feat(networking): support system truststore for ssl trust chain [no:ci] (#92)

helmut-hoffer-von-ankershoffen · web-flow · commit e0a45658d2be · 2025-08-17T14:08:30.000+02:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -99,7 +99,7 @@ dependencies = [
     "platformdirs>=4.3.8",
     "boto3>=1.40.11",
     "certifi>=2025.8.3",
-    "dicom-validator>=0.7.1",
+    "dicom-validator>=0.7.2",
     "dicomweb-client[gcp]>=0.59.2",
     "duckdb>=0.10.0,<=1.4.0",
     "fastparquet>=2024.11.0",
@@ -126,6 +126,7 @@ dependencies = [
     "tqdm>=4.67.1",
     "urllib3>=2.5.0",
     "wsidicom>=0.27.1",
+    "truststore>=0.10.4",
 ]
 
 [project.optional-dependencies]
diff --git a/src/aignostics/system/_service.py b/src/aignostics/system/_service.py
@@ -4,6 +4,7 @@
 import os
 import platform
 import re
+import ssl
 import sys
 import typing as t
 from http import HTTPStatus
@@ -333,6 +334,9 @@ def info(include_environ: bool = False, mask_secrets: bool = True) -> dict[str,
                         "public_ipv4": Service._get_public_ipv4(),
                         "proxies": getproxies(),
                         "requests_ca_bundle": os.getenv("REQUESTS_CA_BUNDLE"),
+                        "ssl_cert_file": os.getenv("SSL_CERT_FILE"),
+                        "ssl_cert_dir": os.getenv("SSL_CERT_DIR"),
+                        "ssl_default_verify_paths": ssl.get_default_verify_paths()._asdict(),
                     },
                     "uptime": {
                         "seconds": uptime(),
diff --git a/src/aignostics/utils/boot.py b/src/aignostics/utils/boot.py
@@ -6,13 +6,12 @@
 from pathlib import Path
 
 import certifi
+import truststore
 
 from ._log import logging_initialize
 
 _boot_called = False
 
-if ssl.get_default_verify_paths().cafile is None and os.environ.get("SSL_CERT_FILE") is None:
-    os.environ["SSL_CERT_FILE"] = certifi.where()
 
 # Import third party dependencies
 third_party_dir = Path(__file__).parent.absolute() / ".." / "third_party"
@@ -33,6 +32,11 @@ def boot(modules_to_instrument: list[str]) -> None:
         return
     _boot_called = True
 
+    truststore.inject_into_ssl()
+
+    if ssl.get_default_verify_paths().cafile is None and os.environ.get("SSL_CERT_FILE") is None:
+        os.environ["SSL_CERT_FILE"] = certifi.where()
+
     from ._sentry import sentry_initialize  # noqa: PLC0415
 
     sentry_initialize()
diff --git a/uv.lock b/uv.lock
