Does Poetry have an equivalent for the flag "--trusted-host" that is available on Pip?
I wish to start using poetry on some projects at work, where I am stuck behind corporate filters that sometimes interfere with certs.

If I use pip, I can ignore SSL errors by doing something like the below:

$ pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org <package_name>

Does something like this exist for poetry, be it a command line argument or configuration values to be put into the lock file?

Mchenry answered 25/11, 2021 at 0:27 Comment(0)
If you have the certificate of the root CA that is being used by your corporate firewall to inject its "man-in-the-middle attack", you can configure a particular repository to accept that root CA in pyproject.toml:

poetry config certificates.foo.cert /path/to/ca.pem

You can accomplish the same thing on a more global level by adding your corporate firewall's root CA certificate to the trusted root CA list for openSSL, so that most tools will just trust anything signed by your corporate firewall. You've probably already done the equivalent for your browser, which maintains its own trust list. The exact way to do that varies by operating system, but here are some instructions for Ubuntu https://ubuntu.com/server/docs/security-trust-store.

Gyatt answered 15/5, 2022 at 18:23 Comment(0)
Luckily you can!

For packages on pypi.org, poetry has a source for this already. Run

poetry config certificates.PyPI.cert false

if you don't have/need/care about a pem file.

(Notice the capitalization of PyPI)

This will allow any package from pypi without certification. Of course, in place of false you can put the path of a pem file like this:

poetry config certificates.PyPI.cert /path/to/ca.pem

To do the same for pythonhosted.org, you'll have to add the source manually like this:

poetry source add pythonhosted https://files.pythonhosted.org

Here, pythonhosted was the name I chose, but this doesn't matter (so long as you don't overwrite anything if the name already exists, obviously).

Then, we point the cert for this source to what we want like we did above:

poetry config certificates.pythonhosted.cert false

Run all of these at once with:

poetry config certificates.PyPI.cert false && poetry source add pythonhosted https://files.pythonhosted.org && poetry config certificates.pythonhosted.cert false

and you should now be able to install packages with poetry without blockers.

Gabrielegabriell answered 5/3 at 17:36 Comment(5)
Is there a reason you advise turning off CA checks altogether, as opposed to verifying that the OP is getting the true/correct certificate of their corporate proxy? - Carbaugh
That's a great question, and if you have access to the certificates, I 100% recommend using those first. If it needs to work right this second, and the priority for proper CA checks and risk of skipping them is low, then turning them off does provide immediate access. But it should be something to escalate with your organization's cyber security team. - Gabrielegabriell
"If you have access to the certificates" -- how could you not? The proxy provides the certificate to the client during any request. openssl s_client -showcerts will dump it. Granted, that's the current certificate vs the intended certificate; could get the intended certificate out of the browser or OS cert store of a corporate system image, where the security team will have installed it. - Carbaugh
In your opinion, what is the easiest way to access the correct certificates if you don't have openssl installed and you're using Windows 10 without admin access? - Gabrielegabriell
I'd need to have a Windows machine in front of me to write down exact steps -- and I don't, the systems at my desk are either NixOS or MacOS -- but if memory serves, you don't need admin access to read certificates from the system store; it's a click-around-in-the-GUI operation. (One does need admin access to modify the store, of course, but that's not what's called for here). - Carbaugh
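As an added example (not part of either answer or the comments), here is the route the comment thread converges on: dump the chain the proxy presents with openssl s_client -showcerts, take the last certificate in the dump (the proxy CA itself when it is self-signed; if your proxy only sends an intermediate, take the root from the OS store as the comments suggest), compare its SHA-256 fingerprint with the value your security team published, and only then point Poetry at it instead of setting the cert to false. It assumes openssl and Poetry are on PATH and that CORP_CA_SHA256 is a placeholder you replace with the published fingerprint.

```shell
#!/bin/sh
# Added example, not code from the Q&A. Pins the corporate proxy CA for
# Poetry only after its fingerprint matches an out-of-band published value.
set -eu

# Extract the last PEM block from `openssl s_client -showcerts` output on stdin.
extract_last_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inblock = 1 }
        inblock { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ { inblock = 0; last = buf }
        END { printf "%s", last }
    '
}

# Count PEM certificates in s_client output; a proxy-injected chain usually
# has a different length and different subjects than the real PyPI chain.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Return 0 only when the SHA-256 fingerprint of the PEM file equals $2
# (format as printed by openssl, e.g. AB:CD:...).
fingerprint_matches() {
    pem="$1"; expected="$2"
    actual=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | cut -d= -f2)
    [ "$actual" = "$expected" ]
}

# Fetch the chain for $1, write its top certificate to $3, and configure
# Poetry's built-in PyPI source to trust it if the fingerprint matches $2.
pin_for_poetry() {
    host="$1"; expected="$2"; out="$3"
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | extract_last_cert > "$out"
    if fingerprint_matches "$out" "$expected"; then
        poetry config certificates.PyPI.cert "$out"
    else
        echo "fingerprint mismatch for $host; refusing to pin $out" >&2
        return 1
    fi
}

# Placeholder: replace with the fingerprint published by your security team.
CORP_CA_SHA256="${CORP_CA_SHA256:-REPLACE_WITH_PUBLISHED_SHA256}"
if [ "${PIN_RUN:-0}" = "1" ]; then
    pin_for_poetry pypi.org "$CORP_CA_SHA256" "$HOME/corp-proxy-ca.pem"
fi
```

Run with PIN_RUN=1 once the placeholder is filled in; a mismatch leaves Poetry's configuration untouched, which is the point of checking before pinning.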
