diff --git a/tools/idf_tools.py b/tools/idf_tools.py index 8a17ed224d..7b8a314f23 100755 --- a/tools/idf_tools.py +++ b/tools/idf_tools.py @@ -199,8 +199,8 @@ CURRENT_PLATFORM = Platforms.get(PYTHON_PLATFORM) EXPORT_SHELL = 'shell' EXPORT_KEY_VALUE = 'key-value' -# "DigiCert Global Root CA" -DIGICERT_ROOT_CERT = u""" +# the older "DigiCert Global Root CA" certificate used with github.com +DIGICERT_ROOT_CA_CERT = """ -----BEGIN CERTIFICATE----- MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 @@ -225,6 +225,35 @@ CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4= -----END CERTIFICATE----- """ +# the newer "DigiCert Global Root G2" certificate used with dl.espressif.com +DIGICERT_ROOT_G2_CERT = """ +-----BEGIN CERTIFICATE----- +MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH +MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT +MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j +b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI +2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx +1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ +q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz +tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ +vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV +5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY +1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4 +NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG +Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91 +8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe +pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl +MrY= +-----END CERTIFICATE----- +""" + +DL_CERT_DICT = {'dl.espressif.com': DIGICERT_ROOT_G2_CERT, + 'github.com': DIGICERT_ROOT_CA_CERT} + global_quiet = False global_non_interactive = False @@ -429,17 +458,15 @@ def download(url, destination): # type: (str, str) -> Optional[Exception] info(f'Downloading {url}') info(f'Destination: {destination}') try: - ctx = None - # For dl.espressif.com and github.com, add the DigiCert root certificate. - # This works around the issue with outdated certificate stores in some installations. - if 'dl.espressif.com' in url or 'github.com' in url: - try: + for site, cert in DL_CERT_DICT.items(): + # For dl.espressif.com and github.com, add the DigiCert root certificate. + # This works around the issue with outdated certificate stores in some installations. + if site in url: ctx = ssl.create_default_context() - ctx.load_verify_locations(cadata=DIGICERT_ROOT_CERT) - except AttributeError: - # no ssl.create_default_context or load_verify_locations cadata argument - # in Python <=2.7.8 - pass + ctx.load_verify_locations(cadata=cert) + break + else: + ctx = None urlretrieve_ctx(url, destination, report_progress if not global_non_interactive else None, context=ctx) sys.stdout.write('\rDone\n')