feat: use os truststore on linux systems

If the user is sending requests to a server with a TLS server certificate signed by a private CA (e.g. because the server is hosted on a company intranet), connections will fail unless the user is manually trusting the correcy CA certificate. Attempt to use the OS truststore, to not throw people into the PKI rabbithole, by symlinking to the certificate bundle in /etc/ssl or /etc/pki. Should work on Fedora, Arch Linux and Ubuntu. macOS stores its OS truststore in a keychain, not as a plain PEM on the filesystem, so it will probably not work. Fallback will be the Mozilla truststore provided by the certifi package.
Realiserad · Oct 16, 2024 · 5c6e375 · 5c6e375
1 parent 4007ec8
commit 5c6e375
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/conf.d/fish_ai.fish b/conf.d/fish_ai.fish
@@ -40,6 +40,7 @@ function _fish_ai_install --on-event fish_ai_install
     echo "🍬 Installing dependencies. This may take a few seconds..."
     ~/.fish-ai/bin/pip install -qq "$(get_installation_url)"
     python_version_check
+    symlink_truststore
     if ! test -f ~/.config/fish-ai.ini
         echo "🤗 You must create a configuration file before the plugin can be used!"
     end
@@ -57,6 +58,7 @@ function _fish_ai_update --on-event fish_ai_update
     echo "🍬 Upgrading dependencies. This may take a few seconds..."
     ~/.fish-ai/bin/pip install -qq --upgrade "$(get_installation_url)"
     python_version_check
+    symlink_truststore
 end
 
 function _fish_ai_uninstall --on-event fish_ai_uninstall
@@ -97,3 +99,13 @@ function python_version_check
         set_color normal
     end
 end
+
+function symlink_truststore --description "Use the bundle with CA certificates trusted by the OS."
+    if test -f /etc/ssl/certs/ca-certificates.crt
+        echo "🔑 Symlinking to certificates stored in /etc/ssl/certs/ca-certificates.crt."
+        ln -snf /etc/ssl/certs/ca-certificates.crt (~/.fish-ai/bin/python3 -c 'import certifi; print(certifi.where())')
+    else if test -f /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+        echo "🔑 Symlinking to certificates stored in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem."
+        ln -snf /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (~/.fish-ai/bin/python3 -c 'import certifi; print(certifi.where())')
+    end
+end
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "fish_ai"
-version = "0.12.0"
+version = "0.13.0"
 authors = [{ name = "Bastian Fredriksson", email = "realiserad@gmail.com" }]
 description = "Provides core functionality for fish-ai, an AI plugin for the fish shell."
 readme = "README.md"