From f38a12c6d55d7431434982c38fdf1d4d669b908f Mon Sep 17 00:00:00 2001 From: Reinier Criel Date: Thu, 30 Oct 2025 16:00:32 -0700 Subject: [PATCH] Combine certificates --- package-lock.json | 22 ++-- packages/safe-chain/package.json | 2 +- .../src/packagemanager/pip/runPipCommand.js | 78 ++---------- .../packagemanager/pip/runPipCommand.spec.js | 117 ++++++++---------- .../packagemanager/pip/utils/pipCaBundle.js | 90 ++++++++++++++ .../pip/utils/pipCaBundle.spec.js | 71 +++++++++++ .../registryProxy/registryProxy.mitm.spec.js | 2 +- test/e2e/pip.e2e.spec.js | 14 +-- 8 files changed, 243 insertions(+), 153 deletions(-) create mode 100644 packages/safe-chain/src/packagemanager/pip/utils/pipCaBundle.js create mode 100644 packages/safe-chain/src/packagemanager/pip/utils/pipCaBundle.spec.js diff --git a/package-lock.json b/package-lock.json index dee28f5..d3dda09 100644 --- a/package-lock.json +++ b/package-lock.json @@ -516,6 +516,15 @@ "node": "^18.17.0 || >=20.5.0" } }, + "node_modules/certifi": { + "version": "14.5.15", + "resolved": "https://registry.npmjs.org/certifi/-/certifi-14.5.15.tgz", + "integrity": "sha512-NeLXuKCqSzwQNjpJ+WaSp5m8ntdTKJ8HnBu+eA7DxHfgzU7F1sjwrJFang+4U38+vmWbiFUpPZMV3uwwnHAisQ==", + "license": "MPL-2.0", + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/chalk": { "version": "5.4.1", "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.4.1.tgz", @@ -1717,28 +1726,19 @@ "node": ">=18" } }, - "node_modules/yargs-parser": { - "version": "21.1.1", - "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-21.1.1.tgz", - "integrity": "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==", - "license": "ISC", - "engines": { - "node": ">=12" - } - }, "packages/safe-chain": { "name": "@aikidosec/safe-chain", "version": "1.0.0", "license": "AGPL-3.0-or-later", "dependencies": { + "certifi": "^14.5.15", "chalk": "5.4.1", "https-proxy-agent": "7.0.6", "make-fetch-happen": "14.0.3", "node-forge": "1.3.1", "npm-registry-fetch": "18.0.2", "ora": "8.2.0", - "semver": "7.7.2", - "yargs-parser": "^21.1.1" + "semver": "7.7.2" }, "bin": { "aikido-bun": "bin/aikido-bun.js", diff --git a/packages/safe-chain/package.json b/packages/safe-chain/package.json index 08d8a19..5724878 100644 --- a/packages/safe-chain/package.json +++ b/packages/safe-chain/package.json @@ -32,7 +32,7 @@ "license": "AGPL-3.0-or-later", "description": "The Aikido Safe Chain wraps around the [npm cli](https://github.com/npm/cli), [npx](https://github.com/npm/cli/blob/latest/docs/content/commands/npx.md), [yarn](https://yarnpkg.com/), [pnpm](https://pnpm.io/), [pnpx](https://pnpm.io/cli/dlx), [bun](https://bun.sh/), and [bunx](https://bun.sh/docs/cli/bunx) to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm, pnpx, bun, or bunx from downloading or running the malware.", "dependencies": { - "yargs-parser": "^21.1.1", + "certifi": "^14.5.15", "chalk": "5.4.1", "https-proxy-agent": "7.0.6", "make-fetch-happen": "14.0.3", diff --git a/packages/safe-chain/src/packagemanager/pip/runPipCommand.js b/packages/safe-chain/src/packagemanager/pip/runPipCommand.js index c4a1ac6..4e12282 100644 --- a/packages/safe-chain/src/packagemanager/pip/runPipCommand.js +++ b/packages/safe-chain/src/packagemanager/pip/runPipCommand.js @@ -1,80 +1,22 @@ import { ui } from "../../environment/userInteraction.js"; import { safeSpawn } from "../../utils/safeSpawn.js"; import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js"; -import { getCaCertPath } from "../../registryProxy/certUtils.js"; -import { knownPipRegistries } from "../../registryProxy/parsePackageFromUrl.js"; -import yargsParser from "yargs-parser"; - -function extractHostsFromPipArgs(args) { - function hostFromString(input) { - if (typeof input !