Skip to content

feat: pypi insecure tls #4067

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: main
Choose a base branch
from

Conversation

jamesfricker
Copy link

@jamesfricker jamesfricker commented Jul 2, 2025

Closes #3359

@tdejager tdejager changed the title Feat/pypi insecure fix feat: pypi insecure tls Jul 8, 2025
@tdejager
Copy link
Contributor

tdejager commented Jul 8, 2025

Hey @jamesfricker, this is already looking pretty good. Are you planning on continuing with this?

@jamesfricker
Copy link
Author

Hey @jamesfricker, this is already looking pretty good. Are you planning on continuing with this?

Hey @tdejager, I'm currently not able to properly test the implementation where I was having this issue. I think what is here should fix it, but I'm not able to verify the build in my environment. @benmoss may be interested

@benmoss
Copy link

benmoss commented Jul 9, 2025

This works for me! I pushed a repro here: https://github.com/benmoss/pixi-tls-pypi-repro

On pixi 0.49.0:

$ ./repro.sh
+ rm -rf pixi.lock pixi.toml
+ pixi init
✔ Created /private/tmp/repro/pixi.toml
+ export SSL_CERT_FILE=/private/tmp/repro/example.com.pem
+ SSL_CERT_FILE=/private/tmp/repro/example.com.pem
+ pixi add python --tls-no-verify
 WARN TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
✔ Added python >=3.13.5,<3.14
+ pixi add cowpy --pypi --tls-no-verify
 WARN TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
  ⠚ default:osx-arm64    [00:00:06] resolving pypi dependencies                                                                                             Error:   × failed to solve the pypi requirements of 'default' 'osx-arm64'
  ├─▶ failed to resolve pypi dependencies
  ├─▶ Failed to fetch: `https://pypi.org/simple/cowpy/`
  ├─▶ Request failed after 3 retries
  ├─▶ error sending request for url (https://pypi.org/simple/cowpy/)
  ├─▶ client error (Connect)
  ╰─▶ invalid peer certificate: UnknownIssuer

on a PR build:

 $ ./repro.sh
+ rm -rf pixi.lock pixi.toml
+ pixi init
✔ Created /private/tmp/repro/pixi.toml
+ export SSL_CERT_FILE=/private/tmp/repro/example.com.pem
+ SSL_CERT_FILE=/private/tmp/repro/example.com.pem
+ pixi add python --tls-no-verify
 WARN TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
✔ Added python >=3.13.5,<3.14
+ pixi add cowpy --pypi --tls-no-verify
 WARN TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
 WARN TLS verification is disabled for PyPI operations. This is insecure and should only be used for testing or internal networks.
 WARN TLS verification is disabled for PyPI operations. This is insecure and should only be used for testing or internal networks.
✔ Added cowpy >=1.1.5, <2
Added these as pypi-dependencies.

@jamesfricker jamesfricker marked this pull request as ready for review July 10, 2025 01:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

cert error with --pypi install on windows
3 participants