
upload to untrusted hosts with --trusted option


Hi,

Twine denies uploading to untrusted https PyPI clones. This triggers an SSL error caused by an unknown CA certificate. I need the ability to upload packages to untrusted private PyPI servers since

Background: I’m in the process of adding PyPI and NPM support to a Nexus server that’s published in production with regular CA-signed certificates. But I can’t obtain such certificates for the Nexus test site.

I made a small quick’n’dirty patch setting verify=False option when posting a tarball or wheel file here. https://github.com/pypa/twine/blob/master/twine/repository.py#L152

I know that the requests lib issues a warning in such situations but I don’t care.

Thanks

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 6
  • Comments: 13 (7 by maintainers)

Top GitHub Comments

9 reactions
jaraco commented, Dec 15, 2019

The solution to this problem is threefold:

  • insecure requests over plain HTTP are allowed
  • where SSL is used with an otherwise untrusted certificate, the --cert parameter should be used to pass the trusted certificate
  • if the above solutions aren’t available, implement a hack (such as this) at your own risk to disable certificate checking.

This last option is intentionally ugly and inconvenient to limit the proliferation of that discouraged approach.

If none of these approaches are suitable, please feel free to elaborate on why.

6 reactions
itaym120 commented, Nov 15, 2019

Sorry I didn’t comment earlier, but I wanted to say that I think I’m -1 on making this change.

I’m a bit concerned that if we add this flag, it will proliferate through comments, stack overflow answers, etc as an “easy” way to fix SSL errors that should actually be fixed by producing and obtaining valid certificates for third-party indices. Basically, this shouldn’t be necessary and feels like an easy way out.

I’m especially concerned about the possibility of this being used with --trusted-host pypi.org which should basically never happen. At the very least, I’d like to see this being implemented in a way that prevents this flag from ever being used with that host.

(cc @ewdurbin for thoughts here as well)

It’s not always possible to work the “right” way; that’s why pip, conda install and npm give the option to add trusted-host\verify-ssl flags. Not as the recommended way, but as a possibility for users. The default should obviously be to verify whenever it’s a possibility.

In my case, I just can’t demand that the Artifactory repository providers add a real CA-approved certificate, and I have no choice but to use verify=False when uploading and downloading packages from there. And there are no alternatives in the lan…
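As an added illustration (not twine's code), the following resolves the three options from jaraco's comment into the `verify` argument that `requests` accepts, and enforces the guard proposed above: verification is never disabled for the official index. The protected hostnames beyond `pypi.org` and the `InsecureUploadRefused` name are assumptions for this example.

```python
from urllib.parse import urlsplit

# Hosts for which TLS verification must never be disabled. The page names
# pypi.org; upload.pypi.org and test.pypi.org are added here as assumptions.
PROTECTED_HOSTS = {"pypi.org", "upload.pypi.org", "test.pypi.org"}


class InsecureUploadRefused(Exception):
    """Raised when a caller asks to skip verification for a protected host."""


def resolve_verify(repository_url, cert=None, trusted=False):
    """Return the value to pass as requests' ``verify`` keyword.

    Preference order mirrors the three options in the thread:
    1. plain HTTP: there is no certificate, so the default is kept;
    2. a CA bundle path (the --cert option) verifies the private index;
    3. ``trusted`` disables verification, but never for the official index.
    """
    parts = urlsplit(repository_url)
    host = (parts.hostname or "").lower()

    if parts.scheme == "http":
        return True  # no TLS involved; requests ignores verify here

    if cert:
        # requests treats a str value as the path of a CA bundle file,
        # so the untrusted CA's certificate is trusted for this upload only.
        return cert

    if trusted:
        if host in PROTECTED_HOSTS or host.endswith(".pypi.org"):
            raise InsecureUploadRefused(
                f"refusing to skip TLS verification for {host}"
            )
        return False  # discouraged path, taken only for private indices

    return True  # default: verify against the system trust store
```

The returned value is what a `requests.Session().post(url, files=..., verify=...)` call for the upload would receive.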
