conda_cert = libmamba_env_prefix / "ssl" / "cacert.pem";
 
-                    LOG_INFO << "Checking for CA certificates at the root prefix: "
+                    LOG_INFO << "Checking for CA certificates in the same environment as the libmamba installation: "
                              << env_prefix_conda_cert;
 
                     if (fs::exists(env_prefix_conda_cert))
                     {
-                        LOG_INFO << "Using CA certificates from `conda-forge::ca-certificates` installed in the root prefix "
+                        LOG_INFO << "Using CA certificates from the same prefix as the libmamba installation "
                                  << "(i.e " << env_prefix_conda_cert << ")";
                         remote_fetch_params.ssl_verify = env_prefix_conda_cert;
+                        return;
+                    }
+
+                    // Try to use the CA certificates from `conda-forge::ca-certificates` installed
+                    // in the root prefix.
+                    fs::u8path root_prefix = detail::get_root_prefix();
+                    fs::u8path root_prefix_conda_cert = root_prefix / "ssl" / "cacert.pem";
+
+                    LOG_INFO << "Checking for CA certificates at the root prefix: "
+                             << root_prefix_conda_cert;
+
+                    if (fs::exists(root_prefix_conda_cert))
+                    {
+                        LOG_INFO << "Using CA certificates from `conda-forge::ca-certificates` installed in the root prefix "
+                                 << "(i.e " << root_prefix_conda_cert << ")";
+                        remote_fetch_params.ssl_verify = root_prefix_conda_cert;
                         remote_fetch_params.curl_initialized = true;
                         return;
                     }
diff --git a/micromamba/tests/test_env.py b/micromamba/tests/test_env.py
@@ -525,3 +525,18 @@ def test_env_export_with_pip(tmp_path, json_flag):
     # Check that `requests` and `urllib3` (pulled dependency) are exported
     assert "requests==2.32.3" in pip_section_vals
     assert any(pkg.startswith("urllib3==") for pkg in pip_section_vals)
+
+
+def test_env_export_with_ca_certificates(tmp_path):
+    # CA certificates in the same environment as `libmamba` installation are used by default.
+    tmp_env_prefix = tmp_path / "env-export-with-ca-certificates"
+
+    helpers.create("-p", tmp_env_prefix, "ca-certificates", no_dry_run=True)
+
+    # Copy the `micromamba` executable in this prefix `bin` subdirectory
+    shutil.copy(helpers.get_umamba(), tmp_env_prefix / "bin" / "micromamba")
+
+    # Run a command using mamba in verbose mode and check that the logs contain the
+    # message "Using CA certificates from the same prefix as the libmamba installation"
+    output = helpers.umamba_run("-p", tmp_env_prefix, "micromamba", "search", "python", "-vvv")
+    assert "Using CA certificates from the same prefix as the libmamba installation" in output
