feat: allow loading of native certificate store #5013
Conversation
baszalmstra left a comment:
Nice, how do we deal with this on conda-forge where we use nativetls instead?
Hmm, maybe we should remove it for those builds, as this config does not make sense. Wdyt?
maybe we could have a config called tls-certs which is webpki or native. And we have different defaults based on the selected feature?
Excellent suggestion!
On Mon, Dec 1, 2025 at 10:51 AM Bas Zalmstra wrote (prefix-dev/pixi#5013):
> maybe we could have a config called tls-certs which is webpki or native.
> And we have different defaults based on the selected feature?
I implemented a version of this, @baszalmstra, but an open question still remains :)

```rust
#[serde(rename_all = "lowercase")]
pub enum TlsRootCerts {
    /// Use bundled Mozilla root certificates
    #[default]
```
This default depends on which backend is selected through features.
Well, the config just doesn't do anything because there is not really an option to select it for native-tls; the methods to select webpki are compiled out. So the config is only there in both compilation features so as not to break your config when you switch.
Crazy
Makes sense to me, we can always change this later.
OP here. I ran
Would you be able to check if, with the version of pixi compiled from this branch, you are able to reach your index? :)
Description
uv allows loading of the system certificates instead of the ones provided by default for rustls. This changes the code to have a `native_certs` configuration option (global) and CLI options so that one can opt in to the system store. This all still uses rustls under the hood. This was apparently a much-requested feature for uv. Luckily we can just change the client construction implementation and enable this for both conda and PyPI network requests.

I used a different name and construction and deviated from uv here, because we have different requirements. We have both native-tls (conda-forge) builds and non-native-tls builds. So I added the option for the user to be able to choose what root certificates to load. For example, when running `pixi install --help`, you get:

There is also a corresponding `pixi_config` global setting that can be set if need be.

By default the rustls version uses only "webpki", and the native-tls version uses the system store; for rustls you can use "webpki", "native" or "all". For the native-tls version the methods `tls_built_in_webpki_certs` and `tls_built_in_native_certs` should not be available, i.e. these are only available for rustls. So we give a warning in this case that these options will be ignored. See: https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.tls_built_in_webpki_certs

However, and this is a question for @baszalmstra, I feel these will actually be available on our native-tls build, because of uv ensuring that both features are enabled (as they support only rustls), and in the case of a conda-forge build both features will be on. Not sure what to do here, but I opted to go for the "most correct" approach. wdyt?

Fixes #4896
How Has This Been Tested?
I have a script in `scripts/test_native_cert.py` and corresponding pixi tasks to check if this works. Run `pixi r build-release` and `pixi run test-native-certs` to verify. This sets up a PyPI registry nginx docker container with a generated CA; we add this CA to the system store to see if we can connect with it. Maybe the OP of the issue could give it a go as well.
AI Disclosure
Tools: Claude Opus 4.5
Checklist:
schema/model.py.
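As an added illustration of the resolution logic the description and review thread discuss (this is example code, not pixi's own implementation), the function below maps a parsed `webpki` / `native` / `all` setting onto the two booleans that would be handed to reqwest's `tls_built_in_webpki_certs` and `tls_built_in_native_certs`, defaulting to the bundled roots on rustls and ignoring the setting with a warning on the native-tls backend. The names `TlsRootCerts`, `TlsBackend`, `Resolved` and `resolve` are assumptions made for this example.

```rust
// Example code, not pixi's implementation: the enum/function names here are assumed.
use std::str::FromStr;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TlsRootCerts { Webpki, Native, All }

impl FromStr for TlsRootCerts {
    type Err = String;
    // Mirrors the serde `rename_all = "lowercase"` mapping from the review snippet.
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s.to_ascii_lowercase().as_str() {
            "webpki" => Ok(Self::Webpki),
            "native" => Ok(Self::Native),
            "all" => Ok(Self::All),
            other => Err(format!("unknown tls root certs value: {other}")),
        }
    }
}

/// Which TLS backend the binary was compiled with (a cargo feature in practice).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TlsBackend { Rustls, NativeTls }

/// Values for `tls_built_in_webpki_certs` / `tls_built_in_native_certs`, plus a
/// warning when the user's setting cannot take effect on this backend.
#[derive(Debug, PartialEq, Eq)]
pub struct Resolved { pub webpki: bool, pub native: bool, pub warning: Option<String> }

pub fn resolve(setting: Option<TlsRootCerts>, backend: TlsBackend) -> Resolved {
    match backend {
        // native-tls always trusts the system store; the webpki/native toggles are
        // compiled out, so an explicit setting is accepted but ignored with a warning.
        TlsBackend::NativeTls => Resolved {
            webpki: false,
            native: true,
            warning: setting.map(|s| format!("tls root certs setting {s:?} is ignored on the native-tls backend")),
        },
        // rustls defaults to the bundled Mozilla (webpki) roots. Note that "native"
        // alone drops the bundled roots, so a sparse OS store will fail to verify
        // public hosts; "all" is the permissive union of both stores.
        TlsBackend::Rustls => {
            let s = setting.unwrap_or(TlsRootCerts::Webpki);
            Resolved {
                webpki: matches!(s, TlsRootCerts::Webpki | TlsRootCerts::All),
                native: matches!(s, TlsRootCerts::Native | TlsRootCerts::All),
                warning: None,
            }
        }
    }
}
```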