From f215368c4a97531e2875044347174145c04fb84b Mon Sep 17 00:00:00 2001
From: Reinier Criel
Date: Wed, 12 Nov 2025 13:30:22 -0800
Subject: [PATCH] Some small fixes
---
 packages/safe-chain/src/packagemanager/pip/runPipCommand.js | 3 +++
 packages/safe-chain/src/registryProxy/certUtils.js | 6 ++++++
 2 files changed, 9 insertions(+)
diff --git a/packages/safe-chain/src/packagemanager/pip/runPipCommand.js b/packages/safe-chain/src/packagemanager/pip/runPipCommand.js
index 440c02b..12a3748 100644
--- a/packages/safe-chain/src/packagemanager/pip/runPipCommand.js
+++ b/packages/safe-chain/src/packagemanager/pip/runPipCommand.js
@@ -24,6 +24,7 @@ export async function runPip(command, args) {
 if (!env.REQUESTS_CA_BUNDLE) {
 env.REQUESTS_CA_BUNDLE = combinedCaPath;
 }
+
 if (!env.SSL_CERT_FILE) {
 env.SSL_CERT_FILE = combinedCaPath;
 }
@@ -33,6 +34,8 @@ export async function runPip(command, args) {
 if (!env.PIP_CERT) {
 env.PIP_CERT = combinedCaPath;
 }
+
+ // PIP_CONFIG file is created to ensure proxy and cert settings are applied even if env vars are ignored for certificates (e.g. Python 3.11 and up).
 if (!env.PIP_CONFIG_FILE) {
 const tmpDir = os.tmpdir();
 const pipConfigPath = path.join(tmpDir, `safe-chain-pip-${Date.now()}.ini`);
diff --git a/packages/safe-chain/src/registryProxy/certUtils.js b/packages/safe-chain/src/registryProxy/certUtils.js
index aa23d79..6b326c8 100644
--- a/packages/safe-chain/src/registryProxy/certUtils.js
+++ b/packages/safe-chain/src/registryProxy/certUtils.js
@@ -49,6 +49,12 @@ export function generateCertForHost(hostname) {
 keyEncipherment: true,
 },
 {
+ /*
+ extKeyUsage serverAuth is required for TLS server authentication.
+ This is especially important for Python venv environments, which use their own
+ certificate validation logic and will reject certificates lacking the serverAuth EKU.
+ Adding serverAuth does not impact other usages
+ */
 name: "extKeyUsage",
 serverAuth: true,
 },
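Review bot: In runPipCommand.js (second hunk), the config path shown as context, `safe-chain-pip-${Date.now()}.ini` directly under `os.tmpdir()`, is predictable, and the new comment confirms that this file carries the proxy and certificate settings pip will trust. On a shared temp directory another local user could pre-create or symlink that name; the write itself is outside the hunk, so whether it uses exclusive creation or a restrictive mode cannot be confirmed here. Consider a private directory, `const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "safe-chain-pip-"));`, and writing the file with `{ flag: "wx", mode: 0o600 }`, assuming `fs` is already imported in this file. The comment would also read more precisely if it named the variable as `PIP_CONFIG_FILE` rather than "PIP_CONFIG file".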
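Review bot: In certUtils.js, the last sentence of the new comment, "Adding serverAuth does not impact other usages", reads as if the extension were neutral, but an extKeyUsage extension restricts the certificate to the purposes it lists, so validators that enforce EKU will refuse it for anything other than TLS server authentication. For a per-host certificate minted by the proxy that restriction is the desired least-privilege outcome and is worth stating as such. Suggested wording: `// EKU serverAuth limits this leaf cert to TLS server authentication; strict validators (such as the Python clients targeted here) reject server certs without it.` The extensions array and generateCertForHost continue outside the hunk, so other extensions such as subjectAltName could not be checked from here.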