== "string" || input.length === 0) return undefined; - try { - const u = new URL(input); - return u.hostname || undefined; - } catch { - // ignore: not a valid absolute URL - } - // Try adding a scheme if it's a schemeless URL-like value - try { - const u2 = new URL(`https://${input}`); - return u2.hostname || undefined; - } catch { - // ignore: not a valid schemeless URL either - } - return undefined; - } - - const parsed = yargsParser(args, { - configuration: { - "short-option-groups": true, - "camel-case-expansion": false, - "dot-notation": false, - "duplicate-arguments-array": true, - "flatten-duplicate-arrays": false, - "greedy-arrays": false, - "unknown-options-as-args": true, - }, - }); - const toArray = (v) => (v == null ? [] : Array.isArray(v) ? v : [v]); - const candidateUrls = [ - ...toArray(parsed.i), - ...toArray(parsed["index-url"]), - ...toArray(parsed["extra-index-url"]), - ...toArray(parsed["find-links"]), - ...toArray(parsed._).filter( - (a) => typeof a === "string" && (a.startsWith("https://") || a.startsWith("http://")) - ), - ]; - const hosts = new Set(); - for (const u of candidateUrls) { - const h = hostFromString(u); - if (h) hosts.add(h); - } - return Array.from(hosts); -} - +import { getCombinedCaBundlePath } from "./utils/pipCaBundle.js"; +// Always provide Python with a complete CA bundle (Safe Chain CA + Mozilla + Node built-in roots) +// so that any network request made by pip, including those outside explicit CLI args, +// validates correctly under both MITM'd and tunneled HTTPS. export async function runPip(command, args) { try { const env = mergeSafeChainProxyEnvironmentVariables(process.env); - // Re-introduce conditional --cert injection: only for known registries (MITM). - // No global env overrides for Python trust. - const hosts = extractHostsFromPipArgs(args); - const allKnown = hosts.length === 0 - ? true // No explicit sources => default PyPI (known) -> MITM - : hosts.every((h) => knownPipRegistries.includes(h)); - // Respect user-provided --cert: detect both "--cert " and "--cert=" - const hasUserCert = args.some( - (a) => a === "--cert" || (typeof a === "string" && a.startsWith("--cert=")) - ); + // Always set Python CA env vars to a combined bundle that includes Safe Chain CA, + // Mozilla roots (certifi), and Node built-in root CAs. + const combinedCaPath = getCombinedCaBundlePath(); + env.REQUESTS_CA_BUNDLE = combinedCaPath; + env.SSL_CERT_FILE = combinedCaPath; - let finalArgs = [...args]; - if (allKnown && !hasUserCert) { - finalArgs = [...args, "--cert", getCaCertPath()]; - } - - const result = await safeSpawn(command, finalArgs, { + const result = await safeSpawn(command, args, { stdio: "inherit", env, }); diff --git a/packages/safe-chain/src/packagemanager/pip/runPipCommand.spec.js b/packages/safe-chain/src/packagemanager/pip/runPipCommand.spec.js index 36abdf1..56863ef 100644 --- a/packages/safe-chain/src/packagemanager/pip/runPipCommand.spec.js +++ b/packages/safe-chain/src/packagemanager/pip/runPipCommand.spec.js @@ -1,7 +1,7 @@ import { describe, it, beforeEach, afterEach, mock } from "node:test"; import assert from "node:assert"; -describe("runPipCommand --cert handling", () => { +describe("runPipCommand environment variable handling", () => { let runPip; let capturedArgs = null; @@ -28,10 +28,10 @@ describe("runPipCommand --cert handling", () => { }, }); - // Mock certUtils to point to a test CA path - mock.module("../../registryProxy/certUtils.js", { + // Mock pipCaBundle to return a test combined bundle path + mock.module("./utils/pipCaBundle.js", { namedExports: { - getCaCertPath: () => "/tmp/test-ca.pem", + getCombinedCaBundlePath: () => "/tmp/test-combined-ca.pem", }, }); @@ -43,66 +43,29 @@ describe("runPipCommand --cert handling", () => { mock.reset(); }); - it("should append --cert with our CA path to pip args by default (PyPI)", async () => { + it("should set REQUESTS_CA_BUNDLE and SSL_CERT_FILE for default PyPI (no explicit index)", async () => { const res = await