
Comments (9)

joamag commented on July 19, 2024 4

@andy-maier I believe you can use this "temporary fix" (using PIP_TRUSTED_HOST env variable) to bump pip and avoid this error

  - uses: actions/setup-python@v5
    with:
      python-version: 3.5
    env:
      PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"

Found it here https://stackoverflow.com/questions/25981703/pip-install-fails-with-connection-error-ssl-certificate-verify-failed-certi

from setup-python.

dirkf commented on July 19, 2024 1

Since the point of the action is to install various versions of Python, end-of-life or not, you need to apply this workaround for the affected versions within the action itself.


ShadowJonathan commented on July 19, 2024 1

I agree, but adding these environment variables effectively ignores any SSL error, including MITM certificate mismatches.

I feel like an INSECURE_EOL_VERSION_OK: 1 (or similar) would be a better environment variable, explicitly acknowledging that EOL versions with security incompatibilities will be vulnerable to attacks, and that developers are okay with that (or have other security mitigations).

from setup-python.
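
Because PIP_TRUSTED_HOST (and the equivalent --trusted-host flag) switches off certificate verification for the listed hosts, it is worth knowing every place a repository sets it. The following is an added example, not part of the thread or of setup-python: a small Python audit that scans workflow text for both forms. The sample workflow, the mirror hostname and the function name are constructed for illustration.

```python
import re

# Hosts named in the workaround quoted in this thread.
WORKAROUND_HOSTS = {"pypi.python.org", "pypi.org", "files.pythonhosted.org"}

# YAML env form:  PIP_TRUSTED_HOST: "a b c"
ENV_RE = re.compile(r"""\bPIP_TRUSTED_HOST\s*:\s*(?P<q>["']?)(?P<v>[^"'#\n]*)(?P=q)""")
# CLI form:  --trusted-host a   or   --trusted-host=a
FLAG_RE = re.compile(r"--trusted-host(?:=|\s+)(?P<v>[^\s\"']+)")

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-python@v5
        with:
          python-version: 3.5
        env:
          PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
      # --trusted-host in a comment is ignored
      - run: pip install --trusted-host mirror.example.internal:8443 requests
"""

def audit_workflow(text):
    """Return one finding per place where pip's TLS verification is waived."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip whole-line YAML comments
        hits = [("PIP_TRUSTED_HOST", m.group("v").split()) for m in ENV_RE.finditer(line)]
        hits += [("--trusted-host", [m.group("v")]) for m in FLAG_RE.finditer(line)]
        for mechanism, hosts in hits:
            # pip accepts host or host:port; compare on the host part only
            names = {h.rsplit(":", 1)[0] for h in hosts}
            findings.append({
                "line": lineno,
                "mechanism": mechanism,
                "hosts": sorted(names),
                # hosts trusted beyond the three PyPI names in the workaround
                "extra_hosts": sorted(names - WORKAROUND_HOSTS),
            })
    return findings

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```
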

joamag commented on July 19, 2024

I'm also able to reproduce this behavior in a self-hosted environment.


aparnajyothi-y commented on July 19, 2024

Hello @andy-maier, Thank you for creating this issue and we will look into it :)


dirkf commented on July 19, 2024

The Python 3.4.4 Windows MSI installation is also affected and also responds to the PIP_TRUSTED_HOST work-around. This is minimally documented at https://pip.pypa.io/en/latest/cli/pip/:

--trusted-host <hostname>

    Mark this host or host:port pair as trusted, even though it does not have valid or any HTTPS.

    (environment variable: PIP_TRUSTED_HOST)

Presumably pypi.org has reconfigured its servers with some new web-breaking security option so that older SSL implementations can't verify its certificate? If so the "temporary" work-around may be wrongly described.


andy-maier commented on July 19, 2024

@joamag
Hello João. Thank you very much for this workaround!!
I can confirm that it works for us.


priya-kinthali commented on July 19, 2024

Hello everyone 👋,

This issue seems to be related to the inability of older versions of Python and pip to verify the SSL certificate provided by PyPI servers, likely due to recent updates in PyPI's SSL setup.
Notably, Python 3.5 has reached its end of life and may not be able to verify the new certificate due to compatibility issues.
However, please note that this problem doesn't directly fall within the scope of the 'actions/setup-python' repository, as it's more related to Python's interaction with PyPI, not the setup process itself.
A potential solution could be to upgrade to a newer version of Python. If upgrading Python isn't feasible, please consider implementing the below workaround as suggested by @joamag.

- uses: actions/setup-python@v5
  with:
    python-version: 3.5
  env:
    PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"

If you have any concerns, feel free to ping us. Thank you for your understanding and cooperation :)


priya-kinthali commented on July 19, 2024

Thank you for your suggestions. Unfortunately, it's not feasible for us to incorporate the proposed changes directly into the setup-python action. For users operating with EOL Python versions, we kindly recommend implementing the proposed workaround within your respective workflows. For optimal security, please consider upgrading to a supported Python version.
@andy-maier 👋, as the issue appears to have been resolved with the suggested workaround, we are proceeding with closing the issue and appreciate your understanding and cooperation :)
Please feel free to reach out to us in case of any other concerns.
