From d4e525ce0b6f27801763e01d2e16e7664d25e426 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81quila=20Freitas?=
Date: Sat, 7 Feb 2026 15:14:20 +0000
Subject: [PATCH] worker-build/Cargo.toml -- Adds the "native-tls" feature to the ureq dependency, enabling macOS SecureTransport (and platform-native TLS on other OSes). worker-build/src/binary.rs -- Replaces the default ureq::get(url) call (which uses rustls with a static webpki-roots CA bundle) with a custom Agent configured to use TlsProvider::NativeTls + RootCerts::PlatformVerifier. This delegates certificate verification to the OS, which trusts any CAs in the system keychain -- including corporate proxy CAs like Netskope.
---
 worker-build/Cargo.toml | 2 +-
 worker-build/src/binary.rs | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/worker-build/Cargo.toml b/worker-build/Cargo.toml
index 263835dd..c85fd09c 100644
--- a/worker-build/Cargo.toml
+++ b/worker-build/Cargo.toml
@@ -29,7 +29,7 @@ serde_json = "1.0.143"
 strsim = "0.11.1"
 tar = "0.4"
 toml = "0.9.5"
-ureq = { version = "3.1", features = ["gzip", "json"] }
+ureq = { version = "3.1", features = ["gzip", "json", "native-tls"] }
 which = "8.0.0"
 worker-codegen.workspace = true
diff --git a/worker-build/src/binary.rs b/worker-build/src/binary.rs
index fa15cd2e..bdd2e901 100644
--- a/worker-build/src/binary.rs
+++ b/worker-build/src/binary.rs
@@ -138,7 +138,17 @@ fn fix_permissions(options: &mut OpenOptions) -> &mut OpenOptions {
 /// Download this binary instance into its cache path
 fn download(url: &str, bin_dir: &Path) -> Result<()> {
- let mut res = ureq::get(url)
+ let agent = ureq::Agent::config_builder()
+ .tls_config(
+ ureq::tls::TlsConfig::builder()
+ .provider(ureq::tls::TlsProvider::NativeTls)
+ .root_certs(ureq::tls::RootCerts::PlatformVerifier)
+ .build(),
+ )
+ .build()
+ .new_agent();
+ let mut res = agent
+ .get(url)
 .call()
 .with_context(|| format!("Failed to fetch URL {url}"))?;
 let body = res.body_mut().as_reader();
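Review bot: Adding `native-tls` to the ureq feature list does not switch off ureq's default TLS backend, so unless default features are disabled somewhere outside this hunk the crate would now compile both stacks. On Linux the native-tls crate normally links the system OpenSSL, which changes what a host needs in order to build or install worker-build. If the goal is only to honour the OS trust store, ureq's `platform-verifier` feature keeps rustls and delegates verification to the platform, e.g. `features = ["gzip", "json", "platform-verifier"]`; it is worth confirming whether that covers the proxy-CA case before taking on the second backend.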
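Review bot: The agent built in `download` leaves the OS trust store as the only integrity check visible here for a binary that is about to be written into the cache path, so every CA installed on the machine, including the intercepting-proxy CAs the commit message mentions, can vouch for the payload. The rest of the function lies outside the hunk; if it does not already compare the body against a pinned digest for the requested version, that check belongs before the file is written. The builder also deserves a comment stating the trust decision, for example `// Verify against the OS trust store so locally installed CAs (e.g. corporate TLS proxies) are accepted; download integrity depends on that store.`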