Install truststore and certifi modules with pip #12652

Open
greatvovan opened this issue Apr 25, 2024 · 3 comments
Labels
type: feature request Request for a new feature

greatvovan commented Apr 25, 2024

Update

truststore is already bundled with pip starting with v23.3 (thanks ichard26), which is higher than the version described in the request.
It seems like only the documentation needs to be updated, as it confusingly mentions version 22.2.

Certifi is also bundled with pip.

What's the problem this feature will solve?

In my company there is a practice of decrypting SSL traffic, which is achieved by means of installing the company's CA certificate on user machines, where it serves as the new root for the decrypted traffic.

The pip documentation honestly says it does not use the system's certificate store and uses the curated collection from certifi.

As advertised in the documentation, `--use-feature=truststore` is supposed to fix the certificate validation problem when the proper root certificate is installed in the OS CA store. However, when tried in a fresh Python installation, the user gets the error:

```
# pip install --use-feature=truststore --upgrade pip
ERROR: To use the truststore feature, 'truststore' must be installed into pip's current environment.
```

The "When to use" section of the documentation suggests the following use case for this feature:

> You should try using system trust stores when there is a custom certificate chain configured for your system that pip isn’t aware of.

This is my case, and I have the company's root certificate in /etc/ssl/certs, but in order to use it, I need to install the truststore package first. Thus, it becomes a chicken-and-egg problem, as in order to use the feature I need to install the module, and the installation process depends on the module itself.

Same applies to certifi: I need to add a certificate into its collection in order to fix certificate validation for Python clients, but before that I need to install the module itself, which is not possible due to SSL validation error.

It is a minor problem on the developer's local machine, but becomes a bigger problem with Docker as this quest has to be passed in every new image.

Describe the solution you'd like

truststore and certifi are added by default (maybe as dependencies of pip), granted they play a special role in the Python ecosystem.

Alternative Solutions

Workarounds are clumsy and barely sustainable. In particular, I'd like the same image to be built successfully on my machine and in the CI pipeline, which run in different environments, and to minimize the code required to support both use cases. Now I need to run pip with the --cert parameter first before I can do further manipulations with pip and certifi.

Additional context

https://pip.pypa.io/en/stable/topics/https-certificates/

@ichard26
Member

Truststore has been vendored into pip since September of last year: 9ee4b8c. Since pip 23.3, you shouldn't need to install truststore in your environment to use the feature. What version of pip are you using in your company?

@greatvovan
Author

Thanks @ichard26, I just started to dig deeper and realized that it works in older Python images but not in mine.

We are using Python 3.10 (latest) images that come with pip 23.0.1, which is probably why I am experiencing these hurdles. The documentation, however, says:

> New in version 22.2: Experimental support, behind --use-feature=truststore.

So I was completely sure it must be present in my version. Is it a mistake in the documentation?

@ichard26
Member

The documentation is a bit confusing, indeed. While the truststore feature was added in 22.2, truststore was only vendored (i.e. added to the pip codebase so the end user doesn't need to install it) in 23.3. It's probably worth adding a note to the documentation clarifying that.
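
The version thresholds from this thread, turned into a bootstrap step for image builds. This is an added example, not part of the original issue or of pip's own code; `CORP_CA` is a hypothetical path to the company's root CA in PEM form, and the helper function names are made up for illustration.

```sh
#!/bin/sh
# Added example: choose pip's TLS option from the two thresholds stated in
# this thread (flag added in 22.2, truststore vendored into pip in 23.3).
# CORP_CA is a hypothetical path to the company's root CA (PEM).
CORP_CA="${CORP_CA:-/etc/ssl/certs/corp-root-ca.pem}"

# version_ge A B: succeed when A >= B, comparing major.minor numerically.
# Patch levels and pre-release suffixes (23.0.1, 24.1b1) are ignored.
version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%[!0-9]*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%[!0-9]*}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "${a_minor:-0}" -ge "${b_minor:-0}" ]
}

# pip_tls_args VERSION: print the option that works on that pip version
# without installing anything first.
pip_tls_args() {
    if version_ge "$1" 23.3; then
        # truststore is vendored: the OS trust store can be used directly.
        echo "--use-feature=truststore"
    else
        # 22.2 to 23.2 accept the flag but fail unless truststore is already
        # installed, so fall back to an explicit CA bundle.
        echo "--cert $CORP_CA"
    fi
}

# bootstrap_pip: upgrade an old pip once through --cert, after which every
# later call can rely on the system trust store.
bootstrap_pip() {
    ver=$(python -m pip --version | awk '{print $2}')
    if ! version_ge "$ver" 23.3; then
        python -m pip install --cert "$CORP_CA" --upgrade 'pip>=23.3'
    fi
    python -m pip install --use-feature=truststore "$@"
}

# Only touch the network when explicitly asked: ./bootstrap.sh run <pkgs>
if [ "${1:-}" = "run" ]; then
    shift
    bootstrap_pip "$@"
fi
```
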
