Thank you for your work on this - all of us who are using local HTTPS proxies, or who are working in corporate environments with TLS inspection, or have otherwise had to confront the 'certificate verify failed' error, are immensely grateful for it.
I'm working with @bnoordhuis on a Node version of this (https://github.com/bnoordhuis/node-native-certs), which takes the approach of using the Rust rustls-native-certs library to do the hard work. This also means we don't have to touch C for the native parts of the module - our glue code is all Rust - which makes cross-platform packaging a lot easier. If you're interested, I have put together a little prototype of what using rustls-native-certs from Python could look like.
Secondly, with your work in Python, our work in Node, and the Rust team's foundational work on this in Rust, it's now clear that a pattern is emerging. People are waking up to the idea that even if a language is cross-platform, it should still be a good citizen of each platform, and get its certificates from the native trust store. To this end I've started making a list of languages and CLI tools which have native trust store integration here: https://native-certs.github.io. (Naturally truststore is featured in that list.) If you know of any others that I haven't thought of yet, please let me know!
Thanks for making us aware of this initiative and adding us to the list. We're going to continue using native Python code for truststore for now so we can be used as a dependency of pip.