When cross compiling, we cannot, by default, depend on the CA certificates provided by the host system because we need to guarantee a reproducible build that has no dependencies on the host system (hermetic builds).
Here is what can be done about it:
- improve documentation so that upstream dependencies are aware of this issue. Curl has some useful docs on this
- give an option to opt into always using the host system's CA certificates
- give an option to opt into to built in certificates
Builtin certificates could, as an example, be sourced from https://curl.se/docs/caextract.html and fetched as a typical build system dependency. See https://codeberg.org/ziglang/zig/issues/32041 about fetching single file dependencies
AFAIK it is a non-goal for upstream curl to support runtime detection of certificates. It could be viable to fork upstream for this or at least provide some resources to upstream dependencies so that they can implement this on their side. std.crypto.Certificate.Bundle.rescan could be used as a reference.
When cross compiling, we cannot, by default, depend on the CA certificates provided by the host system because we need to guarantee a reproducible build that has no dependencies on the host system (hermetic builds).
Here is what can be done about it:
Builtin certificates could, as an example, be sourced from https://curl.se/docs/caextract.html and fetched as a typical build system dependency. See https://codeberg.org/ziglang/zig/issues/32041 about fetching single file dependencies
AFAIK it is a non-goal for upstream curl to support runtime detection of certificates. It could be viable to fork upstream for this or at least provide some resources to upstream dependencies so that they can implement this on their side.
std.crypto.Certificate.Bundle.rescancould be used as a reference.