Manually load system root certificates on macOS/Linux

asher-pem-arm · Luke Beardsmore · asher-pem-arm · commit 474dfb91ddaf · 2026-06-03T17:45:04.000+01:00
Signed-off-by: Asher Pemberton &lt;asher.pemberton@arm.com&gt;
Reviewed-by: Asher Pemberton &lt;asher.pemberton@arm.com&gt; # gatekeeper
Co-authored-by: Luke Beardsmore &lt;luke.beardsmore2@arm.com&gt;
diff --git a/labgrid/remote/common.py b/labgrid/remote/common.py
@@ -1,4 +1,6 @@
 import asyncio
+import platform
+import subprocess
 import time
 import enum
 import random
@@ -60,15 +62,57 @@ def build_dict_from_map(m):
     return d
 
 
+def _fetch_root_certificates_darwin():
+    try:
+        p = subprocess.run(
+            ["security", "find-certificate", "-a", "-p"],
+            capture_output=True,
+            timeout=10,
+        )
+        if p.returncode != 0 or not p.stdout:
+            return None
+        return p.stdout
+    except Exception:
+        logging.exception("unexpected error when fetching certificates from macOS Keychain")
+
+    return None
+
+
+def _fetch_root_certificates_linux():
+    ca_bundle_path = "/etc/ssl/certs/ca-certificates.crt"
+    try:
+        # TODO: Current supports Debian/Ubuntu. Extend to support other distributions.
+        with open(ca_bundle_path, "rb") as f:
+            certs = f.read()
+        if certs:
+            return certs
+    except OSError as e:
+        logging.warning("failed to read CA bundle at %s: %s", ca_bundle_path, e)
+    except Exception:
+        logging.exception("unexpected error while reading ca certificates")
+
+    return None
+
+
+def _fetch_root_certificates():
+    if platform.system() == "Darwin":
+        return _fetch_root_certificates_darwin()
+
+    if platform.system() == "Linux":
+        return _fetch_root_certificates_linux()
+
+    return None
+
+
 def get_client_credentials(args: Namespace) -> Optional[grpc.ChannelCredentials]:
     if not args.secure:
         return None
 
     if not args.cert:
-        return grpc.ssl_channel_credentials()
+        return grpc.ssl_channel_credentials(root_certificates=_fetch_root_certificates())
 
     with open(args.cert, "rb") as fc:
-        return grpc.ssl_channel_credentials(fc.read())
+        return grpc.ssl_channel_credentials(root_certificates=fc.read())
 
 
 @attr.s(eq=False)
