Skip to content

Comments

feat(pypi): insecure tls#4067

Merged
tdejager merged 17 commits intoprefix-dev:mainfrom
jamesfricker:feat/pypi-insecure-fix
Nov 24, 2025
Merged

feat(pypi): insecure tls#4067
tdejager merged 17 commits intoprefix-dev:mainfrom
jamesfricker:feat/pypi-insecure-fix

Conversation

@jamesfricker
Copy link
Contributor

@jamesfricker jamesfricker commented Jul 2, 2025
edited
Loading

Closes #3359

@tdejager tdejager changed the title Feat/pypi insecure fix feat: pypi insecure tls Jul 8, 2025
@tdejager
Copy link
Contributor

tdejager commented Jul 8, 2025

Hey @jamesfricker, this is already looking pretty good. Are you planning on continuing with this?

@jamesfricker
Copy link
Contributor Author

jamesfricker commented Jul 9, 2025

Hey @jamesfricker, this is already looking pretty good. Are you planning on continuing with this?

Hey @tdejager, I'm currently not able to properly test the implementation where I was having this issue. I think what is here should fix it, but I'm not able to verify the build in my environment. @benmoss may be interested

@benmoss
Copy link
Contributor

benmoss commented Jul 9, 2025

This works for me! I pushed a repro here: https://github.com/benmoss/pixi-tls-pypi-repro

On pixi 0.49.0:

$ ./repro.sh
+ rm -rf pixi.lock pixi.toml
+ pixi init
✔ Created /private/tmp/repro/pixi.toml
+ export SSL_CERT_FILE=/private/tmp/repro/example.com.pem
+ SSL_CERT_FILE=/private/tmp/repro/example.com.pem
+ pixi add python --tls-no-verify
 WARN TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
✔ Added python >=3.13.5,<3.14
+ pixi add cowpy --pypi --tls-no-verify
 WARN TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
  ⠚ default:osx-arm64    [00:00:06] resolving pypi dependencies                                                                                             Error:   × failed to solve the pypi requirements of 'default' 'osx-arm64'
  ├─▶ failed to resolve pypi dependencies
  ├─▶ Failed to fetch: `https://pypi.org/simple/cowpy/`
  ├─▶ Request failed after 3 retries
  ├─▶ error sending request for url (https://pypi.org/simple/cowpy/)
  ├─▶ client error (Connect)
  ╰─▶ invalid peer certificate: UnknownIssuer

on a PR build:

 $ ./repro.sh
+ rm -rf pixi.lock pixi.toml
+ pixi init
✔ Created /private/tmp/repro/pixi.toml
+ export SSL_CERT_FILE=/private/tmp/repro/example.com.pem
+ SSL_CERT_FILE=/private/tmp/repro/example.com.pem
+ pixi add python --tls-no-verify
 WARN TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
✔ Added python >=3.13.5,<3.14
+ pixi add cowpy --pypi --tls-no-verify
 WARN TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
 WARN TLS verification is disabled for PyPI operations. This is insecure and should only be used for testing or internal networks.
 WARN TLS verification is disabled for PyPI operations. This is insecure and should only be used for testing or internal networks.
✔ Added cowpy >=1.1.5, <2
Added these as pypi-dependencies.

@jamesfricker jamesfricker marked this pull request as ready for review July 10, 2025 01:36
@lucascolley lucascolley added enhancement New features pypi Issue related to PyPI dependencies labels Jul 21, 2025
@lucascolley lucascolley marked this pull request as draft July 29, 2025 10:52
@lucascolley lucascolley changed the title feat: pypi insecure tls feat(pypi): insecure tls Sep 8, 2025
@jamesfricker jamesfricker marked this pull request as ready for review September 16, 2025 23:08
@jmsmdy
Copy link

jmsmdy commented Nov 12, 2025

@jamesfricker @tdejager It looks like this was ready for review 2 months ago, and now needs to have merge conflicts resolved.

@jamesfricker
Merge remote-tracking branch 'upstream/main' into feat/pypi-insecure-fix
23f9219 
# Conflicts:
#	Cargo.lock
#	crates/pixi_core/src/lock_file/resolve/pypi.rs
#	crates/pixi_install_pypi/src/lib.rs
#	crates/pixi_uv_context/src/lib.rs
@jamesfricker
Apply Lefthook formatting fixes
85099b1
@jamesfricker
Fix format args in TLS tests
641c9ce
@jamesfricker
Copy link
Contributor Author

jamesfricker commented Nov 12, 2025

Yes @tdejager @jmsmdy this has been ready for some time now, still waiting for review...

@tdejager
Copy link
Contributor

tdejager commented Nov 19, 2025
edited
Loading

Oh sorry! It looks good to me, could we add some documentation for this though :)? There should be some global config options.

baszalmstra pushed a commit to baszalmstra/pixi that referenced this pull request Nov 21, 2025
@claude
docs: enhance tls-no-verify documentation for PyPI operations
7bd1785 
- Add comprehensive documentation for tls-no-verify configuration option
- Clarify that it affects both Conda and PyPI package operations
- Document common use cases (Windows cert issues, corporate networks, internal registries)
- Add configuration examples for global, local, and CLI usage
- Enhance pypi-config section to clarify allow-insecure-host vs tls-no-verify
- Add cross-references between related security options

This addresses the documentation request in PR prefix-dev#4067 for global
configuration options related to insecure TLS for PyPI operations.
@baszalmstra baszalmstra mentioned this pull request Nov 22, 2025
Closed
@tdejager
Copy link
Contributor

tdejager commented Nov 24, 2025

Ok finished up the PR:

  1. Removed, I think claude generated tests that made no sense :)
  2. Added some more documentation
  3. Also adds the download host to the trusted-hosts for the official PyPI index when --tls-no-verify is on.

I'll wait for CI and then I'll merge.

@tdejager tdejager merged commit f1e4b3e into prefix-dev:main Nov 24, 2025
41 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Dec 3, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tdejager tdejager tdejager approved these changes

Assignees

No one assigned

Labels

enhancement New features pypi Issue related to PyPI dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

cert error with --pypi install on windows

5 participants

@jamesfricker @tdejager @benmoss @jmsmdy @lucascolley