Skip to content

Support system CA certificates for self-hosted registries #808

Description

@Rolix44

The CLI currently uses reqwest with the rustls-tls feature, which bundles Mozilla's CA roots via webpki-roots. This means custom/internal CA
certificates are completely ignored at runtime. There's no way to configure them via SSL_CERT_FILE, system trust store, or any other mechanism.

This breaks the sign_and_verify step when pushing to a self-hosted registry (e.g. Forgejo) that uses a certificate signed by an internal CA. The
BuildKit push succeeds (BuildKit has its own registry TLS config), but BlueBuild's own HTTPS request to fetch the manifest fails.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions