fix: Resolve ca-certificates installed in the local environment (#4101)

jjerphan · web-flow · commit 4a43769c0970 · 2025-12-02T15:52:27.000+01:00
Signed-off-by: Julien Jerphanion &lt;git@jjerphan.xyz&gt;
diff --git a/libmamba/src/download/downloader.cpp b/libmamba/src/download/downloader.cpp
@@ -8,6 +8,7 @@
 #include "mamba/core/invoke.hpp"
 #include "mamba/core/thread_utils.hpp"
 #include "mamba/core/util.hpp"
+#include "mamba/core/util_os.hpp"
 #include "mamba/core/util_scope.hpp"
 #include "mamba/download/downloader.hpp"
 #include "mamba/util/build.hpp"
@@ -84,23 +85,60 @@ namespace mamba::download
                 // from `conda-forge::ca-certificates` and the system CA certificates.
                 else if (remote_fetch_params.ssl_verify == "<system>")
                 {
-                    // Use the CA certificates from `conda-forge::ca-certificates` installed in the
-                    // root prefix or the system CA certificates if the certificate is not present.
-                    fs::u8path root_prefix = detail::get_root_prefix();
-                    fs::u8path env_prefix_conda_cert = root_prefix / "ssl" / "cacert.pem";
-
-                    LOG_INFO << "Checking for CA certificates at the root prefix: "
+                    // See the location of the CA certificates as distributed by
+                    // `conda-forge::ca-certificates`:
+                    // https://github.com/conda-forge/ca-certificates-feedstock/blob/main/recipe/meta.yaml#L25-L29
+                    const fs::u8path prefix_relative_conda_cert_path = (util::on_win ? fs::u8path("Library") / "ssl" / "cacert.pem" : fs::u8path("ssl") / "cert.pem");
+
+                    const fs::u8path executable_path = get_self_exe_path();
+
+                    // Find the environment prefix using the path of the `mamba` or `micromamba`
+                    // executable (we cannot assume the existence of an environment variable or
+                    // etc.).
+                    //
+                    // `mamba` or `micromamba` is installed at:
+                    //
+                    //    - `${PREFIX}/bin/{mamba,micromamba}` on Unix
+                    //    - `${PREFIX}/Library/bin/{mamba,micromamba}.exe` on Windows
+                    //
+                    const fs::u8path env_prefix
+                        = (util::on_win ? executable_path.parent_path().parent_path().parent_path()
+                                        : executable_path.parent_path().parent_path());
+
+                    const fs::u8path env_prefix_conda_cert = env_prefix
+                                                             / prefix_relative_conda_cert_path;
+
+                    LOG_INFO << "Checking for CA certificates in the same prefix as the executable installation: "
                              << env_prefix_conda_cert;
 
                     if (fs::exists(env_prefix_conda_cert))
                     {
-                        LOG_INFO << "Using CA certificates from `conda-forge::ca-certificates` installed in the root prefix "
-                                 << "(i.e " << env_prefix_conda_cert << ")";
+                        LOG_INFO << "Using CA certificates from `conda-forge::ca-certificates` installed in the same prefix "
+                                 << "as the executable installation (i.e " << env_prefix_conda_cert
+                                 << ")";
                         remote_fetch_params.ssl_verify = env_prefix_conda_cert;
                         remote_fetch_params.curl_initialized = true;
                         return;
                     }
 
+                    // Try to use the CA certificates from `conda-forge::ca-certificates` installed
+                    // in the root prefix.
+                    const fs::u8path root_prefix = detail::get_root_prefix();
+                    const fs::u8path root_prefix_conda_cert = root_prefix
+                                                              / prefix_relative_conda_cert_path;
+
+                    LOG_INFO << "Checking for CA certificates at the root prefix: "
+                             << root_prefix_conda_cert;
+
+                    if (fs::exists(root_prefix_conda_cert))
+                    {
+                        LOG_INFO << "Using CA certificates from `conda-forge::ca-certificates` installed in the root prefix "
+                                 << "(i.e " << root_prefix_conda_cert << ")";
+                        remote_fetch_params.ssl_verify = root_prefix_conda_cert;
+                        remote_fetch_params.curl_initialized = true;
+                        return;
+                    }
+
                     // Fallback on system CA certificates.
                     bool found = false;
 
diff --git a/micromamba/tests/test_env.py b/micromamba/tests/test_env.py
@@ -1,6 +1,8 @@
 import os
 import re
 import shutil
+import subprocess
+import platform
 
 from packaging.version import Version
 from pathlib import Path
@@ -624,3 +626,44 @@ def test_env_export_with_uv_flag(tmp_home, tmp_root_prefix, tmp_path, json_flag)
     # Check that `requests` and `urllib3` (pulled dependency) are exported
     assert "requests==2.32.3" in pip_section_vals
     assert any(pkg.startswith("urllib3==") for pkg in pip_section_vals)
+
+
+def test_env_export_with_ca_certificates(tmp_path):
+    # CA certificates in the same environment as `mamba` or `micromamba`
+    # executable installation are used by default.
+    tmp_env_prefix = tmp_path / "env-export-with-ca-certificates"
+
+    helpers.create("-p", tmp_env_prefix, "ca-certificates", no_dry_run=True)
+
+    # Copy the `mamba` or `micromamba` executable in this prefix `bin` subdirectory
+    built_executable = helpers.get_umamba()
+    executable_basename = os.path.basename(built_executable)
+
+    if platform.system() == "Windows":
+        tmp_env_bin_dir = tmp_env_prefix / "Library" / "bin"
+        tmp_env_executable = tmp_env_bin_dir / executable_basename
+        (tmp_env_bin_dir).mkdir(parents=True, exist_ok=True)
+        # Copy all the `Library/bin/` subdirectory to have the executable in
+        # the environment and the DLLs in the environment.
+        shutil.copytree(Path(built_executable).parent, tmp_env_bin_dir, dirs_exist_ok=True)
+    else:
+        tmp_env_bin_dir = tmp_env_prefix / "bin"
+        tmp_env_executable = tmp_env_bin_dir / executable_basename
+        (tmp_env_bin_dir).mkdir(parents=True, exist_ok=True)
+        shutil.copy(built_executable, tmp_env_executable)
+
+    # Run a command using mamba in verbose mode and check that the ca-certificates file
+    # from the same prefix as the executable is used by default.
+    p = subprocess.run(
+        [tmp_env_executable, "search", "xtensor", "-v"],
+        capture_output=True,
+        check=False,
+    )
+    stderr = p.stderr.decode()
+    assert (
+        "Checking for CA certificates in the same prefix as the executable installation" in stderr
+    )
+    assert (
+        "Using CA certificates from `conda-forge::ca-certificates` installed in the same prefix"
+        in stderr
+    )
