ensure we only bundle certifi on linux builds

Author: ewdurbin

cpython-unix/Makefile

@@ -254,7 +254,7 @@ PYTHON_DEPENDS_$(1) := \
     $$(if$$(NEED_AUTOCONF),$$(OUTDIR)/autoconf-$$(AUTOCONF_VERSION)-$$(PACKAGE_SUFFIX).tar) \
     $$(if $$(NEED_BDB),$$(OUTDIR)/bdb-$$(BDB_VERSION)-$$(PACKAGE_SUFFIX).tar) \
     $$(if $$(NEED_BZIP2),$$(OUTDIR)/bzip2-$$(BZIP2_VERSION)-$$(PACKAGE_SUFFIX).tar) \
-    $$(OUTDIR)/certifi-$$(CERTIFI_VERSION)-$$(PACKAGE_SUFFIX).tar \
+    $$(if $$(NEED_CERTIFI),$$(OUTDIR)/certifi-$$(CERTIFI_VERSION)-$$(PACKAGE_SUFFIX).tar) \
     $$(if $$(NEED_EXPAT),$$(OUTDIR)/expat-$$(EXPAT_VERSION)-$$(PACKAGE_SUFFIX).tar) \
     $$(if $$(NEED_LIBEDIT),$$(OUTDIR)/libedit-$$(LIBEDIT_VERSION)-$$(PACKAGE_SUFFIX).tar) \
     $$(if $$(NEED_LIBFFI_3_3),$$(OUTDIR)/libffi-3.3-$$(LIBFFI_3.3_VERSION)-$$(PACKAGE_SUFFIX).tar) \

cpython-unix/build-cpython.sh

@@ -316,7 +316,9 @@ fi
 # RHEL 8 (supported until 2029) and below, including Fedora 33 and below, do not
 # ship an /etc/ssl/cert.pem or a hashed /etc/ssl/cert/ directory. Patch to look at
 # /etc/pki/tls/cert.pem instead, if that file exists and /etc/ssl/cert.pem does not.
-patch -p1 -i ${ROOT}/patch-cpython-redhat-cert-file.patch
+if [[ "${TARGET_TRIPLE}" =~ linux ]]; then
+    patch -p1 -i "${ROOT}/patch-cpython-redhat-cert-file.patch"
+fi
 
 # Cherry-pick an upstream change in Python 3.15 to build _asyncio as
 # static (which we do anyway in our own fashion) and more importantly to
@@ -1361,10 +1363,12 @@ if [ -d "${TOOLS_PATH}/deps/usr/share/terminfo" ]; then
   cp -av "${TOOLS_PATH}/deps/usr/share/terminfo" "${ROOT}/out/python/install/share/"
 fi
 
-# Copy a fallback CA bundle. Python will prefer the host trust store when one
-# exists and use this only for minimal environments without root certificates.
-mkdir -p "${ROOT}/out/python/install/etc/ssl"
-cp -av "${TOOLS_PATH}/deps/share/certifi/cacert.pem" "${ROOT}/out/python/install/etc/ssl/cert.pem"
+# Copy a Linux fallback CA bundle. Python will prefer the host trust store when
+# one exists and use this only for minimal environments without root certificates.
+if [[ "${TARGET_TRIPLE}" =~ linux ]]; then
+    mkdir -p "${ROOT}/out/python/install/etc/ssl"
+    cp -av "${TOOLS_PATH}/deps/share/certifi/cacert.pem" "${ROOT}/out/python/install/etc/ssl/cert.pem"
+fi
 
 # config.c defines _PyImport_Inittab and extern references to modules, which
 # downstream consumers may want to strip. We bundle config.c and config.c.in so
@@ -1391,5 +1395,7 @@ find "${ROOT}/out/python/install/lib/pkgconfig" -name \*.pc -type f -exec \
     sed "${sed_args[@]}" 's|^prefix=/install|prefix=${pcfiledir}/../..|' {} +
 
 mkdir "${ROOT}/out/python/licenses"
-cp "${ROOT}/LICENSE" "${ROOT}/out/python/licenses/"
+if [[ "${TARGET_TRIPLE}" =~ linux ]]; then
+    cp "${ROOT}/LICENSE" "${ROOT}/out/python/licenses/"
+fi
 cp "${ROOT}"/LICENSE.*.txt "${ROOT}/out/python/licenses/"

cpython-unix/build.py

@@ -775,12 +775,14 @@ def build_cpython(
             python_archive,
             setuptools_archive,
             pip_archive,
-            ROOT / "LICENSE",
             SUPPORT / "build-cpython.sh",
             SUPPORT / "run_tests-13.py",
         ):
             build_env.copy_file(p)
 
