Bug 1582726 - use cafile from certifi when available r=dustin a=bustage-fix
authorRob Thijssen <rthijssen@mozilla.com>
Thu, 26 Sep 2019 09:17:15 +0000
changeset 451329 4781f272d58a908e3df3143713feb57d2dbd1e90
parent 451328 c3926dab0f2c8e858417020092e64f5e88fe57cd
child 451330 895c3febaf063643a265e0d2e670beb8890a402b
child 451335 5ed158a795f6468f0d83541040cdd07c96faee9b
push id507
push useraiakab@mozilla.com
push dateTue, 01 Oct 2019 15:23:41 +0000
treeherdermozilla-esr60@4781f272d58a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdustin, bustage-fix
Bug 1582726 - use cafile from certifi when available r=dustin a=bustage-fix python's `urllib.request.urlopen(url)` can fail when a system doesn't know how to verify a ca certificate. this patch makes use of the cafile provided by the `certifi` module, if/when it is installed, to verify certificates. Differential Revision: https://phabricator.services.mozilla.com/D47044
--- a/taskcluster/scripts/misc/fetch-content
+++ b/taskcluster/scripts/misc/fetch-content
@@ -20,16 +20,21 @@ import tempfile
 import time
 import urllib.request
     import zstandard
 except ImportError:
     zstandard = None
+    import certifi
+except ImportError:
+    certifi = None
 CONCURRENCY = multiprocessing.cpu_count()
 def log(msg):
     print(msg, file=sys.stderr)
@@ -127,17 +132,17 @@ def stream_download(url, sha256=None, si
     on after the generator is exhausted without raising.
     log('Downloading %s' % url)
     h = hashlib.sha256()
     length = 0
     t0 = time.time()
-    with urllib.request.urlopen(url) as fh:
+    with urllib.request.urlopen(url, cafile=certifi.where()) if certifi else urllib.request.urlopen(url) as fh:
         if not url.endswith('.gz') and fh.info().get('Content-Encoding') == 'gzip':
             fh = gzip.GzipFile(fileobj=fh)
         while True:
             chunk = fh.read(65536)
             if not chunk: