  • postlfs/security/make-ca.xml

    r24aff8a9 rc478431  
    77  <!ENTITY certhost              "https://hg.mozilla.org/">
    88  <!ENTITY certpath              "/lib/ckfw/builtins/certdata.txt">
    9   <!ENTITY make-ca-buildsize     "6.6 MB (with all runtime deps)">
     9  <!ENTITY make-ca-buildsize     "6.9 MB (with all runtime deps)">
    1010  <!ENTITY make-ca-time          "0.1 SBU (with all runtime deps)">
    1111
    1212  <!ENTITY make-ca-download      "https://github.com/lfs-book/make-ca/releases/download/v&make-ca-version;/make-ca-&make-ca-version;.tar.xz">
    13   <!ENTITY make-ca-size          "30 KB">
    14   <!ENTITY make-ca-md5sum        "68c8625c9456815ed17e4f2219c79372">
     13  <!ENTITY make-ca-size          "36 KB">
     14  <!ENTITY make-ca-md5sum        "67e0b911e73a859fc326171c5153d455">
    1515]>
    1616
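Review bot: the tarball is still verified only through the make-ca-md5sum entity (line 14), updated here to 67e0b911e73a859fc326171c5153d455 together with the new 36 KB size; MD5 catches accidental corruption but is not collision-resistant, so if the book's templates allow a second checksum entity, a SHA-256 value alongside it would be worth adding, and the new md5sum and size should be confirmed against the published release before this is merged.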
     
    1818  <?dbhtml filename="make-ca.html"?>
    1919
    20   <sect1info>
    21     <date>$Date$</date>
    22   </sect1info>
    2320
    2421  <title>make-ca-&make-ca-version;</title>
     
    5249    </para>
    5350
    54   &lfs110a_checked;
     51    &lfs112_checked;
    5552
    5653    <bridgehead renderas="sect3">Package Information</bridgehead>
     
    138135      <para>
    139136        If running the script a second time with the same version of
    140         <filename>certdata.txt</filename>, for instance, to add additional
    141         stores as the requisite software is installed, add the
    142         <parameter>-r</parameter> switch to the command line. If packaging,
     137        <filename>certdata.txt</filename>, for instance, to update the
     138        stores when <application>make-ca</application> is upgraded, or to
     139        add additional stores as the requisite software is installed,
     140        replace the <parameter>-g</parameter> switch with the
     141        <parameter>-r</parameter> switch in the command line. If packaging,
    143142        run <command>make-ca --help</command> to see all available command
    144143        line options.
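Review bot: the rewritten sentence (lines 137-141) tells the reader to replace the -g switch with -r, but neither switch is described here; the surrounding text only implies that -r reuses the certdata.txt already on disk. A short parenthetical saying what each switch does would make the paragraph self-contained instead of relying on the reader recalling the earlier installation command. Minor wording nit: "on the command line" reads more naturally than "in the command line".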
     
    185184      version included in <xref linkend="nss"/>. Additional upstream downloads
    186185      are available at the links included in
    187       <filename>/etc/make-ca.conf.dist</filename>. Simply copy the file to
     186      <filename>/etc/make-ca/make-ca.conf.dist</filename>. Simply copy the
     187      file to
    188188      <filename>/etc/make-ca.conf</filename> and edit as appropriate.
    189189    </para>
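Review bot: the distributed file moves to /etc/make-ca/make-ca.conf.dist (line 186), but the copy target on the unchanged line 188 stays /etc/make-ca.conf. If the new release reads its configuration from the /etc/make-ca/ directory, line 188 should change to match (for example /etc/make-ca/make-ca.conf), otherwise a user following this paragraph edits a file the tool never reads; please confirm which path the new version actually consults.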
     
    276276  </sect2>
    277277
     278  <sect2 role="configuration" id="make-ca-python">
     279    <title>Using make-ca with Python3</title>
     280
     281    <para>
     282      When <application>Python3</application> was installed in LFS it included
     283      the <application>pip3</application> module with vendored certificates
     284      from the <application>Certifi</application> module. That was necessary,
     285      but it means that whenever <command>pip3</command> is used it can reference
     286      those certificates, primarily when creating a virtual environment or when
     287      installing a module with all its wheel dependencies in one go.
     288    </para>
     289
     290    <para>
     291      It is generally considered that the System Administrator should be in
     292      charge of which certificates are available. Now that <xref
     293      linkend="make-ca"/> and <xref linkend="p11-kit"/> have been installed and
     294      <application>make-ca</application> has been configured, it is possible to
     295      make <command>pip3</command> use the system certificates.
     296    </para>
     297
     298    <para>
     299      The vendored certificates installed in LFS are a snapshot from when the
     300      pulled-in version of <application>Certifi</application> was created. If
     301      you regularly update the system certificates, the vendored version will
     302      become out of date.
     303    </para>
     304
     305    <para>
     306      To use the system certificates in <application>Python3</application> you
     307      should set <envar>_PIP_STANDALONE_CERT</envar> to point to them, e.g for
     308      the <application>bash</application> shell:
     309    </para>
     310
     311<screen><userinput>export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt</userinput></screen>
     312
     313    <warning>
     314      <para>
     315        If you have created virtual environments, for example when testing modules,
     316        and those include the <application>Requests</application> and
     317        <application>Certifi</application> modules in <filename
     318        class="directory">~/.local/lib/python3.11/</filename> then those local
     319        modules will be used instead of the system certificates unless you
     320        remove the local modules.
     321      </para>
     322    </warning>
     323
     324    <para>
     325      To use the system certificates in <application>Python3</application> with
     326      the BLFS profiles add the following variable to your system or personal
     327      profiles:
     328    </para>
     329
     330<screen role="root"><userinput>mkdir -pv /etc/profile.d &amp;&amp;
     331cat &gt; /etc/profile.d/pythoncerts.sh &lt;&lt; "EOF"
     332<literal># Begin /etc/profile.d/pythoncerts.sh
     333
     334export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt
     335
     336# End /etc/profile.d/pythoncerts.sh</literal>
     337EOF</userinput></screen>
     338
     339  </sect2>
     340
    278341  <sect2 role="content">
    279342    <title>Contents</title>
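Review bot: the new section relies on _PIP_STANDALONE_CERT (lines 307, 311 and 334), whose leading underscore marks it as a pip-internal knob that can disappear in a later release without notice; the documented equivalent is PIP_CERT, the environment form of the pip --cert option, so consider setting that (or at least mentioning it) so the override survives pip upgrades. Two smaller points: the warning hardcodes python3.11 in the ~/.local path on line 318, which will go stale with each Python bump, and a file under /etc/profile.d (lines 330-337) is only sourced by login shells, so cron jobs and systemd services still fall back to the vendored Certifi bundle unless the variable is exported there as well. Typo on line 307: "e.g for" should be "e.g. for".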