Skip to main content

Verify certificates using native system trust stores

Project description

Truststore

PyPI CI

Truststore is a library which exposes native system certificate stores (ie "trust stores") through an ssl.SSLContext-like API. This means that Python applications no longer need to rely on certifi as a root certificate store. Native system certificate stores have many helpful features compared to a static certificate bundle like certifi:

  • Automatically update certificates as new CAs are created and removed
  • Fetch missing intermediate certificates
  • Check certificates against certificate revocation lists (CRLs) to avoid monster-in-the-middle (MITM) attacks
  • Managed per-system rather than per-application by a operations/IT team
  • PyPI is no longer a CA distribution channel 🥳

Right now truststore is a stand-alone library that can be installed globally in your application to immediately take advantage of the benefits in Python 3.10+. Truststore has also been integrated into pip 24.2+ as the default method for verifying HTTPS certificates (with a fallback to certifi).

Long-term the hope is to add this functionality into Python itself. Wish us luck!

Installation

Truststore is installed from PyPI with pip:

$ python -m pip install truststore

Truststore requires Python 3.10 or later and supports the following platforms:

User Guide

Warning PLEASE READ: inject_into_ssl() must not be used by libraries or packages as it will cause issues on import time when integrated with other libraries. Libraries and packages should instead use truststore.SSLContext directly which is detailed below.

The inject_into_ssl() function is intended only for use in applications and scripts.

You can inject truststore into the standard library ssl module so the functionality is used by every library by default. To do so use the truststore.inject_into_ssl() function:

import truststore
truststore.inject_into_ssl()

# Automatically works with urllib3, requests, aiohttp, and more:
import urllib3
http = urllib3.PoolManager()
resp = http.request("GET", "https://example.com")

import aiohttp
http = aiohttp.ClientSession()
resp = await http.request("GET", "https://example.com")

import requests
resp = requests.get("https://example.com")

If you'd like finer-grained control or you're developing a library or package you can create your own truststore.SSLContext instance and use it anywhere you'd use an ssl.SSLContext:

import ssl
import truststore

ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

import urllib3
http = urllib3.PoolManager(ssl_context=ctx)
resp = http.request("GET", "https://example.com")

You can read more in the user guide in the documentation.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

truststore-0.10.1.tar.gz (26.1 kB view details)

Uploaded Source

Built Distribution

truststore-0.10.1-py3-none-any.whl (18.5 kB view details)

Uploaded Python 3

File details

Details for the file truststore-0.10.1.tar.gz.

File metadata

  • Download URL: truststore-0.10.1.tar.gz
  • Upload date:
  • Size: 26.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.11.4

File hashes

Hashes for truststore-0.10.1.tar.gz
Algorithm Hash digest
SHA256 eda021616b59021812e800fa0a071e51b266721bef3ce092db8a699e21c63539
MD5 94759b92e1782acedc1394fd9a10f783
BLAKE2b-256 0fa7b7a43228762966a13598a404f3dfb4803ea29a906f449d8b0e73ed0bcd30

See more details on using hashes here.

File details

Details for the file truststore-0.10.1-py3-none-any.whl.

File metadata

  • Download URL: truststore-0.10.1-py3-none-any.whl
  • Upload date:
  • Size: 18.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.11.4

File hashes

Hashes for truststore-0.10.1-py3-none-any.whl
Algorithm Hash digest
SHA256 b64e6025a409a43ebdd2807b0c41c8bff49ea7ae6550b5087ac6df6619352d4c
MD5 b668e192eb3f9e9d22184f4069bdda0d
BLAKE2b-256 bcdf8ad635bdcfa8214c399e5614f7c2121dced47defb755a85ea1fa702ffb1c

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page