From 6cc3ffc0442427e9b440451aa40960ceaccb1fbb Mon Sep 17 00:00:00 2001 From: Reinier Criel Date: Mon, 10 Nov 2025 15:36:56 -0800 Subject: [PATCH] Only install for install/download and wheel commands --- .../src/packagemanager/pip/runPipCommand.js | 28 +++++++++++++++++-- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/packages/safe-chain/src/packagemanager/pip/runPipCommand.js b/packages/safe-chain/src/packagemanager/pip/runPipCommand.js index 13ece0e..e5bf64d 100644 --- a/packages/safe-chain/src/packagemanager/pip/runPipCommand.js +++ b/packages/safe-chain/src/packagemanager/pip/runPipCommand.js @@ -3,6 +3,26 @@ import { safeSpawn } from "../../utils/safeSpawn.js"; import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js"; import { installSafeChainCA } from "../../registryProxy/certUtils.js"; +/** + * Returns true if the pip command needs the Safe-chain CA installed. + * @param {string[]} args + * @returns {boolean} + */ +function needsCaInstalled(args) { + const known = new Set(["install", "wheel", "download"]); + let startIdx = 0; + if (args[0] === "-m" && (args[1] === "pip" || args[1] === "pip3")) { + startIdx = 2; + } + for (let i = startIdx; i < args.length; i++) { + const token = args[i]; + if (!token) continue; + if (token.startsWith("-")) continue; // skip flags + if (known.has(token)) return true; + } + return false; +} + /** * @param {string} command * @param {string[]} args 
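Review bot: The `-m pip` prefix handling in needsCaInstalled is redundant: the loop already skips `-m` because it starts with `-`, and neither `pip` nor `pip3` is in `known`, so `startIdx` never changes the result and can be dropped. The scan also matches any positional token rather than just the subcommand, so a package argument that happens to equal a command name triggers the install (`pip uninstall wheel` or `pip show download` both return true); that errs on the safe side (an extra CA install rather than a missed one), but it should be stated in the JSDoc, e.g. `* Over-matches on purpose: any positional equal to install/wheel/download counts, including package names.` Restricting the match to the first positional would need explicit handling of pip general options that take a value (e.g. `--timeout 60`), so keeping the over-inclusive scan is reasonable as long as it is documented.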
@@ -11,9 +31,11 @@ import { installSafeChainCA } from "../../registryProxy/certUtils.js";
  */
 export async function runPip(command, args) {
   try {
-    // Install Safe Chain CA in OS trust store before running pip
- // Py 3.14 requires that certs are properly installed in the OS trust store
-    await installSafeChainCA();
+    // Only install CA for commands that download or build packages.
+    // This minimizes privilege prompts for read-only operations like 'list' or 'show'.
+    if (needsCaInstalled(args)) {
+      await installSafeChainCA();
+    }
     const env = mergeSafeChainProxyEnvironmentVariables(process.env);
     const result = await safeSpawn(command, args, {
       stdio: "inherit",
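Review bot: The reason the CA has to be in the OS trust store is lost with the removed comment; the new comment says when the CA is installed but no longer why, and the subcommands that are skipped still receive the proxied environment built on the next line, so a pip subcommand outside install/wheel/download that reaches the index (e.g. `pip index versions`) now runs without the OS-trusted CA. Whether that fails closed with a TLS error or is otherwise handled depends on what mergeSafeChainProxyEnvironmentVariables sets, which is outside this hunk; the expected outcome should be confirmed and recorded next to the condition. Suggested comment above the `if`: `// Python 3.14 verifies TLS against the OS trust store, so the Safe Chain CA must be installed before pip fetches packages; skip it for subcommands that do not download/build to avoid privilege prompts (unlisted subcommands still get the proxy env below — confirm they fail closed).` The enclosing try/catch of runPip continues outside the hunk, so a rejected installSafeChainCA() is handled there.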