Certifi cert-tools

This repository contains the tooling used to generate the certifi certificate bundle. Some of these tools are useful generally; others are only useful in the context of the certifi project.

The following tools are included:

  • update-certify.py: A script that automatically updates the official certifi releases.

The Tools

$ update-certify.py

This script is used to update the certifi libraries in their various languages to the newest certificates. It is run in response to a change in the certificate bundle used by certifi.

This tool functions by checking out the GitHub repositories containing the certifi libraries and updating them according to their specific invoke scripts. This causes these libraries to push new releases to their relevant package managers.

For obvious reasons, this can only be run by people with access to the certifi repositories.

$ tasks.py

This provides a series of tasks for use with invoke. It requires that extract-nss-root-certs is somewhere on your $PATH. You can run three commands:

  1. inv generate. This task generates a cacerts.pem file in the local directory. It takes a single optional argument, --filename, that can be used to set a different output filename, e.g. --filename="test.pem".
  2. inv diff. This task diffs cacerts.pem against the latest uploaded .pem file, and prints whether the two are different. This takes two optional arguments: --filename, which works as above; and --gen, which runs the generate step before diffing.
  3. inv upload. This task uploads the new .pem file to the configured S3 bucket.
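As an added example (not code from the cert-tools repository), one way the diff step could compare the local cacerts.pem against the last uploaded bundle certificate by certificate, so that line wrapping or ordering changes are not reported as a difference while an added or removed root is. The PEM bodies it uses are constructed from arbitrary bytes, not real CA certificates.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block; the body may be wrapped at any width.
_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def certificate_fingerprints(pem_text: str) -> dict:
    """Map the SHA-256 fingerprint of each certificate in a bundle to its DER bytes.

    Whitespace inside the base64 body is ignored, so two bundles that differ only
    in formatting or certificate order produce the same set of fingerprints.
    """
    fingerprints = {}
    for match in _BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        fingerprints[hashlib.sha256(der).hexdigest()] = der
    return fingerprints


def diff_bundles(local_pem: str, uploaded_pem: str) -> dict:
    """Return fingerprints present only locally ('added') or only upstream ('removed')."""
    local = certificate_fingerprints(local_pem)
    uploaded = certificate_fingerprints(uploaded_pem)
    return {
        "added": sorted(set(local) - set(uploaded)),
        "removed": sorted(set(uploaded) - set(local)),
    }


def bundles_differ(local_pem: str, uploaded_pem: str) -> bool:
    """True when the two bundles do not contain exactly the same certificates."""
    changes = diff_bundles(local_pem, uploaded_pem)
    return bool(changes["added"] or changes["removed"])


def _pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-character lines."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample "certificates": arbitrary bytes, enough to exercise the comparison.
CERT_A = _pem(b"constructed-der-a" * 8)
CERT_B = _pem(b"constructed-der-b" * 8)
CERT_C = _pem(b"constructed-der-c" * 8)
```

Running diff_bundles(CERT_A + CERT_B, CERT_A + CERT_C) reports one added and one removed fingerprint, while reordering the same two certificates reports no change.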

$ extract-nss-root-certs

This tool converts the Mozilla certificate file into a *.pem file that excludes all untrusted certificates. The tool is not included in this repository, as it's written in Go: it can be found here. Rather than building this code yourself, you can download a binary from here. This avoids the need for a Go compiler.