fix: keep OS trust store for native-tls System mode #6235
Merged
ruben-arts merged 5 commits on May 29, 2026
Conversation
Using `tls_certs_only` on the native-tls backend sets `disable_built_in_roots(true)`, which discards the OS trust evaluation and forces the chain the OS built to terminate at one of the certs snapshotted via `rustls_native_certs`. In corporate environments the OS trusts enterprise/proxy CAs that `rustls_native_certs` does not enumerate, so verification failed with "unable to find any user-specified roots in the final cert chain". `tls_certs_only` is correct for rustls (which has no OS-level trust) but wrong for native-tls. For native-tls `System` mode we now keep the OS trust store and only merge extra roots from `SSL_CERT_FILE`/`SSL_CERT_DIR`. https://claude.ai/code/session_01KgmnaNpU7eK8FNoXc8m2yd
Extract the native-tls root-cert decision into a pure `native_tls_trust` mapping so the prefix-dev#6229 regression is unit-testable (reqwest's builder is opaque about disable_built_in_roots). Assert System / LegacyNative / All keep the OS trust store and only Webpki replaces it. https://claude.ai/code/session_01KgmnaNpU7eK8FNoXc8m2yd
Remove the NativeTlsTrust enum, native_tls_trust mapping, and its unit tests. reqwest's builder is opaque so the mapping test added little; uv ships no cert tests either. Inline the native-tls root logic and tighten the comments. https://claude.ai/code/session_01KgmnaNpU7eK8FNoXc8m2yd
The import is only used inside the native-tls/rustls cfg blocks, so it triggered an unused-import error when pixi_utils is built without either feature (e.g. the docs generator). https://claude.ai/code/session_01KgmnaNpU7eK8FNoXc8m2yd
ruben-arts approved these changes on May 29, 2026
Description
Fixes certificate validation failures introduced in 0.68.1 for users on native-tls builds in corporate environments (custom proxy or enterprise CAs). Such setups were failing with "unable to find any user-specified roots in the final cert chain" when resolving PyPI and conda dependencies.

With this change, native-tls builds again trust the operating system's certificate store by default, so enterprise and proxy CAs that the OS already trusts work without extra configuration. Custom certificates from SSL_CERT_FILE/SSL_CERT_DIR continue to be honored on top of the OS store.

Fixes #6229
How Has This Been Tested?
Verified that both the native-tls and default rustls builds compile.

A reporter on a Windows corporate network with a custom native-tls build should confirm that pixi can again resolve PyPI dependencies (e.g. pixi lock) without certificate errors.

AI Disclosure
Tools: Claude
Checklist:
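The root-cert decision the PR describes for the native-tls backend, modelled as an added example that is not pixi's code (the PR says it inlined this logic and removed its `native_tls_trust` mapping). It assumes a reqwest-style builder that takes a `disable_built_in_roots` flag plus explicit extra roots; the `CertMode` variants are the ones named in the commit messages, `native_tls_roots`, `split_pem_bundle` and the `NativeTlsRoots` struct are hypothetical names, and the PEM bundle is a constructed placeholder, not a real certificate. Only `Webpki` discards the OS store; every other mode keeps it and merges the roots found in `SSL_CERT_FILE` / `SSL_CERT_DIR` on top, which is the behaviour that avoids the "no user-specified roots in the final cert chain" failure when the chain ends at an enterprise or proxy CA the OS already trusts.

```rust
use std::fs;
use std::io;
use std::path::Path;

/// Certificate-store modes as named in the PR's commit messages.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CertMode {
    System,
    LegacyNative,
    All,
    Webpki,
}

/// What a reqwest-style builder is told about roots on the native-tls backend
/// (hypothetical struct; the real builder keeps this internal).
#[derive(Debug, PartialEq, Eq)]
pub struct NativeTlsRoots {
    /// Value for `disable_built_in_roots`: `true` throws away OS trust evaluation.
    pub disable_built_in_roots: bool,
    /// PEM certificates merged on top (from SSL_CERT_FILE / SSL_CERT_DIR).
    pub extra_roots: Vec<String>,
}

/// Split a PEM bundle into individual CERTIFICATE blocks, ignoring any text
/// outside the BEGIN/END markers (OpenSSL-style bundles carry comments).
pub fn split_pem_bundle(text: &str) -> Vec<String> {
    const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
    const END: &str = "-----END CERTIFICATE-----";
    let mut out = Vec::new();
    let mut rest = text;
    while let Some(start) = rest.find(BEGIN) {
        let from_begin = &rest[start..];
        match from_begin.find(END) {
            Some(end) => {
                out.push(from_begin[..end + END.len()].to_string());
                rest = &from_begin[end + END.len()..];
            }
            // Truncated trailing block: stop rather than add a partial cert.
            None => break,
        }
    }
    out
}

/// Decide native-tls roots: only `Webpki` replaces the OS store; `System`,
/// `LegacyNative` and `All` keep it and merge user-provided roots on top.
pub fn native_tls_roots(
    mode: CertMode,
    cert_file: Option<&Path>,
    cert_dir: Option<&Path>,
) -> io::Result<NativeTlsRoots> {
    let mut extra_roots = Vec::new();
    if let Some(file) = cert_file {
        extra_roots.extend(split_pem_bundle(&fs::read_to_string(file)?));
    }
    if let Some(dir) = cert_dir {
        // Deterministic order so the resulting root list is reproducible.
        let mut entries: Vec<fs::DirEntry> = fs::read_dir(dir)?.collect::<io::Result<Vec<_>>>()?;
        entries.sort_by_key(|e| e.path());
        for entry in entries {
            let path = entry.path();
            if path.is_file() {
                extra_roots.extend(split_pem_bundle(&fs::read_to_string(&path)?));
            }
        }
    }
    Ok(NativeTlsRoots {
        disable_built_in_roots: matches!(mode, CertMode::Webpki),
        extra_roots,
    })
}

/// Constructed placeholder bundle: two fake blocks plus a comment line.
/// The base64 bodies are not real certificates.
pub const CONSTRUCTED_BUNDLE: &str = "\
# corp-proxy bundle (constructed for the example)
-----BEGIN CERTIFICATE-----
MIIBplaceholderProxyCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderEnterpriseRootCA
-----END CERTIFICATE-----
";

fn main() -> io::Result<()> {
    let dir = std::env::temp_dir().join("native_tls_roots_example");
    fs::create_dir_all(&dir)?;
    let bundle = dir.join("bundle.pem");
    fs::write(&bundle, CONSTRUCTED_BUNDLE)?;
    for mode in [CertMode::System, CertMode::LegacyNative, CertMode::All, CertMode::Webpki] {
        let roots = native_tls_roots(mode, Some(&bundle), None)?;
        println!(
            "{:?}: disable_built_in_roots={} extra_roots={}",
            mode, roots.disable_built_in_roots, roots.extra_roots.len()
        );
    }
    Ok(())
}
```

The design point is that `extra_roots` are always merged regardless of mode, while the OS store is only discarded for `Webpki`; on rustls, which has no OS-level trust, the equivalent decision would instead snapshot OS roots explicitly, which is why `tls_certs_only` is right there and wrong here.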