Add a system-certs-default preview feature #18702
Draft
zanieb wants to merge 11 commits into astral-sh:main from
… by default When the `system-certs-default` preview feature is enabled, uv defaults to using system certificates instead of the bundled Mozilla webpki roots. Explicit CLI flags (`--system-certs` / `--no-system-certs`) and environment variables still take precedence over the preview default. https://claude.ai/code/session_01QswG8dVGPRf8iHMWnmYa11
On Linux, rustls-native-certs and openssl-probe discover the system CA bundle, but it may be absent in minimal environments (e.g., scratch containers). When system-certs is enabled, merge the bundled Mozilla roots as extra roots alongside the platform verifier via reqwest's tls_certs_merge(), which calls Verifier::new_with_extra_roots under the hood. This ensures basic connectivity even when the system certificate store is unavailable. https://claude.ai/code/session_01QswG8dVGPRf8iHMWnmYa11
On macOS and Windows, the platform verifier has a built-in trust store that always works, so merging extra roots is unnecessary and could bypass enterprise CA policies. On Linux, the platform verifier falls back to rustls-native-certs/openssl-probe which read PEM files from disk — these may be absent in minimal containers. Only merge the bundled Mozilla roots on Linux where the fallback is actually needed. https://claude.ai/code/session_01QswG8dVGPRf8iHMWnmYa11
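The precedence and the Linux-only merge described in the three commit messages above, modelled as an added example (not code from this pull request or from uv). All type and function names, the CLI-over-environment ordering, and the list of CA bundle paths are assumptions; `bundled_only` flags a Linux host where no system bundle was found, so trust rests on the bundled roots alone.

```rust
use std::path::{Path, PathBuf};

// Added illustration: every name below is hypothetical, not uv's own API.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Source { Cli, Env, PreviewDefault, BuiltinDefault }

#[derive(Debug, PartialEq)]
pub struct TrustPlan {
    pub system_certs: bool,        // verify against the system trust store
    pub merge_bundled_roots: bool, // also add the bundled Mozilla roots
    pub bundled_only: bool,        // Linux with no CA bundle found on disk
    pub source: Source,            // which input decided `system_certs`
}

// Common Linux CA bundle locations (an assumed, non-exhaustive list).
const CANDIDATES: [&str; 4] = [
    "etc/ssl/certs/ca-certificates.crt",
    "etc/pki/tls/certs/ca-bundle.crt",
    "etc/ssl/ca-bundle.pem",
    "etc/ssl/cert.pem",
];

/// First non-empty candidate bundle under `root` ("/" on a real host).
pub fn find_bundle(root: &Path) -> Option<PathBuf> {
    CANDIDATES.iter().map(|c| root.join(c))
        .find(|p| std::fs::metadata(p).map(|m| m.is_file() && m.len() > 0).unwrap_or(false))
}

/// Explicit settings beat the preview default; CLI-over-env is an assumption.
pub fn resolve(cli: Option<bool>, env: Option<bool>, preview: bool, os: &str, root: &Path) -> TrustPlan {
    let (system_certs, source) = match (cli, env) {
        (Some(v), _) => (v, Source::Cli),
        (None, Some(v)) => (v, Source::Env),
        (None, None) if preview => (true, Source::PreviewDefault),
        (None, None) => (false, Source::BuiltinDefault),
    };
    // Merge only on Linux: macOS and Windows have a built-in store, and extra
    // roots there could bypass enterprise CA policy.
    let merge_bundled_roots = system_certs && os == "linux";
    let bundled_only = merge_bundled_roots && find_bundle(root).is_none();
    TrustPlan { system_certs, merge_bundled_roots, bundled_only, source }
}

fn main() {
    let plan = resolve(None, None, true, std::env::consts::OS, Path::new("/"));
    println!("{plan:?}");
}
```

A `bundled_only` result in a container image is worth logging: any enterprise CA expected from the system store is not in effect there.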
… feature Update certificates.md to describe the Linux-specific behavior where bundled Mozilla roots are merged alongside the platform verifier when the system CA bundle is absent. Add system-certs-default to the list of available preview features in preview.md. https://claude.ai/code/session_01QswG8dVGPRf8iHMWnmYa11
Link to the upstream recommendation to augment system certs with webpki-roots via Verifier::new_with_extra_roots on Linux. https://claude.ai/code/session_01QswG8dVGPRf8iHMWnmYa11
Remove the `preview` field from `BaseClientBuilder` and `AuthMiddleware`, and the `Preview` parameter from S3/GCS endpoint provider functions. All preview feature checks now use the global `uv_preview::is_enabled()` accessor, which was initialized at startup. This removes `uv-preview` as a dependency of `uv-client` entirely. https://claude.ai/code/session_01QswG8dVGPRf8iHMWnmYa11
The commit f335a19 changed AuthMiddleware to use the global uv_preview::is_enabled() instead of threading a Preview value. However, the middleware unit tests never initialized the global preview state, causing panics ('The preview configuration has not been initialized') on all platforms. Fix by adding uv-preview with the 'testing' feature to dev-dependencies and calling uv_preview::test::with_features(&[]) in each test.
Same issue as the uv-auth middleware tests: the tests use RegistryClientBuilder which internally creates an AuthMiddleware that now calls uv_preview::is_enabled().
Add the same `#[cfg_attr(windows, ignore)]` attribute that all other show_settings configuration tests use, since the snapshot format for SystemTime and cache paths differs on Windows.
No description provided.