07-10-2019, 09:54 AM | #226 |
Sigil Developer
Posts: 7,644
Karma: 5433388
Join Date: Nov 2009
Device: many
|
I have added a new python3 module "certifi" to the Python 3.7 framework builds to work around the missing network certificate. This change has been pushed to master. The fix for this mac specific ssl issue will appear in the next release.
Thanks for your bug report. |
07-10-2019, 01:39 PM | #227 |
just an egg
Posts: 1,586
Karma: 4300000
Join Date: Mar 2015
Device: Kindle, iOS
|
KevinH and Doitsu!
|
Advert | |
|
07-21-2019, 01:30 AM | #228 | |
just an egg
Posts: 1,586
Karma: 4300000
Join Date: Mar 2015
Device: Kindle, iOS
|
Sadly, when I tested a clean install of the plugin on 0.9.16, I got the same error:
Code:
*** PYTHON ERROR *** SSL version: OpenSSL 1.1.1c-dev xx XXX xxxx An exception of type URLError occurred. Arguments: (SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)'),) Quote:
|
|
07-21-2019, 01:56 AM | #229 | |
Sigil Developer
Posts: 7,644
Karma: 5433388
Join Date: Nov 2009
Device: many
|
That problem really should not be happening anymore. I have compiled in a static copy of full openSSL library and added the certfi module to provide the certificates.
I will try on another mac machine I have to see what is going on here. Sorry about that. Kevin Quote:
|
|
07-21-2019, 09:18 AM | #230 |
Sigil Developer
Posts: 7,644
Karma: 5433388
Join Date: Nov 2009
Device: many
|
Okay, It seems the python 3.6 and later devs for macOs are complete brainless morons. Their "solution" given here:
https://github.com/python/python/blo...icates.command is to have the user post process its python executable after installation to use symlinks to trick its ssl.c source code of its ssl module to load the certificates from certfi and then removing the true openssl certificares from where they were installed by openssl. All of this only works if you always install openssl in the same place, and only install python in the same place - not relocatable and embedded like Sigil uses it, and of course means you then break any code signing of Sigil when you run it. This is a complete joke for being an official solution. It simply will not work for us at all. Not sure why Python just does not use its own internal openssl build as they do on other platforms. It is a horrible hack and not a solution at all. Not sure how and even if there is a fix for us that does not require the user to build and install openssl 1.1.1 on their own mac. KevinH |
Advert | |
|
07-21-2019, 10:37 AM | #231 |
Sigil Developer
Posts: 7,644
Karma: 5433388
Join Date: Nov 2009
Device: many
|
Yes, confirmed. Python's trick is to remove the official openssl /usr/local/ssl/cert.pem file and replace it with a hard symlink to the version installed with certifi potentially breaking all other apps that need or use openssl.
Just horrible. |
07-21-2019, 10:39 AM | #232 |
Grand Sorcerer
Posts: 27,549
Karma: 193191846
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
|
Ouch. That sounds like that limits a plugin from even checking a file on https servers for update availability in general. Not just this plugin. Another thing to consider: I moved Sigil's update checker routines to embedded python calls quite a while ago. You may want to check if that's going to be a problem (or IS a problem now) on Macs.
|
07-21-2019, 11:14 AM | #233 | |
Sigil Developer
Posts: 7,644
Karma: 5433388
Join Date: Nov 2009
Device: many
|
Yes that is something I will definitely check. Qt does have routines to handle this and we even use them in places in the Sigil source. Perhaps for safety sake we could go back to using Qt's version of handling the update requests just for Sigil?
Quote:
|
|
07-21-2019, 11:25 AM | #234 | |
Sigil Developer
Posts: 7,644
Karma: 5433388
Join Date: Nov 2009
Device: many
|
Odamizu,
Are you okay using the command line (Terminal.app) and if so would you be willing to try the following for me. This assumes you have installed version 0.9.16 in Sigil.app in /Applications. If not we will have to modify the commands: 1. First fire up Terminal.app and check to see if you have a /usr/local/ssl directory Code:
ls /usr/local/ssl Code:
cd /usr/local sudo mkdir ssl Code:
cd /Applications/Sigil.app/Contents/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/certifi/ ls Code:
sudo cp cacert.pem /usr/local/ssl/cert.pem Does this fix the issue? Thanks, KevinH Quote:
|
|
07-21-2019, 11:36 AM | #235 |
creator of calibre
Posts: 43,856
Karma: 22666666
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
|
Dont use cerifi. Instead include the certificates .pem file in the Sigil bundle and set the SSL_CERT_FIlE env var in Info.plist to point to it. Like this:
SSL_CERT_FILE='@executable_path/../Resources/resources/mozilla-ca-certs.pem' |
07-21-2019, 11:38 AM | #236 | |
Grand Sorcerer
Posts: 27,549
Karma: 193191846
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
|
Quote:
That won't help plugin devs look up https urls with plugins on macs, though. EDIT: Ooh... I hope Kovid's proposal works out for mac plugins in general, though! (not that we still can't move Sigil's update checker back to Qt). Last edited by DiapDealer; 07-21-2019 at 11:40 AM. |
|
07-21-2019, 12:05 PM | #237 |
Sigil Developer
Posts: 7,644
Karma: 5433388
Join Date: Nov 2009
Device: many
|
Thanks Kovid! We will have to fix this with a new release.
That said, as a simpler workaround right now based on Kovid's approach, just adding an the following environment variable should then work since we can use the certifi certificate that is in this release until we add our own and change Info.plist and add the mozilla cert. Code:
export SSL_CERT_FILE="/Applications/Sigil.app/Contents/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/certifi/cacert.pem" Also, another workaround could be to do this upfront in the plugin code using info the the python path to extract the correct path to the certificate no matter where the user install Sigil.app on a mac. |
07-21-2019, 12:31 PM | #238 | |
Grand Sorcerer
Posts: 27,549
Karma: 193191846
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
|
Quote:
We could also insert this new one in the same place in PluginRunnner.cpp (for the next release), since the env var really only needs to exist for the python process and not Sigil in general. |
|
07-21-2019, 12:55 PM | #239 |
Sigil Developer
Posts: 7,644
Karma: 5433388
Join Date: Nov 2009
Device: many
|
Yes, that way we could keep the certifi package just to get an up to date ceritificate that will always be stored in site-packages and then get the current app location and build the proper environment var to be included just before launching the plugin.
I would guess most people install Sigil.app into /Applications but I run it from all over the place and have about 5 versions of it on my machine, so I want to build up the path to the Python.framework inside Sigil.app dynamically at runtime and then export it. |
07-21-2019, 01:31 PM | #240 |
Sigil Developer
Posts: 7,644
Karma: 5433388
Join Date: Nov 2009
Device: many
|
I am testing the version with PluginRunner setting the correct path to the site-packages/certifi/cacert.pem and exporting it as SSL_CERT_FILE. If that works, I can make a new release just for macOS to replace the current binary.
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
[Plugin] PunctuationSmarten Sigil plugin | DiapDealer | Plugins | 138 | 07-11-2023 11:22 AM |
[Plugin] KindleImport Sigil plugin | DiapDealer | Plugins | 187 | 07-04-2022 10:11 AM |
Sigil Plugin Index | Thasaidon | Plugins | 0 | 10-04-2014 07:41 AM |
FC and Sigil 0.5.3 ePUBcheck failure | Hitch | Sigil | 32 | 04-17-2012 02:56 AM |
Web-based epubcheck upgraded to epubcheck 1.0.5 | kjk | ePub | 4 | 02-09-2010 09:53 PM |