From 7a163dae4da86c57371b9037ce748b82931ba44f Mon Sep 17 00:00:00 2001 From: Nirbheek Chauhan Date: Sat, 2 Jul 2022 05:33:40 +0530 Subject: [PATCH] meson: Improve certifi documentation on macOS First, just installing certifi doesn't install the ca-cert in the right location. The `Install Certificates.command` script also symlinks the openssl cert.pem to the certifi ca cert file Second, we can make it more likely that users will notice this if we make it a warning. If we ever get a bug report about this despite these measures, we can try to make this an error. Part-of: --- README.md | 8 ++++---- meson.build | 14 ++++++++++++++ 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index c727de1db5..9d5d79bd99 100644 --- a/README.md +++ b/README.md @@ -54,14 +54,14 @@ binary in your PATH. You can find [instructions for Windows below](#windows-prerequisites-setup). -On macOS, you might need to execute "Install Certificates.command" from -the Python folder in the user Applications folder or install it manually: +On macOS, you might need to execute "Install Certificates.command" from the +Python folder in the user Applications folder: ``` - $ pip3 install certifi +$ /Applications/Python\ 3.*/Install\ Certificates.command ``` -It will solve this issue: +Otherwise you will get this error when downloading meson wraps: ``` urllib.error.URLError: urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed diff --git a/meson.build b/meson.build index 619341adb8..3967832f92 100644 --- a/meson.build +++ b/meson.build @@ -48,6 +48,20 @@ if build_system == 'windows' and meson.version().version_compare('<0.60.0') endif endif +# On macOS, you have to run "Install Certificates.command" otherwise Python +# doesn't have access to the latest SSL CA Certificates, and Meson will fail to +# download wrap files from websites that use, for example, Let's Encrypt. +# We already recommend this in the README, but add a warning here as well. +# Can't make this an error because the user might be using XCode's Python +# 3 which doesn't have this script. +if build_system == 'darwin' + python3_cacert_file = python3.get_path('data') / 'etc/openssl/cert.pem' + install_cert_cmd = '/Applications/Python @0@/Install Certificates.command'.format(python3.language_version()) + if not fs.is_symlink(python3_cacert_file) and fs.is_file(install_cert_cmd) + warning('Please run "@0@" so that Python has access to the latest SSL certificates. Meson might fail to download some wraps without it.'.format(install_cert_cmd)) + endif +endif + documented_projects = '' # Make it possible to use msys2 built zlib which fails # when not using the mingw toolchain as it uses unistd.h