Skip to content

improve ergonomics of CA certificates when cross compiling #9

Description

@Techatrix

When cross compiling, we cannot, by default, depend on the CA certificates provided by the host system because we need to guarantee a reproducible build that has no dependencies on the host system (hermetic builds).

Here is what can be done about it:

  • improve documentation so that upstream dependencies are aware of this issue. Curl has some useful docs on this
  • give an option to opt into always using the host system's CA certificates
  • give an option to opt into to built in certificates

Builtin certificates could, as an example, be sourced from https://curl.se/docs/caextract.html and fetched as a typical build system dependency. See https://codeberg.org/ziglang/zig/issues/32041 about fetching single file dependencies

AFAIK it is a non-goal for upstream curl to support runtime detection of certificates. It could be viable to fork upstream for this or at least provide some resources to upstream dependencies so that they can implement this on their side. std.crypto.Certificate.Bundle.rescan could be used as a reference.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions