sslutil: guard against broken certifi installations (
issue5406)
Certifi is currently incompatible with py2exe; the Python code for certifi gets
included in library.zip, but not the cacert.pem file - and even if it were
included, SSLContext can't load a cacert.pem file from library.zip.
This currently makes it impossible to build a standalone Windows version of
Mercurial.
Guard against this, and possibly other situations where a module with the name
"certifi" exists, but is not usable.
--- a/mercurial/sslutil.py Tue Oct 25 18:56:27 2016 +0200
+++ b/mercurial/sslutil.py Wed Oct 19 18:06:14 2016 +0200
@@ -690,14 +690,15 @@
We don't print a message when the Python is able to load default
CA certs because this scenario is detected at socket connect time.
"""
- # The "certifi" Python package provides certificates. If it is installed,
- # assume the user intends it to be used and use it.
+ # The "certifi" Python package provides certificates. If it is installed
+ # and usable, assume the user intends it to be used and use it.
try:
import certifi
certs = certifi.where()
- ui.debug('using ca certificates from certifi\n')
- return certs
- except ImportError:
+ if os.path.exists(certs):
+ ui.debug('using ca certificates from certifi\n')
+ return certs
+ except (ImportError, AttributeError):
pass
# On Windows, only the modern ssl module is capable of loading the system