feat: keep backwards compatibility with SSL_CERT_FILE without requi…

…ring `--native-tls` (#2401) ## Summary Small follow up to #2362 to check if `SSL_CERT_FILE` is set to enable `--native-tls` functionality. This maintains backwards compatibility with `0.1.17` and below users leveraging only `SSL_CERT_FILE`. Closes #2400 ## Test Plan  Assuming `SSL_CERT_FILE` is already working via `--native-tls`, this is simply a shortcut to enable `--native-tls` functionality implicitly while still being able to let `rustls-native-certs` handle the loading of `SSL_CERT_FILE` instead of ourselves. Edit: Manually tested by setting up own self-signed CA certificate bundle and set `SSL_CERT_FILE` to this and confirmed the loading happens without having to specify `--native-tls`.
astral-sh · Mar 13, 2024 · e0ac5b4 · e0ac5b4
1 parent 99c992e
commit e0ac5b4
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -435,8 +435,8 @@ system's certificate store. To instruct uv to use the system's trust store, run
 `--native-tls` command-line flag.
 
 If a direct path to the certificate is required (e.g., in CI), set the `SSL_CERT_FILE` environment
-variable to the path of the certificate bundle (alongside the `--native-tls` flag), to instruct uv
-to use that file instead of the system's trust store.
+variable to the path of the certificate bundle, to instruct uv to use that file instead of the
+system's trust store.
 
 ## Acknowledgements
 

diff --git a/crates/uv-client/src/registry_client.rs b/crates/uv-client/src/registry_client.rs
@@ -23,6 +23,7 @@ use pep440_rs::Version;
 use pypi_types::{Metadata23, SimpleJson};
 use uv_auth::safe_copy_url_auth;
 use uv_cache::{Cache, CacheBucket, WheelCache};
+use uv_fs::Simplified;
 use uv_normalize::PackageName;
 use uv_version::version;
 use uv_warnings::warn_user_once;
@@ -119,8 +120,19 @@ impl RegistryClientBuilder {
 
         // Initialize the base client.
         let client = self.client.unwrap_or_else(|| {
+            // Check for the presence of an `SSL_CERT_FILE`.
+            let ssl_cert_file_exists = env::var_os("SSL_CERT_FILE").is_some_and(|path| {
+                let path_exists = Path::new(&path).exists();
+                if !path_exists {
+                    warn_user_once!(
+                        "Ignoring invalid `SSL_CERT_FILE`. File does not exist: {}.",
+                        path.simplified_display()
+                    );
+                }
+                path_exists
+            });
             // Load the TLS configuration.
-            let tls = tls::load(if self.native_tls {
+            let tls = tls::load(if self.native_tls || ssl_cert_file_exists {
                 Roots::Native
             } else {
                 Roots::Webpki