libtailscale,android: use ExtraRootCAs for user-installed CA certific… #775
238f429 to faa9712
@LoganRupe, go ahead and rebase this PR against the new go.mod and amend the commit (squash down into one commit). Thanks!
…ates

Bridge user-installed Android CA certificates to Go's TLS stack using the in-memory ExtraRootCAs cert pool on tsd.System.

Depends on tailscale/tailscale#19280.
Fixes tailscale/tailscale#8085

Signed-off-by: Logan Rupe <[email protected]>
faa9712 to cc36444
done.
CI failed because Go 1.26.2 isn't available on the download server yet. Should pass on re-run once it's published.
Hm, this repo is supposed to only be using our https://github.com/tailscale/go/ but I guess something bitrotted and it's trying to use official upstream binaries.
Makes sense — the go 1.26.2 directive is satisfied by the custom toolchain locally via go, but the CI's actions/setup-go step is hitting the upstream download server. Not something from my change, happy to help fix the workflow if needed.
The go 1.26.1 → 1.26.2 bump in go.mod triggered this — actions/setup-go tries to fetch official upstream Go but 1.26.2 only exists in tailscale/go. The actual check step already uses go so the setup-go step could be removed or pointed at the fork. Happy to fix the workflow in this PR or a follow-up if you'd prefer.
Replaces #757 with a cleaner in-memory approach. Instead of writing user-installed CA certs to disk and setting SSL_CERT_DIR, read them from the Android KeyStore via GetUserCACertsPEM(), parse into an *x509.CertPool, and assign to sys.ExtraRootCAs on tsd.System.
Depends on tailscale/tailscale#19280 landing first — go.mod will need a bump to a commit that includes it.
Closes #757
Updates tailscale/tailscale#8085
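The approach the description outlines, as an added example that is not the PR's or the project's code: parse the PEM bundle the Android side is assumed to return (the GetUserCACertsPEM() output) into an *x509.CertPool, refuse a bundle that yields no certificate rather than installing a silently empty pool, and check what verification against that pool decides for a leaf, which is the decision the TLS stack makes once the pool sits on sys.ExtraRootCAs. ConstructedCA mints a throwaway self-signed CA purely as constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// BuildExtraRootCAs parses a PEM bundle (assumed to be what the Android bridge returns
// for user-installed CAs) into a pool for sys.ExtraRootCAs; no parsed cert is an error.
func BuildExtraRootCAs(bundle []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, errors.New("no CA certificates parsed from PEM bundle")
	}
	return pool, nil
}

// TrustedBy reports whether cert chains to a root in pool, which is the
// decision the TLS stack makes once the pool is consulted.
func TrustedBy(pool *x509.CertPool, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// ConstructedCA mints a throwaway self-signed CA as constructed sample input only.
func ConstructedCA(cn string) (pemBytes []byte, cert *x509.Certificate, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err = x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, err
}
```

A leaf signed by a CA outside the pool verifies as untrusted, so the pool only widens trust to the certificates the user actually installed.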