sslutil: guard against broken certifi installations (issue5406) stable
authorGábor Stefanik <gabor.stefanik@nng.com>
Wed, 19 Oct 2016 18:06:14 +0200
branchstable
changeset 30228 b9f7b0c10027
parent 30227 5ee944b9c750
child 30229 69ffbbe73dd0
sslutil: guard against broken certifi installations (issue5406) Certifi is currently incompatible with py2exe; the Python code for certifi gets included in library.zip, but not the cacert.pem file - and even if it were included, SSLContext can't load a cacert.pem file from library.zip. This currently makes it impossible to build a standalone Windows version of Mercurial. Guard against this, and possibly other situations where a module with the name "certifi" exists, but is not usable.
mercurial/sslutil.py
--- a/mercurial/sslutil.py	Tue Oct 25 18:56:27 2016 +0200
+++ b/mercurial/sslutil.py	Wed Oct 19 18:06:14 2016 +0200
@@ -690,14 +690,15 @@
     We don't print a message when the Python is able to load default
     CA certs because this scenario is detected at socket connect time.
     """
-    # The "certifi" Python package provides certificates. If it is installed,
-    # assume the user intends it to be used and use it.
+    # The "certifi" Python package provides certificates. If it is installed
+    # and usable, assume the user intends it to be used and use it.
     try:
         import certifi
         certs = certifi.where()
-        ui.debug('using ca certificates from certifi\n')
-        return certs
-    except ImportError:
+        if os.path.exists(certs):
+            ui.debug('using ca certificates from certifi\n')
+            return certs
+    except (ImportError, AttributeError):
         pass
 
     # On Windows, only the modern ssl module is capable of loading the system