SyncplayClient: explicitly pass `certifi` as trustRoot for Twisted

- py2app: include pem in the bundle
- requirements: add pem
- SyncplayClient.start: explicitly use certifi store as trustRoot

buildPy2app.py

@@ -17,7 +17,7 @@ DATA_FILES = [
 OPTIONS = {
     'iconfile': 'syncplay/resources/icon.icns',
     'extra_scripts': 'syncplayServer.py',
-    'includes': {'PySide2.QtCore', 'PySide2.QtUiTools', 'PySide2.QtGui', 'PySide2.QtWidgets', 'certifi', 'cffi'},
+    'includes': {'PySide2.QtCore', 'PySide2.QtUiTools', 'PySide2.QtGui', 'PySide2.QtWidgets', 'certifi', 'cffi', 'pem'},
     'excludes': {'PySide', 'PySide.QtCore', 'PySide.QtUiTools', 'PySide.QtGui', 'tkinter'},
     'qt_plugins': [
         'platforms/libqcocoa.dylib',

requirements.txt

@@ -1,4 +1,5 @@
 certifi>=2018.11.29
+pem>=21.2.0
 twisted[tls]>=16.4.0
 appnope>=0.1.0; sys_platform == 'darwin'
 pypiwin32>=223; sys_platform == 'win32'

syncplay/client.py

@@ -19,11 +19,13 @@ from twisted.internet.protocol import ClientFactory
 from twisted.internet import reactor, task, defer, threads
 
 try:
+    SSL_CERT_FILE = None
     import certifi
-    from twisted.internet.ssl import Certificate, optionsForClientTLS
+    import pem
+    from twisted.internet.ssl import Certificate, optionsForClientTLS, trustRootFromCertificates
     certPath = certifi.where()
     if os.path.exists(certPath):
-        os.environ['SSL_CERT_FILE'] = certPath
+        SSL_CERT_FILE = certPath
     elif 'zip' in certPath:
         import tempfile
         import zipfile
@@ -32,7 +34,7 @@ try:
         archive = zipfile.ZipFile(zipPath, 'r')
         tmpDir = tempfile.gettempdir()
         extractedPath = archive.extract(memberPath, tmpDir)
-        os.environ['SSL_CERT_FILE'] = extractedPath
+        SSL_CERT_FILE = extractedPath
 except:
     pass
 
@@ -831,10 +833,9 @@ class SyncplayClient(object):
         port = int(port)
         self._endpoint = HostnameEndpoint(reactor, host, port)
         try:
-            caCertFP = open(os.environ['SSL_CERT_FILE'])
+            certs = pem.parse_file(SSL_CERT_FILE)
-            caCertTwisted = Certificate.loadPEM(caCertFP.read().encode('utf-8'))
+            trustRoot = trustRootFromCertificates([Certificate.loadPEM(str(cert)) for cert in certs])
-            caCertFP.close()
+            self.protocolFactory.options = optionsForClientTLS(hostname=host, trustRoot=trustRoot)
-            self.protocolFactory.options = optionsForClientTLS(hostname=host)
             self._clientSupportsTLS = True
         except Exception as e:
             self.ui.showDebugMessage(str(e))