Fix SSL CA setup timing and QByteArray decode on macOS

- Decode QByteArray returned by trustedCaCertsPemText() to str before writing
- Always replace the QGIS CA section in cert.pem instead of append-only,
  so stale certs from previous sessions are refreshed
- Call setup_qgis_ssl_for_mergin_client() in initGui() where the auth manager
  is guaranteed to be ready, and also before each MerginClient creation in
  validate_mergin_url() and mergin_server_deprecated_version()

Author: lleirborras

Mergin/plugin.py

@@ -66,6 +66,8 @@
 os.environ["MERGIN_CLIENT_LOG"] = MERGIN_CLIENT_LOG
 
 try:
+    # Best-effort early init; auth manager may not be ready yet so this may be a no-op.
+    # The real call happens in initGui() and before each MerginClient creation.
     setup_qgis_ssl_for_mergin_client()
 except Exception:
     pass
@@ -119,6 +121,11 @@ def initGui(self):
 
         self.initProcessing()
 
+        try:
+            setup_qgis_ssl_for_mergin_client()
+        except Exception:
+            pass
+
         if self.iface is not None:
             self.add_action(
                 mm_symbol_path(),

Mergin/utils_auth.py

@@ -444,6 +444,7 @@ def validate_mergin_url(url):
     :param url: String Mergin Maps URL to ping.
     :return: String error message as result of validation. If None, URL is valid.
     """
+    setup_qgis_ssl_for_mergin_client()
     try:
         MerginClient(url, proxy_config=get_qgis_proxy_config(url))
 
@@ -529,6 +530,7 @@ def set_qgsexpressionscontext(url: str, mc: typing.Optional[MerginClient] = None
 
 
 def mergin_server_deprecated_version(url: str) -> bool:
+    setup_qgis_ssl_for_mergin_client()
     mc = MerginClient(
         url=url,
         auth_token=None,
@@ -567,24 +569,13 @@ def setup_qgis_ssl_for_mergin_client() -> None:
     2. On macOS, appends the QGIS CAs to MerginClient's bundled cert.pem
        so that the macOS fallback code path also trusts them.
     """
-    auth_manager = QgsApplication.authManager()
-    ca_certs = auth_manager.trustedCaCertsCache()
-
-    if not ca_certs:
-        return
+    qgis_ca_pem = QgsApplication.authManager().trustedCaCertsPemText()
+    if hasattr(qgis_ca_pem, "data"):
+        qgis_ca_pem = qgis_ca_pem.data().decode("utf-8")
 
-    # Convert QSslCertificate objects to PEM text
-    pem_blocks = []
-    for cert in ca_certs:
-        pem_data = bytes(cert.toPem()).decode("ascii")
-        if pem_data:
-            pem_blocks.append(pem_data)
-
-    if not pem_blocks:
+    if not qgis_ca_pem:
         return
 
-    qgis_ca_pem = "\n".join(pem_blocks)
-
     # 1. Write to a PEM file and set SSL_CERT_FILE
     settings_dir = QgsApplication.qgisSettingsDirPath()
     ca_file_path = os.path.join(settings_dir, "mergin-trusted-cas.pem")
@@ -601,10 +592,13 @@ def setup_qgis_ssl_for_mergin_client() -> None:
             marker = "# --- QGIS trusted CAs ---"
             with open(bundled_cert, "r") as f:
                 existing = f.read()
-            if marker not in existing:
-                with open(bundled_cert, "a") as f:
-                    f.write(f"\n{marker}\n")
-                    f.write(qgis_ca_pem)
+            # Always replace the QGIS section so stale CAs get refreshed
+            if marker in existing:
+                base_content = existing[: existing.index(marker)].rstrip()
+            else:
+                base_content = existing.rstrip()
+            with open(bundled_cert, "w") as f:
+                f.write(base_content + f"\n\n{marker}\n" + qgis_ca_pem)
 
 
 def qgis_support_sso() -> bool: