feature: add an option to use native system certificates stores inste…

…ad of bundled
qgis-deployment · Feb 28, 2024 · 4f913a5 · 4f913a5
1 parent d5bd09a
commit 4f913a5
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 0 deletions.
diff --git a/docs/usage/settings.md b/docs/usage/settings.md
@@ -24,6 +24,7 @@ Some others parameters can be set using environment variables.
 | `QDT_LOCAL_WORK_DIR` | Local folder where QDT download remote resources (profiles, plugins, etc.) | `~/.cache/qgis-deployment-toolbelt/default/` |
 | `QDT_LOGS_DIR` | Folder where QDT writes the log files, which are automatically rotated. | `~/.cache/qgis-deployment-toolbelt/logs/` |
 | `QDT_QGIS_EXE_PATH` | Path to the QGIS executable to use. Used in shortcuts. | `/usr/bin/qgis` on Linux and MacOS, `%PROGRAMFILES%/QGIS 3.28/bin/qgis-ltr-bin.exe` on Windows. |
+| `QDT_SSL_USE_SYSTEM_STORES` | By default, a bundle of SSL certificates is used, through [certifi](https://pypi.org/project/certifi/). If this environment variable is set to True, QDT tries to uses the system certificates store. Based on [truststore](https://truststore.readthedocs.io/).   | `False` |
 
 ----
 

diff --git a/qgis_deployment_toolbelt/utils/file_downloader.py b/qgis_deployment_toolbelt/utils/file_downloader.py
@@ -7,9 +7,11 @@
 
 # standard library
 import logging
+from os import getenv
 from pathlib import Path
 
 # 3rd party
+import truststore
 from requests import Session
 from requests.exceptions import ConnectionError, HTTPError
 from requests.utils import requote_uri
@@ -18,6 +20,7 @@
 from qgis_deployment_toolbelt.__about__ import __title_clean__, __version__
 from qgis_deployment_toolbelt.utils.formatters import convert_octets
 from qgis_deployment_toolbelt.utils.proxies import get_proxy_settings
+from qgis_deployment_toolbelt.utils.str2bool import str2bool
 
 # ############################################################################
 # ########## GLOBALS #############
@@ -26,6 +29,9 @@
 # logs
 logger = logging.getLogger(__name__)
 
+if str2bool(getenv("QDT_SSL_USE_SYSTEM_STORES", False)):
+    truststore.inject_into_ssl()
+    logger.debug("Option to use native system certificates stores is enabled.")
 
 # ############################################################################
 # ########## FUNCTIONS ###########

diff --git a/qgis_deployment_toolbelt/utils/journalizer.py b/qgis_deployment_toolbelt/utils/journalizer.py
@@ -17,6 +17,7 @@
 
 # 3rd party
 import certifi
+import truststore
 from requests.utils import DEFAULT_CA_BUNDLE_PATH
 
 # Imports depending on operating system
@@ -29,6 +30,7 @@
 from qgis_deployment_toolbelt.__about__ import __title__, __version__
 from qgis_deployment_toolbelt.constants import get_qdt_logs_folder
 from qgis_deployment_toolbelt.utils.proxies import get_proxy_settings
+from qgis_deployment_toolbelt.utils.str2bool import str2bool
 
 # ############################################################################
 # ########## GLOBALS #############
@@ -141,6 +143,10 @@ def headers():
         f"Certificate authority (CA) bundle to use: {getenv('REQUESTS_CA_BUNDLE', getenv('CURL_CA_BUNDLE'))}"
     )
 
+    if str2bool(getenv("QDT_SSL_USE_SYSTEM_STORES", False)):
+        truststore.inject_into_ssl()
+        logger.debug("Option to use native system certificates stores is enabled.")
+
 
 def get_logger_filepath() -> Path | None:
     """Retrieve log filepath within logger handlers.