Add "native-certs" feature flag #944
This feature flag enables the "native-certs" feature from tame-index which enables the use of the host OS certificate store with reqwest.
Thanks for the PR! A couple of questions for you:
Does this mean it only works with the Also, is there a good way to add some tests to ensure this feature continues to work correctly in the future? I'm afraid I'm not familiar with the details of OS certificate stores, so I'd like to proactively minimize the risk of something breaking down the line in a way that I as the maintainer would be on the hook to fix.
Hmm so looking at it a bit more, it's pretty complicated. Let me see if I can explain what's going on. I can't guarantee that all of this information is 100% accurate, but it is my understanding of the situation. I'm not sure what your familiarity level is with TLS certificates, but basically when making an HTTPS request, you'll likely have some number of root certificates locally that are used to validate the remote server's TLS certificate. The default behavior with browsers and things like wget/curl (which typically use OpenSSL on Linux for example) is to use the root certificates installed on the host OS. A lot of the Rust ecosystem however uses And now on the specifics here.
The existing feature flag for So the change I did really only affects the An additional complication though is that even if you do I'm happy to update the comment on the feature to try to describe this since it is complicated. I could also rename the feature to Regarding tests, I'm sure there is some way to do that, but I suspect it would be complicated. I haven't looked deeply at how this project handles tests, but you would likely need a registry behind an HTTP server with a self-signed certificate and then have a container with the self-signed certificate installed to prove that it can talk to it. I'm not even sure if this is possible given that there's no third party registry support (though you could do it at the Sorry for the long comment, but let me know what you would like me to do with this or if you have any other questions.
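The trust decision discussed in the comment above, as an added example that is not part of the PR or written by anyone in this thread: a certificate issued by a private CA is rejected by a fixed root bundle and accepted once the host store contains that CA. It assumes the `openssl` CLI (1.1.0 or later) with its default configuration; every file name and subject is constructed.

```shell
#!/bin/sh
# Constructed demo: all names, subjects and files below are made up for illustration.
set -eu

# make_ca PREFIX CN: create a self-signed root CA, written to PREFIX.key / PREFIX.pem.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
}

# verify_with ROOTS LEAF: succeeds only if LEAF chains to a root listed in ROOTS.
# -no-CAfile/-no-CApath keep OpenSSL's own default trust locations out of the result.
verify_with() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# run_demo: prints "bundled=<verdict> host=<verdict>" for one leaf certificate.
run_demo() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        make_ca bundled "Constructed Public Root"   # stands in for roots shipped inside a binary
        make_ca corp "Constructed Corporate Root"   # stands in for a CA installed on the host
        # Leaf for a hypothetical internal registry, issued by the corporate CA.
        openssl req -newkey rsa:2048 -nodes -keyout reg.key -out reg.csr \
            -subj "/CN=registry.corp.example" 2>/dev/null
        openssl x509 -req -in reg.csr -CA corp.pem -CAkey corp.key \
            -CAcreateserial -days 1 -out reg.pem 2>/dev/null
        cat bundled.pem corp.pem > host-store.pem   # host store: public roots plus corporate CA
        if verify_with bundled.pem reg.pem; then b=trusted; else b=rejected; fi
        if verify_with host-store.pem reg.pem; then h=trusted; else h=rejected; fi
        echo "bundled=$b host=$h"
    )
    rm -rf "$dir"
}

run_demo
```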
Thanks for the detailed comment, I appreciate it! Any chance you might be up for chatting about the two PRs over a video call one of these days? I'd love to learn more about your use cases and figure out how
Yep. Happy to. Shoot me an email and we can coordinate on timing.
This feature flag enables the "native-certs" feature from tame-index which enables the use of the host OS certificate store with reqwest. I'm separately working on a PR to support third party registries. This feature flag is needed to support third party registries on some corporate networks.