pip
When installing build dependencies, the `--cert` command line flag is not used in sub processes
Description
From a corporate platform, I tried to install gym which would need some build dependencies to be installed.
pip install --no-cache-dir --index-url="$MY_INDEX" --extra-index-url="$MY_EXTRA_INDEX" --cert="$MY_CERT_PATH" gym
gym is then correctly downloaded, but the build dependencies are failing with a CERTIFICATE_VERIFY_FAILED
Expected behavior
I should not have a CERTIFICATE_VERIFY_FAILED error because the --cert is explicit in the command-line
pip version
22.2.2
Python version
3.8.12
OS
Rocky Linux 8
How to Reproduce
- Set up a package repository with a custom self-signed SSL certificate (or 2 repositories, does
- Try to install gym
pip install --no-cache-dir --index-url="$MY_INDEX" --extra-index-url="$MY_EXTRA_INDEX" --cert="$MY_CERT_PATH" gym
Output
Here is the output (with some redacted urls):
Collecting gym
Downloading https://XXXXXXXXXXX/pypi/pypi/packages/packages/f1/67/ca925439eec51e1e6b5dab6c7412c367b7d9bc5c6c3fa9c8968146d80b8b/gym-0.26.1.tar.gz (719 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 719.9/719.9 kB 7.1 MB/s eta 0:00:00
Installing build dependencies: started
Installing build dependencies: finished with status 'error'
error: subprocess-exited-with-error
× pip subprocess to install build dependencies did not run successfully.
│ exit code: 1
╰─> [15 lines of output]
Looking in indexes: https://XXXXXXXXXXX/pypi/pypi/simple, https://YYYYYYYYY/pypi/simple
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)'))': .../pypi/pypi/simple/setuptools/
Code of Conduct
- [X] I agree to follow the PSF Code of Conduct.
I can confirm that I am affected by this bug too, using pip 23.2.1.
pip install --cert <my-ca-cert> git+https://<internal url to package A>.git works only if package A does not have dependencies that also require the certificate.
If the package has a dependency, say install_requires = ["package_b @ git+https://<internal url to package B>.git"] in pyproject.toml of package A, the pip subprocess installing package B will fail as the --cert option is not passed down to the subprocess.
I have the same problem with "--use-feature truststore". It does not propagate to subprocess.
+1
Temporary workaround (add variables key=value in front of each pip install command):
REQUESTS_CA_BUNDLE="$MY_CERT_PATH" PIP_CERT="$MY_CERT_PATH" CURL_CA_BUNDLE="$MY_CERT_PATH" pip install ...
or in Dockerfile (add variables key=value between RUN and each pip install command):
RUN REQUESTS_CA_BUNDLE="$MY_CERT_PATH" PIP_CERT="$MY_CERT_PATH" CURL_CA_BUNDLE="$MY_CERT_PATH" pip install ...
(undoubtedly optimizable via a .bashrc or an alias or an env file)
Source: https://pip.pypa.io/en/stable/topics/https-certificates/
The `--cert` option (and the corresponding `PIP_CERT` environment variable) allow users to specify a different certificate store/bundle for pip to use. It is also possible to use `REQUESTS_CA_BUNDLE` or `CURL_CA_BUNDLE` environment variables.
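A small model of the behaviour reported in this thread and of the environment-variable workaround, added here as an example; it is not pip's code and not code from any commenter. The names `ca_env`, `nested_view`, `INNER` and `OUTER` are hypothetical, and the two child interpreters stand in for pip and its build-dependency subprocess: the flag given to the outer process never reaches the inner one, while the exported CA variables do.

```python
import json
import os
import subprocess
import sys

# Variable names from the pip documentation quoted in the comment above.
CA_VARS = ("PIP_CERT", "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")

def ca_env(cert_path, base_env=None):
    """Copy the environment and point all three CA variables at cert_path.

    Refuses a URL (for example an index URL put in the variable by mistake)
    and any file that carries no PEM certificate marker.
    """
    if "://" in cert_path:
        raise ValueError(f"expected a file path, got a URL: {cert_path}")
    with open(cert_path, "r", errors="replace") as fh:  # raises if missing
        if "-----BEGIN CERTIFICATE-----" not in fh.read():
            raise ValueError(f"no PEM certificate found in {cert_path}")
    env = dict(os.environ if base_env is None else base_env)
    for name in CA_VARS:
        env[name] = os.path.abspath(cert_path)
    return env

# Simplified stand-in for the nested install (an assumption for illustration):
# OUTER starts INNER without forwarding its own command-line flags.
INNER = ("import json, os, sys; print(json.dumps("
         "{'argv': sys.argv[1:], 'PIP_CERT': os.environ.get('PIP_CERT')}))")
OUTER = ("import subprocess, sys; "
         "subprocess.run([sys.executable, '-c', sys.argv[1]], check=True)")

def nested_view(flags, env):
    """Run OUTER with flags and env; return what INNER actually received."""
    proc = subprocess.run([sys.executable, "-c", OUTER, INNER, *flags],
                          env=env, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

if __name__ == "__main__":
    import tempfile
    # Constructed placeholder file; only its PEM marker is inspected here.
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
        fh.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n"
                 "-----END CERTIFICATE-----\n")
    bare = {k: v for k, v in os.environ.items() if k not in CA_VARS}
    print("flag only:", nested_view(["--cert", fh.name], bare))
    print("env vars: ", nested_view(["--cert", fh.name], ca_env(fh.name)))
    os.unlink(fh.name)
```

The marker check only catches a wrong value early; it does not validate the certificate chain, which still happens when pip opens the TLS connection.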