fix: Support self-signed SSL certs in macOS keychain (arm64) #3057
Merged
Dav1dde
approved these changes
Jan 5, 2026
Member
Author
Please hold off with reviews — gonna need to make some changes here to fix the tests (these are legit failures)
4d539f0 to
b62ccd8
Compare
bff21b2 to
c3b2b78
Compare
szokeasaurusrex
added a commit
that referenced
this pull request
Jan 7, 2026
### Description

Stop sending transfer encoding header. This allows us to support HTTP/2, which disallows the transfer encoding header, thereby unblocking #3057. Supposedly this was added to support gzipped uploads, but we manually compress files before they reach the transport layer for chunked uploads. Also, per the curl docs, this header only indicates to the server that we would like a [compressed response](https://curl.se/libcurl/c/CURLOPT_TRANSFER_ENCODING.html). I am not sure that Sentry honors this header, or that it is relevant, given we don't really download large files from Sentry in the CLI.
d0141fd to
8cad066
Compare
szokeasaurusrex
added a commit
that referenced
this pull request
Jan 7, 2026
### Description

Fix a regression introduced with the `curl-sys` dependency bump in [2.56.1](https://github.com/getsentry/sentry-cli/releases/tag/2.56.1); the dependency removed support for Secure Transport in libcurl, switching the default to OpenSSL, which was statically linked via the `static-ssl` feature flag. This statically-linked version lacks support for reading trusted certificates from the macOS Keychain.

In this PR, we swap the statically-linked curl (and statically linked OpenSSL) for dynamically linking libcurl on macOS only (keeping the statically linked libraries for other platforms). Since curl is built into macOS, introducing this runtime dependency hopefully will not break anyone. And, since the built-in libcurl does read certs from the macOS Keychain, this should fix the regression from version 2.56.1.

### Issues

- Resolves #3054
- Resolves [CLI-256](https://linear.app/getsentry/issue/CLI-256/self-signed-certificate-problem-since-2561)
c3b2b78 to
41149eb
Compare
41149eb to
743078b
Compare
743078b to
fec1491
Compare
lcian
approved these changes
Jan 7, 2026
szokeasaurusrex
added a commit
that referenced
this pull request
Jan 8, 2026
### Description

Expand #3057 to Intel Macs. I have tested the binary built with this PR on an Intel Mac, and it appears to work.

### Issues

- Resolves #3060
- Resolves [CLI-258](https://linear.app/getsentry/issue/CLI-258/fix-self-signed-cert-issue-on-intel-macs)
Description
Fix a regression introduced with the `curl-sys` dependency bump in 2.56.1; the dependency removed support for Secure Transport in libcurl, switching the default to OpenSSL, which was statically linked via the `static-ssl` feature flag. This statically-linked version lacks support for reading trusted certificates from the macOS Keychain.

In this PR, we swap the statically-linked curl (and statically linked OpenSSL) for dynamically linking libcurl on macOS only (keeping the statically linked libraries for other platforms). Since curl is built into macOS, introducing this runtime dependency hopefully will not break anyone. And, since the built-in libcurl does read certs from the macOS Keychain, this should fix the regression from version 2.56.1.
Note
This change only fixes the bug for ARM-based Macs. #3059 will expand this change to Intel-based Macs; we are waiting with that PR until we can properly test the binary on an Intel-based Mac.
Issues
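A check a release engineer could run to confirm which libcurl a macOS build of the CLI actually loads, since the description above ties Keychain trust to the built-in libcurl. This is an added example, not code from the PR; the function names and the sample `otool -L` listings (version numbers and the Homebrew-style path included) are constructed.

```shell
# Classify how a macOS binary obtains libcurl, reading `otool -L` output on stdin.
# Prints exactly one of:
#   system-libcurl      -> loads the OS-provided library under /usr/lib
#   other-libcurl       -> loads a libcurl dylib from some other location
#   no-dynamic-libcurl  -> no libcurl dylib listed (statically linked or absent)
classify_libcurl_linkage() {
    awk '
        # Dependency lines look like: "<TAB>/path/libX.dylib (compatibility version ...)"
        $1 ~ /(^|\/)libcurl(\.[0-9]+)*\.dylib$/ {
            if ($1 ~ /^\/usr\/lib\//) sys = 1; else other = 1
        }
        END {
            if (sys)        print "system-libcurl"
            else if (other) print "other-libcurl"
            else            print "no-dynamic-libcurl"
        }
    '
}

# Constructed sample: a build that links the OS libcurl dynamically.
sample_dynamic() {
    printf 'sentry-cli:\n'
    printf '\t/usr/lib/libcurl.4.dylib (compatibility version 7.0.0, current version 9.0.0)\n'
    printf '\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.0.0)\n'
}

# Constructed sample: a build with curl and OpenSSL linked in statically,
# so no libcurl dylib appears among its load commands.
sample_static() {
    printf 'sentry-cli:\n'
    printf '\t/System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 61040.0.0)\n'
    printf '\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.0.0)\n'
}

# Constructed sample: a build picking up a libcurl from outside /usr/lib.
sample_other() {
    printf 'sentry-cli:\n'
    printf '\t/opt/homebrew/opt/curl/lib/libcurl.4.dylib (compatibility version 13.0.0, current version 13.0.0)\n'
    printf '\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.0.0)\n'
}

# On a Mac, against a real binary:
#   otool -L ./sentry-cli | classify_libcurl_linkage
```

Only the `system-libcurl` result corresponds to the configuration the description says reads certificates from the macOS Keychain; the other two results mean that claim does not apply to the binary being inspected.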