By the way, there is a simple workaround for the certification verification errors, which is to disable certificate verification. Since Sage checks the SHA256 hash of each file it downloads, I don't think this is a serious security risk. Here is a 2-line patch which does that:
diff --git a/build/sage_bootstrap/download/transfer.py b/build/sage_bootstrap/download/transfer.py index ae139c391b1..3c6a877288f 100644 --- a/build/sage_bootstrap/download/transfer.py +++ b/build/sage_bootstrap/download/transfer.py 
@@ -18,6 +18,8 @@ Download files from the internet import sys import logging log = logging.getLogger() +import ssl +ssl._create_default_https_context = ssl._create_unverified_context from sage_bootstrap.stdio import flush from sage_bootstrap.compat import urllib - Marc On Tuesday, February 25, 2025 at 11:54:54 AM UTC-6 Marc Culler wrote: > On Tue, Feb 25, 2025 at 9:52 AM Dima Pasechnik <dim...@gmail.com> wrote: > >> >> this is precisely due to the cert failures caused by the broken macOS's >> python. >> >> Does not happen with a good Python install. >> > > I am sorry, but that statement is false. See the example below where an > SSL Certification error occurs with Python 3.13.1 from python.org running > in a venv with certifi-2025.1.31 installed in the venv. The Apple > /usr/binpython3 was not involved and the python.org installation of > python is a "good python install". > > - Marc > > [patch-2.7.6] Attempting to download from > https://ftp.gnu.org/gnu/patch/patch-2.7.6.tar.gz > [patch-2.7.6] > [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] > [patch-2.7.6] ERROR [transfer|run:135]: [Errno socket error] [SSL: > CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local > issuer certificate (_ssl.c:1018) > [patch-2.7.6] Traceback (most recent call last): > [patch-2.7.6] File > "/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/urllib/request.py", > > line 1778, in open > [patch-2.7.6] return getattr(self, name)(url) > [patch-2.7.6] ~~~~~~~~~~~~~~~~~~~^^^^^ > [patch-2.7.6] File > "/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/urllib/request.py", > > line 1992, in open_https > [patch-2.7.6] return self._open_generic_http(self._https_connection, > url, data) > [patch-2.7.6] > ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > [patch-2.7.6] File > "/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/urllib/request.py", > > line 1933, in _open_generic_http > 
[patch-2.7.6] http_conn.request("GET", selector, headers=headers) > [patch-2.7.6] ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > [patch-2.7.6] File > "/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/http/client.py", > > line 1336, in request > [patch-2.7.6] self._send_request(method, url, body, headers, > encode_chunked) > [patch-2.7.6] > ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > [patch-2.7.6] File > "/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/http/client.py", > > line 1382, in _send_request > [patch-2.7.6] self.endheaders(body, encode_chunked=encode_chunked) > [patch-2.7.6] ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > [patch-2.7.6] File > "/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/http/client.py", > > line 1331, in endheaders > [patch-2.7.6] self._send_output(message_body, > encode_chunked=encode_chunked) > [patch-2.7.6] > ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > [patch-2.7.6] File > "/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/http/client.py", > > line 1091, in _send_output > [patch-2.7.6] self.send(msg) > [patch-2.7.6] ~~~~~~~~~^^^^^ > [patch-2.7.6] File > "/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/http/client.py", > > line 1035, in send > [patch-2.7.6] self.connect() > [patch-2.7.6] ~~~~~~~~~~~~^^ > [patch-2.7.6] File > "/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/http/client.py", > > line 1477, in connect > [patch-2.7.6] self.sock = self._context.wrap_socket(self.sock, > [patch-2.7.6] ~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^ > [patch-2.7.6] > server_hostname=server_hostname) > [patch-2.7.6] > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > [patch-2.7.6] File > "/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/ssl.py", > line 455, in wrap_socket > [patch-2.7.6] return self.sslsocket_class._create( > [patch-2.7.6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^ > [patch-2.7.6] 
sock=sock, > [patch-2.7.6] ^^^^^^^^^^ > [patch-2.7.6] ...<5 lines>... > [patch-2.7.6] session=session > [patch-2.7.6] ^^^^^^^^^^^^^^^ > [patch-2.7.6] ) > [patch-2.7.6] ^ > [patch-2.7.6] File > "/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/ssl.py", > line 1076, in _create > [patch-2.7.6] self.do_handshake() > [patch-2.7.6] ~~~~~~~~~~~~~~~~~^^ > [patch-2.7.6] File > "/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/ssl.py", > line 1372, in do_handshake > [patch-2.7.6] self._sslobj.do_handshake() > [patch-2.7.6] ~~~~~~~~~~~~~~~~~~~~~~~~~^^ > [patch-2.7.6] ssl.SSLCertVerificationError: [SSL: > CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local > issuer certificate (_ssl.c:1018)
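Review bot: the two lines added after `log = logging.getLogger()` in transfer.py rebind `ssl._create_default_https_context` unconditionally at import time, so certificate verification is switched off for every HTTPS request made through the default context in that process, not just for the mirror that failed, and nothing in the hunk makes this opt-in or logs that it happened. Both names are underscore-private members of `ssl`, and the change carries no comment explaining that integrity is expected to come from the SHA256 check on each downloaded file; that reasoning should be written next to the code, along with the condition it depends on (the expected hash must come from the source tree, not from the same unverified connection). Since the reported failure is "unable to get local issuer certificate", a narrower change would keep verification and build the context from an explicit CA bundle, for example `ssl.create_default_context(cafile=certifi.where())` when certifi is importable, and fall back to an unverified context only behind an explicit option with a logged warning.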