How do I tell pyinstaller to use python-certifi-win32 with --onefile option

Asked 2/6, 2021 at 11:8 Answered 23/9, 2024 at 14:39

I have a small scirpt which is using the tableau rest api to download data from tableau views. As the script is running in a corporate environment, I have to use SSL. That's where the python-certifi-win32 package comes into play. Installing the package with pip install python-certifi-win32 patches the certifi package to use the local machine certificate store. From the documentation:

This package patches certifi at runtime to also include certificates from the windows certificate store.

This works perfectly fine when I run the script from source, but if I create an executable using pyinstaller (with the --onefile option), the "patch at runtime" does not seem to happen and I get a "local certificate could not be validated" error, which is the same that I got before installing the python-certifi-win32 package.

As I am fairly new to Python, I could not figure out how exactly the python-certifi-win32 package does the "patch at runtime". I already tried with the --hidden-import option but that did not work.

Any suggestion how to tell pyinstaller (or my script) to apply the "python-certifi-win32 magic" when called as executable?

Economize answered 2/6, 2021 at 11:8 Comment(1)

python-certifi-win32 has been replaced by pip-system-certs. – Lieabed 21/7, 2022 at 18:3

You won't need to mess with hidden imports, but you will need to import the library itself.

The package loses some of its auto-magic when executing in PyInstaller's runtime setup. Resolving this depends on where you need the winstore certs, but this is what I do to get it working where I need it for requests:

if sys.platform == 'win32':
    import certifi_win32
    os.environ['REQUESTS_CA_BUNDLE'] = certifi_win32.wincerts.where()
    certifi_win32.generate_pem()

Setting REQUESTS_CA_BUNDLE will point requests to use the store that certifi_win32 creates. the generate_pem function will union the certificate bundle that is shipped with PyInstaller (located in <MEIPASS>\certifi) and the wincert store. The resulting pem file is written to %LOCALAPPDATA%/.certifi/cacert.pem.

Costrel answered 23/10, 2021 at 17:4 Comment(0)

for pip-system-certs and pyinstaller, use the following:

import pip_system_certs.wrapt_requests

see https://pypi.org/project/pip-system-certs

Explanation (copied from the above link):

The method used to automatically enable the cert handling in requests/pip/etc relies on a .pth file script that python loads at startup. This method does not work when a python application is bundled into an executable with PyInstaller (or similar).

If you want to use this tool in an application built with PyInstaller it will need to be manually enabled in your application.

This can be done by adding the following line to the top of your main application script:
import pip_system_certs.wrapt_requests
This must be run before requests is imported.

Tutty answered 23/9, 2024 at 14:39 Comment(3)

Please add an explanation! If the link breaks one day, your answer becomes useless. – Likewise 24/9, 2024 at 8:36

explanation added – Tutty 24/9, 2024 at 13:13

Thank you! I just edited your answer to properly format the quote and code. You can do that yourself next time. If you click "edit" (without actually editing), you can see how. – Likewise 24/9, 2024 at 14:12

Recommended topics

Hot tags