classification
Title: Mac OSX Installer SSL Roots
Type: behavior Stage: resolved
Components: Installation, macOS Versions: Python 3.8, Python 3.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: Tommy.Carstensen, christian.heimes, ned.deily, r.david.murray, rahvee, rhettinger, ronaldoussoren
Priority: normal Keywords:

Created on 2017-02-08 11:30 by rahvee, last changed 2018-02-28 07:19 by ned.deily. This issue is now closed.

Messages (6)
msg287302 - Author: Edward Ned Harvey (rahvee) Date: 2017-02-08 11:30
I would like to suggest that the OSX installer automatically run "Install Certificates.command", or display a prompt to users saying "Run Now" during installation.

Having the readme is helpful - but only after you google for 20 minutes, because of an exception you encountered. Of course nobody reads the readme during install. "I've installed python a thousand times before, I know what I'm doing."

There are so many things that require SSL, and it's reasonably assumed to be functional by default.
msg287311 - Author: R. David Murray (r.david.murray) (Python committer) Date: 2017-02-08 12:27
I thought there was an open issue for using the Apple cert mechanisms natively, but I can't find it.  Adding the OSX people to nosy.
msg312224 - Author: Tommy Carstensen (Tommy.Carstensen) Date: 2018-02-16 01:21
I can't use requests, urllib, pandas.read_html(), etc. because of this. I don't have root access / sudo rights. I've tried downloading OpenSSL from openssl.org and then installing with:
 `./config --prefix=/my/home/dir ; make ; make install`

Then I tried installing Python with:
 `export CFLAGS="-I/my/home/dir/include" ; export LDFLAGS="-L/my/home/dir/lib" ; ./configure prefix=/my/home/dir ; make ; make install`

But it doesn't work. How can I install Python3.6 without root access / admin rights? Thanks!
msg312227 - Author: Raymond Hettinger (rhettinger) (Python committer) Date: 2018-02-16 05:07
> I would like to suggest that the OSX installer automatically run "Install Certificates.command", or display a prompt to users saying "Run Now" during installation.

+1 This would be really helpful.  I occasionally get entire rooms full of Mac users with a fresh install of Python 3.6 who immediately get stuck with something as simple as:

   import urllib.request
   urllib.request.urlopen('http://www.python.org').read()

The error messages that pop up are decidedly unhelpful.  This is especially mystifying because the original request uses "http" and the site itself redirects to "https".
msg313050 - Author: Ned Deily (ned.deily) (Python committer) Date: 2018-02-28 07:01
Tommy, you should ask your question elsewhere, like on Stackoverflow or on the Python mailing list.  It does not seem related to this issue at all or to indicate a problem with Python itself. (For the record, the Python Developer's Guide has some good tips on how to build Python for macOS and other platforms; see https://devguide.python.org/setup/#build-dependencies)
msg313052 - Author: Ned Deily (ned.deily) (Python committer) Date: 2018-02-28 07:19
Thanks for your suggestions.  I agree that the Root Certificates and OpenSSL situation on macOS is still less than desirable.  For 3.7.0b2, I have tried to make things more obvious in two ways.  One, the installer package will now attempt to open a Finder window for the /Application/Python 3.7 folder that contains the "Install Certificates.command".  Two, rather than just a generic "installation complete" message at the end of the install, there is now a tailored message that urges the user to click on the "Install Certificates.command" icon. I considered trying to run the command automatically from the installer but that gets a bit messy: 1. it requires a network connection; 2. the installer would need to ensure the installation takes place with the right user and group permission and not just as root; 3. the user might not want to use certifi; and 4. the solution needs to work across all macOS versions supported by the installer variant.  Also, it appears the installer doesn't allow command files to be executed by clicking on a link in the installer window, a prudent security measure.  While not perfect, I think what's now in 3.7.0b2 should be an improvement, at least it will be much harder to overlook without being too obnoxious about it.
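
An added diagnostic, not part of the original thread or of the installer: it reports where an interpreter's OpenSSL expects root certificates and whether anything is there, which is the state behind the `urlopen` failure discussed above. The function names `inspect_trust_store` and `remediation` are made up for this example.

```python
import os
import ssl


def inspect_trust_store(paths=None):
    """Report where OpenSSL looks for root CAs and whether it will find any.

    `paths` is an ssl.DefaultVerifyPaths tuple (defaults to this interpreter's).
    """
    if paths is None:
        paths = ssl.get_default_verify_paths()
    # .cafile/.capath are None when the file or directory does not exist, and
    # they already reflect any SSL_CERT_FILE / SSL_CERT_DIR override.
    cafile_ok = bool(paths.cafile) and os.path.getsize(paths.cafile) > 0
    capath_entries = len(os.listdir(paths.capath)) if paths.capath else 0
    ctx = ssl.create_default_context()
    return {
        "expected_cafile": paths.openssl_cafile,   # compiled-in default location
        "expected_capath": paths.openssl_capath,
        "env_overrides": (paths.openssl_cafile_env, paths.openssl_capath_env),
        "cafile_ok": cafile_ok,
        "capath_entries": capath_entries,
        # Default contexts require a valid chain, so an empty store means
        # every HTTPS handshake fails certificate verification.
        "verification_on": ctx.verify_mode == ssl.CERT_REQUIRED,
        "status": "populated" if cafile_ok or capath_entries else "empty",
    }


def remediation(report):
    """Turn the report into the next step for the user."""
    if report["status"] == "populated":
        return "default trust store has entries; the failure has another cause"
    return (
        "no root CAs found at %s or %s: populate the store (on the python.org "
        "macOS build, run 'Install Certificates.command'), point %s at a CA "
        "bundle, or pass one via ssl.create_default_context(cafile=...)"
        % (report["expected_cafile"], report["expected_capath"],
           report["env_overrides"][0])
    )


if __name__ == "__main__":
    report = inspect_trust_store()
    for key, value in report.items():
        print("%-16s %s" % (key, value))
    print(remediation(report))
```
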
History

| Date | User | Action | Args |
|---|---|---|---|
| 2018-02-28 07:19:10 | ned.deily | set | status: open -> closed; versions: + Python 3.8, - Python 3.6; messages: + msg313052; resolution: fixed; stage: resolved |
| 2018-02-28 07:01:39 | ned.deily | set | messages: + msg313050 |
| 2018-02-16 05:07:52 | rhettinger | set | nosy: + rhettinger; messages: + msg312227 |
| 2018-02-16 01:21:31 | Tommy.Carstensen | set | nosy: + Tommy.Carstensen; messages: + msg312224 |
| 2017-02-09 12:01:58 | christian.heimes | set | nosy: + christian.heimes |
| 2017-02-08 12:27:20 | r.david.murray | set | versions: + Python 3.7; nosy: + r.david.murray, ronaldoussoren, ned.deily; messages: + msg287311; components: + macOS |
| 2017-02-08 11:30:42 | rahvee | create | |