From e7efe0e50df1bc876bde48d89147f6685a0e8543 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 18 Jul 2026 00:24:50 +1000 Subject: [PATCH] build: verify artifactapi TLS against the OS CA bundle The rpm-vendor skip-check probes artifactapi, which serves an internally-signed cert. Python requests uses certifi (Mozilla CAs) and so fails with CERTIFICATE_VERIFY_FAILED, defeating the skip (builds still proceed via the except path, but never skip). Point the artifactapi session at the OS CA bundle, which trusts the internal CA, with an ARTIFACTAPI_CA_BUNDLE override. --- tools/build | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/build b/tools/build index e40cb0d..f2acfec 100755 --- a/tools/build +++ b/tools/build @@ -64,6 +64,15 @@ def _make_session(retries: int = 3, backoff_factor: float = 0.5) -> requests.Ses _gitea_session = _make_session() _github_session = _make_session() _artifactapi_session = _make_session() +# artifactapi serves an internally-signed TLS cert. Verify against the OS CA +# bundle (which includes the internal CA, as dnf/curl in the builder images do) +# rather than certifi's Mozilla bundle, which does not trust it. +_artifactapi_session.verify = os.getenv('ARTIFACTAPI_CA_BUNDLE') or next( + (p for p in ('/etc/pki/tls/certs/ca-bundle.crt', + '/etc/ssl/certs/ca-certificates.crt') + if os.path.exists(p)), + True, +) # ==================== VALIDATION SCHEMA ====================