
add: additional key path for macos #28

Open. ajbt200128 wants to merge 2 commits into main from austin/add-macos-path

Conversation

ajbt200128 (Author)

On MacOS it's normal[1] to add custom certificates to /Library/Keychains/System.keychain in addition to /System/Library/Keychains/SystemRootCertificates.keychain. This PR now checks both locations and concatenates them.

[1] https://apple.stackexchange.com/questions/53579/how-is-the-system-keychain-secured-in-os-x
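The two-keychain lookup the PR describes, as an added shell example (not code from the ca-certs project): each keychain that exists is dumped with `security find-certificate -a -p`, the PEM output is concatenated, and a certificate present in both keychains is emitted only once. The variable `MACOS_KEYCHAINS` and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the ca-certs project: collect trust anchors
# from both macOS keychains named in the PR and emit one PEM stream.

# Keychains to consult, in the order the PR checks them (assumed variable
# name; overridable so the logic can be exercised on a non-macOS host).
: "${MACOS_KEYCHAINS:=/System/Library/Keychains/SystemRootCertificates.keychain /Library/Keychains/System.keychain}"

# Dump every certificate from each keychain that exists. Note that
# `security find-certificate -a -p` prints all certificates in the keychain,
# not only those carrying trust settings, so a CA added to System.keychain
# (for example by a local proxy) is included as-is.
dump_keychains() {
  for kc in $MACOS_KEYCHAINS; do
    [ -r "$kc" ] || continue
    security find-certificate -a -p "$kc"
  done
}

# Drop duplicates: a CA present in both keychains would otherwise appear
# twice in the concatenated bundle.
dedupe_pem() {
  awk '
    /^-----BEGIN CERTIFICATE-----/ { block = ""; inblock = 1 }
    inblock { block = block $0 "\n" }
    /^-----END CERTIFICATE-----/ {
      inblock = 0
      if (!(block in seen)) { seen[block] = 1; printf "%s", block }
    }'
}

# The bundle the PR builds: both keychains, concatenated, without repeats.
macos_trust_anchors() {
  dump_keychains | dedupe_pem
}

# Number of certificates in a PEM stream read from stdin.
count_certs() {
  grep -c 'BEGIN CERTIFICATE-----'
}

# Usage: sh anchors.sh --run > anchors.pem
if [ "${1:-}" = "--run" ]; then
  macos_trust_anchors
fi
```

Because `find-certificate -a` ignores trust settings, every certificate that lands in System.keychain becomes a trust anchor of the resulting bundle, which is the point on which the later question in this thread turns.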

2 review threads on lib/ca_certs.ml (outdated, resolved)
hannesm (Member) commented May 31, 2024

Thanks for your contribution, I had some minor remarks. Would be great to address them, then I can merge and cut a release.

ajbt200128 and others added 2 commits on August 5, 2024 16:26
On MacOS it's normal[1] to add custom certificates to
`/Library/Keychains/System.keychain` in addition to
`/System/Library/Keychains/SystemRootCertificates.keychain`. This PR now
checks both locations and concatenates them

[1] https://apple.stackexchange.com/questions/53579/how-is-the-system-keychain-secured-in-os-x
hannesm force-pushed the austin/add-macos-path branch from 202997c to 053648f on August 5, 2024 14:36

hannesm (Member) commented Aug 5, 2024

I took the liberty to rebase to main and update the code as reviewed.

hannesm (Member) commented Aug 5, 2024

The remaining question I have is: from your linked stackoverflow article, "The System Keychain, /Library/Keychains/System.keychain, is a special Keychain for Apple and daemons to use. You should generally avoid using it for user level scripts."

So, are you sure that path should be added by default to the root certificates / trust anchors? Is there some authoritative documentation (from Apple) suggesting this? I'm not sure I follow your changes, and think that #20 is related -- so anyone with a macOS machine and some binding experience, it would be great to use the macOS API instead of security find-certificate

ajbt200128 (Author)

I dug around and couldn't find anything on what to do with SSL certificates specifically; it looks like there is a per-user keychain though, so we could try using that one w/ the Apple API. But in general all of the programs I've used that require self-signed certs (i.e. proxies) usually ask users to use the system keychain.

hannesm (Member) commented Aug 7, 2024

Thanks for your research. When you say "all of the programs I've used that require self signed certs (i.e proxies) usually ask users to use the system keychain", are those being installed into /System/Library/Keychains/SystemRootCertificates.keychain?
