
vscode/proxy-agent uses untrusted certificates on macOS #247003

Open
@tmm1


Does this issue occur when all extensions are disabled?: Yes

  • VS Code Version: any
  • OS Version: macOS

Steps to Reproduce:

On macOS, vscode/proxy-agent uses:

https://github.com/microsoft/vscode-proxy-agent/blob/ef240a475dd742e2ecfcb65b0a1722817aacce81/src/index.ts#L860-L862

async function readMacCaCertificates() {
	const stdout = await new Promise<string>((resolve, reject) => {
		const child = cp.spawn('/usr/bin/security', ['find-certificate', '-a', '-p']);

This returns all the certificates in the keychain, regardless of trust settings. By default, when installing a new cert on a modern version of macOS, it is not trusted.

Contrast this with the new --use-system-ca flag in Node.js v23, which looks at the individual trust settings of each imported cert:

https://github.com/nodejs/node/blob/25842c5e35efb45df169e591c775a3c4f853556d/src/crypto/crypto_context.cc#L367-L375

TrustStatus IsTrustSettingsTrustedForPolicy(CFArrayRef trust_settings,
                                            bool is_self_issued) {
  // The trust_settings parameter can return a valid but empty CFArrayRef.
  // This empty trust-settings array means “always trust this certificate”
  // with an overall trust setting for the certificate of
  // kSecTrustSettingsResultTrustRoot
  if (CFArrayGetCount(trust_settings) == 0) {
    return is_self_issued ? TrustStatus::TRUSTED : TrustStatus::UNSPECIFIED;
  }
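
One way to load only trusted certificates, as an added example that is not part of the original issue or of vscode-proxy-agent's code: each PEM block from `security find-certificate -a -p` is checked with `security verify-cert` before it is used as a CA. The helper names and the sample bundle are hypothetical, and treating exit status 0 as "trusted for SSL" is an assumption.

```typescript
import * as cp from 'node:child_process';
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

const PEM_RE = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split the concatenated PEM output of `security find-certificate -a -p`,
// dropping exact duplicates (the same cert can sit in several keychains).
function splitPemBundle(bundle: string): string[] {
  return Array.from(new Set(bundle.match(PEM_RE) ?? []));
}

// Assumption: exit status 0 from `security verify-cert` means macOS trusts
// the cert for the SSL policy. -l: leaf is a CA, -L: local certificates only.
// A missing binary or failed spawn yields a non-zero/null status: not trusted.
function isTrustedByMacOS(pem: string): boolean {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'ca-check-'));
  const file = path.join(dir, 'cert.pem');
  try {
    fs.writeFileSync(file, pem + '\n', { mode: 0o600 });
    const result = cp.spawnSync('/usr/bin/security',
      ['verify-cert', '-c', file, '-l', '-L', '-p', 'ssl'], { stdio: 'ignore' });
    return result.status === 0;
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

// Keep only the certificates the trust check accepts. The check is injectable
// so the filtering logic can be exercised off macOS.
function filterTrusted(bundle: string,
    isTrusted: (pem: string) => boolean = isTrustedByMacOS): string[] {
  return splitPemBundle(bundle).filter(pem => isTrusted(pem));
}

// Constructed sample: placeholder bodies, not real certificates.
const pemOf = (body: string) =>
  `-----BEGIN CERTIFICATE-----\n${body}\n-----END CERTIFICATE-----`;
const SAMPLE_BUNDLE = [pemOf('VFJVU1RFRA=='), pemOf('VU5UUlVTVEVE'),
  pemOf('VFJVU1RFRA==')].join('\n');
```

On macOS, `filterTrusted(stdout)` over the `find-certificate` output spawns one `verify-cert` process per certificate, so the result is worth caching.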


Labels: bug (Issue identified by VS Code Team member as probable bug), proxy (Issues regarding network proxies)
