From 6d11e571d8cff7a7e8165ac77759b956b537edfa Mon Sep 17 00:00:00 2001
From: Nirbheek Chauhan <nirbheek@centricular.com>
Date: Thu, 13 Jul 2023 01:52:29 +0530
Subject: [PATCH] ci: Fix Python Windows Cert Store issue properly

Just import Mozilla's CA certs from certifi so that all root certs are
available. This fixes meson being unable to download any subproject
sources for caching.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5043>
---
 ci/docker/windows/prepare_gst_env.ps1 | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/ci/docker/windows/prepare_gst_env.ps1 b/ci/docker/windows/prepare_gst_env.ps1
index b741fce6e9..fd2f70840c 100644
--- a/ci/docker/windows/prepare_gst_env.ps1
+++ b/ci/docker/windows/prepare_gst_env.ps1
@@ -1,9 +1,18 @@
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
 
-# FIXME: Python fails to validate github.com SSL certificate, unless we first
-# run a dummy download to force refreshing Windows' CA database.
-# See: https://bugs.python.org/issue36137
-(New-Object System.Net.WebClient).DownloadString("https://github.com") >$null
+# FIXME: Python fails to validate SSL certificates because of an incorrect
+# schannel implementation. Windows downloads CA certs dynamically as required,
+# and Python doesn't do the right thing to trigger that. So, add Mozilla's
+# certs (via certifi) to the windows cert store manually. See:
+# https://bugs.python.org/issue36137
+# https://bugs.python.org/issue36011
+
+python -m pip install certifi
+$cert_pem = python -m certifi
+$plaintext_pw = 'PASSWORD'
+$secure_pw = ConvertTo-SecureString $plaintext_pw -AsPlainText -Force
+C:\msys64\ucrt64\bin\openssl.exe pkcs12 -export -nokeys -out $env:TEMP\certs.pfx -in $cert_pem -passout pass:$plaintext_pw
+Import-PfxCertificate -Password $secure_pw  -CertStoreLocation Cert:\LocalMachine\Root -FilePath $env:TEMP\certs.pfx
 
 Write-Host "Cloning GStreamer"
 git clone -b $env:DEFAULT_BRANCH https://gitlab.freedesktop.org/gstreamer/gstreamer.git C:\gstreamer
@@ -13,5 +22,5 @@ Write-Host "Downloading subprojects"
 meson subprojects download --sourcedir C:\gstreamer
 
 Write-Host "Caching subprojects into /subprojects/"
-python C:\gstreamer/ci/scripts/handle-subprojects-cache.py --build C:\gstreamer/subprojects/
+python C:/gstreamer/ci/scripts/handle-subprojects-cache.py --build C:/gstreamer/subprojects
 Remove-Item -Recurse -Force C:\gstreamer