Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
GitHub is where the world builds software
Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
crypto/x509: if system keychain has a cert with an empty but valid trust settings array, cert should be trusted but Go does not trust it #27958
The OS X-specific code for finding system trusted roots has a bug. The code that is assessing each certificate configured in the keychain defaults all flags to zero here. Later, if the resulting trust settings array is empty, the code will fail to change any of the flags, here. If they are all unset, it ends up putting the cert into the "untrusted" section here.
However, in the Apple documentation, it explicitly states that if a given trust settings array is valid but empty, that it means "always trust this cert":
The fix is to simply set
What version of Go are you using (