feat(pypi): insecure tls

Open jamesfricker opened this issue 6 months ago • 5 comments

Closes https://github.com/prefix-dev/pixi/issues/3359

jamesfricker avatar Jul 02 '25 05:07 jamesfricker

Hey @jamesfricker, this is already looking pretty good. Are you planning on continuing with this?

tdejager avatar Jul 08 '25 14:07 tdejager

Hey @jamesfricker, this is already looking pretty good. Are you planning on continuing with this?

Hey @tdejager, I'm currently not able to properly test the implementation where I was having this issue. I think what is here should fix it, but I'm not able to verify the build in my environment. @benmoss may be interested

jamesfricker avatar Jul 09 '25 02:07 jamesfricker

This works for me! I pushed a repro here: https://github.com/benmoss/pixi-tls-pypi-repro

On pixi 0.49.0:

$ ./repro.sh
+ rm -rf pixi.lock pixi.toml
+ pixi init
✔ Created /private/tmp/repro/pixi.toml
+ export SSL_CERT_FILE=/private/tmp/repro/example.com.pem
+ SSL_CERT_FILE=/private/tmp/repro/example.com.pem
+ pixi add python --tls-no-verify
 WARN TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
✔ Added python >=3.13.5,<3.14
+ pixi add cowpy --pypi --tls-no-verify
 WARN TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
  ⠚ default:osx-arm64    [00:00:06] resolving pypi dependencies
Error:   × failed to solve the pypi requirements of 'default' 'osx-arm64'
  ├─▶ failed to resolve pypi dependencies
  ├─▶ Failed to fetch: `https://pypi.org/simple/cowpy/`
  ├─▶ Request failed after 3 retries
  ├─▶ error sending request for url (https://pypi.org/simple/cowpy/)
  ├─▶ client error (Connect)
  ╰─▶ invalid peer certificate: UnknownIssuer

on a PR build:

 $ ./repro.sh
+ rm -rf pixi.lock pixi.toml
+ pixi init
✔ Created /private/tmp/repro/pixi.toml
+ export SSL_CERT_FILE=/private/tmp/repro/example.com.pem
+ SSL_CERT_FILE=/private/tmp/repro/example.com.pem
+ pixi add python --tls-no-verify
 WARN TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
✔ Added python >=3.13.5,<3.14
+ pixi add cowpy --pypi --tls-no-verify
 WARN TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
 WARN TLS verification is disabled for PyPI operations. This is insecure and should only be used for testing or internal networks.
 WARN TLS verification is disabled for PyPI operations. This is insecure and should only be used for testing or internal networks.
✔ Added cowpy >=1.1.5, <2
Added these as pypi-dependencies.

benmoss avatar Jul 09 '25 18:07 benmoss

@jamesfricker @tdejager It looks like this was ready for review 2 months ago, and now needs to have merge conflicts resolved.

jmsmdy avatar Nov 12 '25 04:11 jmsmdy

Yes @tdejager @jmsmdy this has been ready for some time now, still waiting for review...

jamesfricker avatar Nov 12 '25 07:11 jamesfricker

Oh sorry! It looks good to me, could we add some documentation for this though :)? There should be some global config options.

tdejager avatar Nov 19 '25 10:11 tdejager

Ok finished up the PR:

  1. Removed (I think Claude-generated) tests that made no sense :)
  2. Added some more documentation
  3. Also adds the download host to the trusted-hosts for the official PyPI index when --tls-no-verify is on.

I'll wait for CI and then I'll merge.

tdejager avatar Nov 24 '25 08:11 tdejager