+        if "-linux-" in target_triple:
+            build_env.copy_file(ROOT / "LICENSE")
+
         for f in sorted(os.listdir(ROOT)):
             if f.startswith("LICENSE.") and f.endswith(".txt"):
                 build_env.copy_file(ROOT / f)

cpython-unix/patch-cpython-redhat-cert-file.patch

@@ -13,16 +13,24 @@ index 42ebb8ed384..c15c0ec940f 100644
 
      sslsocket_class = None  # SSLSocket is assigned later.
      sslobject_class = None  # SSLObject is assigned later.
-@@ -531,6 +534,34 @@ def load_default_certs(self, purpose=Purpose.SERVER_AUTH):
+@@ -531,6 +535,41 @@ def load_default_certs(self, purpose=Purpose.SERVER_AUTH):
          if sys.platform == "win32":
              for storename in self._windows_cert_stores:
                  self._load_windows_store_certs(storename, purpose)
-+        else:
-+            def _cert_dir_has_entries(path):
++        elif sys.platform == "linux":
++            def _has_hashed_certs(path):
 +                if not os.path.isdir(path):
 +                    return False
 +                try:
-+                    return next(os.scandir(path), None) is not None
++                    for entry in os.scandir(path):
++                        name, dot, suffix = entry.name.partition(".")
++                        if dot and len(name) == 8 and suffix.isdigit():
++                            try:
++                                int(name, 16)
++                            except ValueError:
++                                continue
++                            return True
++                    return False
 +                except OSError:
 +                    return False
 +
@@ -31,15 +39,14 @@ index 42ebb8ed384..c15c0ec940f 100644
 +                _def_paths[0] in os.environ or os.path.isfile(_def_paths[1])
 +            )
 +            _has_cert_dir = (
-+                _def_paths[2] in os.environ or _cert_dir_has_entries(_def_paths[3])
++                _def_paths[2] in os.environ or _has_hashed_certs(_def_paths[3])
 +            )
-+            if sys.platform == "linux":
-+                if not _has_cert_file and os.path.isfile(self._FALLBACK_CERT_FILE):
-+                    self.load_verify_locations(cafile=self._FALLBACK_CERT_FILE)
-+                    _has_cert_file = True
-+                if not _has_cert_dir and _cert_dir_has_entries(self._FALLBACK_CERT_DIR):
-+                    self.load_verify_locations(capath=self._FALLBACK_CERT_DIR)
-+                    _has_cert_dir = True
++            if not _has_cert_file and os.path.isfile(self._FALLBACK_CERT_FILE):
++                self.load_verify_locations(cafile=self._FALLBACK_CERT_FILE)
++                _has_cert_file = True
++            if not _has_cert_dir and _has_hashed_certs(self._FALLBACK_CERT_DIR):
++                self.load_verify_locations(capath=self._FALLBACK_CERT_DIR)
++                _has_cert_dir = True
 +            if (self._STANDALONE_CERT_FALLBACK_ENV not in os.environ and
 +                not _has_cert_file and
 +                not _has_cert_dir and

docs/quirks.rst

@@ -74,9 +74,9 @@ ncurses/libedit/readline are loaded.
 Fallback CA Certificate Bundle
 ==============================
 
-On Unix platforms, Python prefers the trust store provided by the host
-operating system. When none of the usual host certificate locations exist,
-these distributions fall back to a bundled CA certificate file at
+On Linux, Python prefers the trust store provided by the host operating
+system. When none of the usual host certificate locations exist, these
+distributions fall back to a bundled CA certificate file at
 ``etc/ssl/cert.pem`` inside the Python installation.
 
 The bundled file is a safety net for minimal environments such as scratch-like

pythonbuild/disttests/__init__.py

@@ -217,7 +217,7 @@ def test_ssl(self):
 
         ssl.create_default_context()
 
-        if os.name != "nt":
+        if sys.platform == "linux":
             bundled_ca_file = os.path.join(INSTALL_ROOT, "etc", "ssl", "cert.pem")
             self.assertTrue(os.path.isfile(bundled_ca_file))
 

pythonbuild/utils.py

@@ -100,15 +100,26 @@ def target_needs(yaml_path: pathlib.Path, target: str):
     settings = get_targets(yaml_path)[target]
 
     needs = set(settings["needs"])
-    # Every Unix distribution ships a fallback CA bundle.
-    needs.add("certifi")
+    # Linux distributions ship a fallback CA bundle for minimal images.
+    if "-linux-" in target:
+        needs.add("certifi")
 
     # Ship libedit linked readline extension to avoid a GPL dependency.
     needs.discard("readline")
 
     return needs
 
 
+def target_makefile_needs(target: str, settings: dict) -> set[str]:
+    """Obtain dependency names that should be emitted into target Makefiles."""
+    needs = set(settings.get("needs", []))
+
+    if "-linux-" in target:
+        needs.add("certifi")
+
+    return needs
+
+
 def release_tag_from_git():
     return (
         subprocess.check_output(
@@ -192,7 +203,7 @@ def write_triples_makefiles(
             makefile_path = dest_dir / ("Makefile.%s.%s" % (host_platform, triple))
 
             lines = []
-            for need in settings.get("needs", []):
+            for need in sorted(target_makefile_needs(triple, settings)):
                 lines.append(
                     "NEED_%s := 1\n" % need.upper().replace("-", "_").replace(".", "_")
                 )