Bundle ca certificates on snap to avoid ssl errors on non-debian-like…

… distribs
Scille · Sep 10, 2021 · e11abdc · e11abdc
1 parent 0f0ef21
commit e11abdc
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/packaging/snap/snap/snapcraft.yaml b/packaging/snap/snap/snapcraft.yaml
@@ -16,11 +16,13 @@ apps:
     command: parsec
     desktop: parsec.desktop
     environment:
+      SSL_CAFILE: ${SNAP}/cacert.pem
       SENTRY_URL: https://[email protected]/1212848
       PREFERRED_ORG_CREATION_BACKEND_ADDR: parsec://saas.parsec.cloud/
   cli:
     command: parsec-cli
     environment:
+      SSL_CAFILE: ${SNAP}/cacert.pem
       SENTRY_URL: https://[email protected]/1212848
       PREFERRED_ORG_CREATION_BACKEND_ADDR: parsec://saas.parsec.cloud/
 
@@ -55,6 +57,16 @@ parts:
       ${VENV}/bin/python -m pip install -Ur pre-requirements.txt
       ${VENV}/bin/python -m pip install -U .[core]
 
+      # Bundled libssl doesn't know where host OS stores it CA certificates,
+      # hence we bundle them instead.
+      # For this, Certifi provides the Mozilla-curated certifs bundled as a
+      # single file and we just have to copy it into our Snap.
+      # Note we don't use ubuntu package's  `ca-certificate` here given it
+      # comes as multiple pem files that must be cooked with `update-ca-certificate`
+      # command before being actually usable by openssl.
+      ${VENV}/bin/python -m pip install -U certifi
+      cp $(${VENV}/bin/python -m certifi) ${SNAPCRAFT_PART_INSTALL}/cacert.pem
+
       # ...then only keep the installed packages from the virtual env
       # this is fine given the same python is used between build and runtime
       cp -R ${VENV}/lib/python3.*/site-packages ${SNAPCRAFT_PART_INSTALL}/site-packages