The CLI currently uses reqwest with the rustls-tls feature, which bundles Mozilla's CA roots via webpki-roots. This means custom/internal CA
certificates are completely ignored at runtime. There's no way to configure them via SSL_CERT_FILE, system trust store, or any other mechanism.
This breaks the sign_and_verify step when pushing to a self-hosted registry (e.g. Forgejo) that uses a certificate signed by an internal CA. The
BuildKit push succeeds (BuildKit has its own registry TLS config), but BlueBuild's own HTTPS request to fetch the manifest fails.
The CLI currently uses reqwest with the rustls-tls feature, which bundles Mozilla's CA roots via webpki-roots. This means custom/internal CA
certificates are completely ignored at runtime. There's no way to configure them via SSL_CERT_FILE, system trust store, or any other mechanism.
This breaks the sign_and_verify step when pushing to a self-hosted registry (e.g. Forgejo) that uses a certificate signed by an internal CA. The
BuildKit push succeeds (BuildKit has its own registry TLS config), but BlueBuild's own HTTPS request to fetch the manifest fails.