runPip("pip3", ["install", "requests"]); assert.strictEqual(res.status, 0); - // safeSpawn should be called with --cert flag assert.ok(capturedArgs, "safeSpawn should have been called"); - const idx = capturedArgs.args.indexOf("--cert"); - assert.ok(idx >= 0, "--cert flag should be present in pip args"); + // Check environment variables are set + assert.strictEqual( + capturedArgs.options.env.REQUESTS_CA_BUNDLE, + "/tmp/test-combined-ca.pem", + "REQUESTS_CA_BUNDLE should be set to combined bundle path" + ); + assert.strictEqual( + capturedArgs.options.env.SSL_CERT_FILE, + "/tmp/test-combined-ca.pem", + "SSL_CERT_FILE should be set to combined bundle path" + ); - const certPath = capturedArgs.args[idx + 1]; - assert.strictEqual(certPath, "/tmp/test-ca.pem", "CA path should match getCaCertPath()"); - - // Original args should be preserved before --cert - assert.strictEqual(capturedArgs.args[0], "install"); - assert.strictEqual(capturedArgs.args[1], "requests"); - - // No Python CA env overrides expected - assert.strictEqual(capturedArgs.options.env.REQUESTS_CA_BUNDLE, undefined); - assert.strictEqual(capturedArgs.options.env.SSL_CERT_FILE, undefined); + // Args should be unchanged (no arg injection) + assert.deepStrictEqual(capturedArgs.args, ["install", "requests"]); }); - it("should not override user-provided --cert ", async () => { - const res = await runPip("pip3", ["install", "requests", "--cert", "/tmp/user-ca.pem"]); - assert.strictEqual(res.status, 0); - - // Ensure only the user-provided --cert is present - const certIndices = capturedArgs.args - .map((a, i) => (a === "--cert" ? i : -1)) - .filter((i) => i >= 0); - assert.strictEqual(certIndices.length, 1, "should not inject an extra --cert"); - const userPath = capturedArgs.args[certIndices[0] + 1]; - assert.strictEqual(userPath, "/tmp/user-ca.pem", "should preserve user-provided cert path"); - // No Python CA env overrides expected - assert.strictEqual(capturedArgs.options.env.REQUESTS_CA_BUNDLE, undefined); - assert.strictEqual(capturedArgs.options.env.SSL_CERT_FILE, undefined); - }); - - it("should not override user-provided --cert=", async () => { - const res = await runPip("pip3", ["install", "requests", "--cert=/tmp/user-ca.pem"]); - assert.strictEqual(res.status, 0); - - // Ensure args contain the inline --cert= and no extra --cert token - const hasInline = capturedArgs.args.some((a) => typeof a === "string" && a.startsWith("--cert=")); - assert.ok(hasInline, "should keep inline --cert="); - const injectedIndex = capturedArgs.args.indexOf("--cert"); - assert.strictEqual(injectedIndex, -1, "should not inject separate --cert when inline is provided"); - // No Python CA env overrides expected - assert.strictEqual(capturedArgs.options.env.REQUESTS_CA_BUNDLE, undefined); - assert.strictEqual(capturedArgs.options.env.SSL_CERT_FILE, undefined); - }); - - it("should inject --cert when explicit index is a known PyPI host", async () => { - const res = await runPip("pip3", ["install", "requests", "--index-url", "https://pypi.org/simple"]); - assert.strictEqual(res.status, 0); - const idx = capturedArgs.args.indexOf("--cert"); - assert.ok(idx >= 0, "--cert should be present for known registries"); - }); - - it("should NOT inject --cert when index points to an unknown external mirror (tunneled)", async () => { + it("should set CA environment variables even for external/test PyPI mirror (covers non-CLI traffic)", async () => { const res = await runPip("pip3", [ "install", "certifi", @@ -110,17 +73,41 @@ describe("runPipCommand --cert handling", () => { "https://test.pypi.org/simple", ]); assert.strictEqual(res.status, 0); - const idx = capturedArgs.args.indexOf("--cert"); - assert.strictEqual(idx, -1, "--cert should be omitted for tunneled external hosts"); + // Env vars should be set unconditionally + assert.strictEqual( + capturedArgs.options.env.REQUESTS_CA_BUNDLE, + "/tmp/test-combined-ca.pem" + ); + assert.strictEqual( + capturedArgs.options.env.SSL_CERT_FILE, + "/tmp/test-combined-ca.pem" + ); }); - it("should NOT inject --cert when installing from a direct external URL", async () => { - const res = await runPip("pip3", [ - "install", - "https://example.com/pkg-1.0.0-py3-none-any.whl", - ]); + it("should still set CA env vars for PyPI even with user --cert flag", async () => { + // For default PyPI, we still set env vars; pip CLI --cert takes precedence + const res = await runPip("pip3", ["install", "requests"]); assert.strictEqual(res.status, 0); - const idx = capturedArgs.args.indexOf("--cert"); - assert.strictEqual(idx, -1, "--cert should be omitted for direct external URLs"); + + // Environment variables still set (pip CLI --cert takes precedence) + assert.strictEqual( + capturedArgs.options.env.REQUESTS_CA_BUNDLE, + "/tmp/test-combined-ca.pem" + ); + assert.strictEqual( + capturedArgs.options.env.SSL_CERT_FILE, + "/tmp/test-combined-ca.pem" + ); + }); + + it("should preserve HTTPS_PROXY from proxy merge", async () => { + const res = await runPip("pip3", ["install", "requests"]); + assert.strictEqual(res.status, 0); + + assert.strictEqual( + capturedArgs.options.env.HTTPS_PROXY, + "http://localhost:8080", + "HTTPS_PROXY should be set by proxy merge" + ); }); }); diff --git a/packages/safe-chain/src/packagemanager/pip/utils/pipCaBundle.js b/packages/safe-chain/src/packagemanager/pip/utils/pipCaBundle.js new file mode 100644 index 0000000..984a8ea --- /dev/null +++ b/packages/safe-chain/src/packagemanager/pip/utils/pipCaBundle.js @@ -0,0 +1,90 @@ +import fs from "node:fs"; +import os from "node:os"; +import path from "node:path"; +import certifi from "certifi"; +import tls from "node:tls"; +import { X509Certificate } from "node:crypto"; +import { getCaCertPath } from "../../../registryProxy/certUtils.js"; + +/** + * Check if a PEM string contains only parsable cert blocks. + */ +function isParsable(pem) { + if (!pem || typeof pem !== "string") return false; + const begin = "-----BEGIN CERTIFICATE-----"; + const end = "-----END CERTIFICATE-----"; + const blocks = []; + + let idx = 0; + while (idx < pem.length) { + const start = pem.indexOf(begin, idx); + if (start === -1) break; + const stop = pem.indexOf(end, start + begin.length); + if (stop === -1) break; + const blockEnd = stop + end.length; + blocks.push(pem.slice(start, blockEnd)); + idx = blockEnd; + } + + if (blocks.length === 0) return false; + try { + for (const b of blocks) { + // throw if invalid + new X509Certificate(b); + } + return true; + } catch { + return false; + } +} + +let cachedPath = null; + +/** + * Build a combined CA bundle specifically for pip flows. + * - Includes Safe Chain CA (for MITM of known registries) + * - Includes Mozilla roots via npm `certifi` (public HTTPS) + * - Includes Node's built-in root certificates as a portable fallback + * */ +export function getCombinedCaBundlePath() { + if (cachedPath && fs.existsSync(cachedPath)) return cachedPath; + + // Concatenate PEM files + const parts = []; + + // 1) Safe Chain CA (for MITM'd registries) + const safeChainPath = getCaCertPath(); + try { + const safeChainPem = fs.readFileSync(safeChainPath, "utf8"); + if (isParsable(safeChainPem)) parts.push(safeChainPem.trim()); + } catch { + // Ignore if Safe Chain CA is not available + } + + // 2) certifi (Mozilla CA bundle for all public HTTPS) + try { + const certifiPem = fs.readFileSync(certifi, "utf8"); + if (isParsable(certifiPem)) parts.push(certifiPem.trim()); + } catch { + // Ignore if certifi bundle is not available + } + + // 3) Node's built-in root certificates + try { + const nodeRoots = tls.rootCertificates; + if (Array.isArray(nodeRoots) && nodeRoots.length) { + for (const rootPem of nodeRoots) { + if (typeof rootPem !== "string") continue; + if (isParsable(rootPem)) parts.push(rootPem.trim()); + } + } + } catch { + // Ignore if unavailable + } + + const combined = parts.filter(Boolean).join("\n"); + const target = path.join(os.tmpdir(), "safe-chain-python-ca-bundle.pem"); + fs.writeFileSync(target, combined, { encoding: "utf8" }); + cachedPath = target; + return cachedPath; +} diff --git a/packages/safe-chain/src/packagemanager/pip/utils/pipCaBundle.spec.js b/packages/safe-chain/src/packagemanager/pip/utils/pipCaBundle.spec.js new file mode 100644 index 0000000..a88eeec --- /dev/null +++ b/packages/safe-chain/src/packagemanager/pip/utils/pipCaBundle.spec.js @@ -0,0 +1,71 @@ +import { describe, it, beforeEach, mock } from "node:test"; +import assert from "node:assert"; +import fs from "node:fs"; +import os from "node:os"; +import path from "node:path"; +import tls from "node:tls"; + +// Utility to remove the generated bundle so the module rebuilds it on demand +function removeBundleIfExists() { + const target = path.join(os.tmpdir(), "safe-chain-python-ca-bundle.pem"); + try { + if (fs.existsSync(target)) fs.unlinkSync(target); + } catch { + // ignore + } +} + +describe("pipCaBundle.getCombinedCaBundlePath", () => { + beforeEach(() => { + mock.restoreAll(); + removeBundleIfExists(); + }); + + it("includes Safe Chain CA when parsable and produces a PEM bundle", async () => { + // Prepare a temporary Safe Chain CA file with a recognizable marker and a valid cert block + const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "pipcabundle-")); + const safeChainPath = path.join(tmpDir, "safechain-ca.pem"); + const marker = "# SAFE_CHAIN_TEST_MARKER"; + const rootPem = typeof tls.rootCertificates?.[0] === "string" ? tls.rootCertificates[0] : ""; + assert.ok(rootPem.includes("BEGIN CERTIFICATE"), "Environment lacks Node root certificates for test"); + fs.writeFileSync(safeChainPath, `${marker}\n${rootPem}`, "utf8"); + + // Mock the certUtils.getCaCertPath to return our temp file + mock.module("../../../registryProxy/certUtils.js", { + namedExports: { + getCaCertPath: () => safeChainPath, + }, + }); + + const { getCombinedCaBundlePath } = await import("./pipCaBundle.js"); + const bundlePath = getCombinedCaBundlePath(); + assert.ok(fs.existsSync(bundlePath), "Bundle path should exist"); + const contents = fs.readFileSync(bundlePath, "utf8"); + assert.match(contents, /-----BEGIN CERTIFICATE-----/); + assert.ok(contents.includes(marker), "Bundle should include Safe Chain CA content when parsable"); + }); + + it("ignores invalid Safe Chain CA but still builds from other sources", async () => { + // Write an invalid file (no cert blocks) + const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "pipcabundle-")); + const safeChainPath = path.join(tmpDir, "safechain-invalid.pem"); + const invalidMarker = "INVALID_SAFE_CHAIN_CONTENT"; + fs.writeFileSync(safeChainPath, invalidMarker, "utf8"); + + // Mock the certUtils.getCaCertPath to return our invalid file + mock.module("../../../registryProxy/certUtils.js", { + namedExports: { + getCaCertPath: () => safeChainPath, + }, + }); + + // Ensure fresh build + removeBundleIfExists(); + const { getCombinedCaBundlePath } = await import("./pipCaBundle.js"); + const bundlePath = getCombinedCaBundlePath(); + assert.ok(fs.existsSync(bundlePath), "Bundle path should exist"); + const contents = fs.readFileSync(bundlePath, "utf8"); + assert.match(contents, /-----BEGIN CERTIFICATE-----/, "Bundle should contain certificate blocks from certifi/Node roots"); + assert.ok(!contents.includes(invalidMarker), "Bundle should not include invalid Safe Chain content"); + }); +}); diff --git a/packages/safe-chain/src/registryProxy/registryProxy.mitm.spec.js b/packages/safe-chain/src/registryProxy/registryProxy.mitm.spec.js index 72da0c6..df4332e 100644 --- a/packages/safe-chain/src/registryProxy/registryProxy.mitm.spec.js +++ b/packages/safe-chain/src/registryProxy/registryProxy.mitm.spec.js @@ -145,7 +145,7 @@ describe("registryProxy.mitm", () => { }); // --- Pip registry MITM and env var tests --- - it("should NOT set global Python CA environment variables", () => { + it("should NOT set Python CA environment variables in proxy merge (handled by runPipCommand)", () => { const envVars = mergeSafeChainProxyEnvironmentVariables([]); assert.strictEqual(envVars.PIP_CERT, undefined); assert.strictEqual(envVars.REQUESTS_CA_BUNDLE, undefined); diff --git a/test/e2e/pip.e2e.spec.js b/test/e2e/pip.e2e.spec.js index 153eca5..bdc5a14 100644 --- a/test/e2e/pip.e2e.spec.js +++ b/test/e2e/pip.e2e.spec.js @@ -193,7 +193,7 @@ describe("E2E: pip coverage", () => { ); }); - it(`pip3 can install from GitHub URL using system CAs`, async () => { + it(`pip3 can install from GitHub URL using the CA bundle`, async () => { const shell = await container.openShell("zsh"); // Install a simple package from GitHub - this should use TCP tunnel, not MITM // Using a popular, small package for testing @@ -204,10 +204,10 @@ describe("E2E: pip coverage", () => { `Output did not include expected text. Output was:\n${result.output}` ); - // Verify installation succeeded (would fail if certificate validation broke) + // Verify installation succeeded (would fail if certificate validation via env CA bundle broke) assert.ok( result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), - `Installation from GitHub failed - system CAs may not be working. Output was:\n${result.output}` + `Installation from GitHub failed - CA bundle may not be working. Output was:\n${result.output}` ); // Verify package was actually installed @@ -230,7 +230,7 @@ describe("E2E: pip coverage", () => { `Output did not include expected text. Output was:\n${result.output}` ); - // Verify successful installation (would fail with SSL/certificate errors if --cert wasn't working) + // Verify successful installation (would fail with SSL/certificate errors if the env CA bundle wasn't working) assert.ok( result.output.includes("Successfully installed"), `Installation should succeed with proper certificate validation. Output was:\n${result.output}` @@ -246,7 +246,7 @@ describe("E2E: pip coverage", () => { it(`pip3 handles external HTTPS correctly (e.g., downloading from CDN)`, async () => { const shell = await container.openShell("zsh"); // Test installing from a direct HTTPS URL (not a registry) - // This validates that non-registry HTTPS traffic works with system CAs + // This validates that non-registry HTTPS traffic works with our env-provided CA bundle const result = await shell.runCommand('pip3 install --break-system-packages https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl'); assert.ok( @@ -265,7 +265,7 @@ describe("E2E: pip coverage", () => { it(`pip3 can install from alternate PyPI mirror (tunneled, not MITM)`, async () => { const shell = await container.openShell("zsh"); // Use Tsinghua PyPI mirror which is NOT in knownPipRegistries - // This tests tunneled HTTPS with --cert containing only Safe Chain CA + // This tests tunneled HTTPS with our env-provided CA bundle (Safe Chain CA + Mozilla + Node roots) // If the CA bundle doesn't include public roots, this will fail with CERTIFICATE_VERIFY_FAILED const result = await shell.runCommand('pip3 install --break-system-packages --index-url https://pypi.tuna.tsinghua.edu.cn/simple certifi'); @@ -277,7 +277,7 @@ describe("E2E: pip coverage", () => { // Should succeed if CA bundle properly handles tunneled hosts assert.ok( result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"), - `Installation from PyPI mirror failed. This may indicate --cert CA bundle lacks public roots. Output was:\n${result.output}` + `Installation from PyPI mirror failed. This may indicate the CA bundle lacks public roots. Output was:\n${result.output}` ); // Should NOT contain certificate verification errors