uv
`pip install --trusted-host` support
`pip install` has the `trusted-host` flag:
--trusted-host <hostname> Mark this host or host:port pair as trusted, even though it does not have valid or any HTTPS.
Seems like a nice-to-have for `uv pip install` to also support this flag.
Hi! Thanks for your feedback. Could you explain why this is valuable to you? Not saying we shouldn't have it, just want to learn more about use-cases.
Of course! I work on developing a PyPI-compatible repository that I'll occasionally run locally either without https or using self-signed certificates, in which case I need to supply the `--trusted-host` flag for the domain with our self-signed certs 😄. I'd also imagine that other users might occasionally need this for installing from internal PyPI mirrors, etc.
Sweet thanks! We ran into something like this in https://github.com/astral-sh/uv/pull/609 / https://github.com/astral-sh/uv/pull/615
This is a need I have to use with an internal mirror/index. I would love to see this implemented.
This is perhaps tangential to this exact issue, but we'd like to see better support for secure connections to registries with custom CAs too.
Right now we see `error trying to connect: invalid peer certificate: UnknownIssuer` errors connecting to an organisation pypi mirror with a custom CA installed to the system cert store. pip provides the ability to set `global.cert='/etc/ssl/certs/ca-certificates.crt'` for this use case.
Thanks @edwardpeek-crown ! I think we'll need to expose something like we explored in https://github.com/astral-sh/uv/pull/615
The method @edwardpeek-crown pointed to is the way we usually implement our local config, but trusted host would work for us. I would be happy to see either implementation to allow the use of an internal mirror/registry.
Hello, I have a similar need here. We're using an internal devpi repo with a certificate signed by an internal root CA. Those are trusted by my workstation's Windows certificate store but I'm still getting an `invalid peer certificate: UnknownIssuer` error. Uv is currently unusable for us without a way to trust a host or provide some kind of certificate store.
Thank you!
Coming from #1535 where I originally had a request for both `PIP_INDEX_URL` and `PIP_TRUSTED_HOST`.
Looks like setting the index via an environment variable is supported via `UV_INDEX_URL`.
So, related to this request for `--trusted-host`, it'd be great to also have it configurable via an environment variable - maybe `UV_TRUSTED_HOST`, which in my case I want to leverage with non-https URLs for the index, e.g. `UV_TRUSTED_HOST='127.0.0.1'`
Linking #1474 which solved a similar use case for us.
+1 for uv to support `trusted-host` flag.
+1. Waiting for this feature so we can use uv as the default in my work team.
+1. Seems like a superb tool, but we can't use it in our team without trusted-host support.
Please don't comment with +1s, just upvote the original post. We'd like to keep the issue focused on substantive discussion and updates on implementation for all those subscribed.
The next step here is a prototype of how we would accomplish this, i.e. `reqwest` supports allowing invalid certificates (https://github.com/seanmonstar/reqwest/issues/182#issuecomment-469997565) but I'm not sure how we can do that per host or request.
I'd also like to see examples of tools other than `pip` that expose a flag to allow invalid certificates.
E.g. Docker has a similar feature called `--insecure-registry=http://...` when pulling images.
--insecure-skip-tls-verify on kubectl
Hashicorp vault apparently also supports this with the environment variable VAULT_SKIP_VERIFY
Where I work, there is an internal PyPI mirror which is also used for uploading our internal PyPI packages. Unfortunately, IT has configured these hosts with "HTTP", so I have been providing both of the following args to our pip install commands: "--trusted-host" and "--extra-index-url".
Please add support for both, so that I can onboard to "uv". We are already using ruff, and it is blazing fast. I am very excited to use uv as well.
I believe that with http, if you remove the trusted-host and keep the extra-index-url, things should work fine. For me, the problem only arises on https with self signed certificates, which is common behind a corporate firewall.
but I'm not sure how we can do that per host or request.
You can check if the host is the same passed via `--trusted-host` and add the flag to reqwest. Also it is important to be explicit here instead of a catch-all command line argument to allow any certificate. It should be per host.
@inoa-jboliveira is there an API to do so per request? We use a shared client for all of the requests we make.
@zanieb From a quick search, I believe you can create an `impl ServerCertVerifier for CustomCertVerifier` where you check for a list of allowed hosts from the command line and skip the validation of the TLS certificate at that moment:
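```rust
// Sketch: `CustomCertVerifier` is a user-defined type implementing rustls's
// `ServerCertVerifier`; it is not defined here.
// Depending on the rustls version, the custom verifier is set behind
// `.dangerous()` on the builder.
let client_config = ClientConfig::builder()
    .with_custom_certificate_verifier(Arc::new(CustomCertVerifier {
        allowed_hosts: vec!["foo.com".into(), "bar.com".into()],
    }))
    .with_no_client_auth();
let client = Client::builder()
    .use_preconfigured_tls(client_config)
    .build()?;
```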
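The per-host scoping asked for in the comments above, as an added example that is not part of the original thread or uv's code: it parses `host` / `host:port` values the way the pip help text describes them and answers whether one specific request target was explicitly listed. The names `TrustedHost`, `parse_trusted_host` and `is_trusted` are hypothetical, and treating an entry without a port as matching any port is an assumption.

```rust
// Added illustration (not uv's code): decide per request target whether a
// `--trusted-host` entry applies, instead of relaxing TLS checks globally.
// All names are hypothetical.
#[derive(Debug)]
pub struct TrustedHost {
    host: String,      // lowercased; IPv6 literal stored without brackets
    port: Option<u16>, // None = entry matches any port (assumption)
}

/// Parse a `host` or `host:port` value; IPv6 literals must be bracketed.
pub fn parse_trusted_host(s: &str) -> Result<TrustedHost, String> {
    let s = s.trim();
    let (host, port) = if let Some(rest) = s.strip_prefix('[') {
        let (h, tail) = rest.split_once(']').ok_or("unclosed '[' in IPv6 literal")?;
        match tail.strip_prefix(':') {
            Some(p) => (h, Some(p)),
            None if tail.is_empty() => (h, None),
            None => return Err(format!("unexpected text after ']': {tail}")),
        }
    } else {
        match s.rsplit_once(':') {
            Some((h, _)) if h.contains(':') => return Err("extra ':' (scheme or bare IPv6)".into()),
            Some((h, p)) => (h, Some(p)),
            None => (s, None),
        }
    };
    if host.is_empty() || host.contains(|c: char| c == '/' || c == '*' || c.is_whitespace()) {
        return Err(format!("invalid host in {s:?}")); // no URLs, no wildcards
    }
    let port = match port {
        Some(p) => Some(p.parse::<u16>().map_err(|e| format!("bad port {p:?}: {e}"))?),
        None => None,
    };
    Ok(TrustedHost { host: host.to_ascii_lowercase(), port })
}

/// True only when the request's exact host (and port, if pinned) was listed.
pub fn is_trusted(list: &[TrustedHost], host: &str, port: u16) -> bool {
    let host = host.trim_start_matches('[').trim_end_matches(']').to_ascii_lowercase();
    list.iter().any(|t| t.host == host && t.port.map_or(true, |p| p == port))
}

fn main() {
    // Constructed sample values, not taken from any real configuration.
    let list: Vec<TrustedHost> =
        ["127.0.0.1", "[::1]:3141"].iter().map(|s| parse_trusted_host(s).unwrap()).collect();
    println!("pypi.org:443 trusted? {}", is_trusted(&list, "pypi.org", 443));
    println!("127.0.0.1:8080 trusted? {}", is_trusted(&list, "127.0.0.1", 8080));
}
```

A certificate verifier would consult `is_trusted` for the server name it is handed and fall back to normal validation for every other host.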
I am trying to use uv in a github workflow, and I am getting an error:
`urllib.error.HTTPError: HTTP Error 403: SSL is required`
Seems to be related to this issue. It seems that I need to use `--trusted-host` to solve my problem according to this stackoverflow response.
What is the current best workaround?
What is the current best workaround?
To still use pip instead of uv. Sadly this is the major blocker for us
I'd accept a pull request adding this.
+1
Unfortunately, I also need this feature - I'll try to add this in a PR.
This is also currently a blocking feature that we need at our company. We LOVE uv and use it for a ton of our docker builds, but we have private devpi servers that we launch for testing on CI and uv won't install from them sadly.
I would happily submit a PR, but I don't know rust :(