Zig only reads CA Certificates from SystemRootCertificates.keychain and not from System.keychain

[dreilly1982]

Zig Version

0.14.0-dev.2989+bf6ee7cb3

Steps to Reproduce and Observed Behavior

run zig fetch <url> returns error: unable to connect to server: TlsInitializationFailed this is due to a TLS intercept using a coporate signed TLS certificate.

Expected Behavior

I am very sure that this was intended as written, however many organizations use TLS intercept on their devices. Allowing to read certificates from both /System/Library/Keychains/SystemRootCertificates.keychain as well as /Library/Keychains/System.keychain would allow trusted intercept certificates to be installed in the System keychain, and still be trusted for actions such as "zig build fetch".

[dreilly1982]

I only mentioned zig fetch in the initial issue as this is where I found the issue, and the fetch command doesn't currently have any apparent way to pass the arguments to ignore TLS verification. This is a show stopper for anyone using Zig on machines where their traffic is forced through intercept proxies on MacOS.

[Ugenx]

Just ran into this issue myself. Found #15681 which seems like the correct way to address this situation.

[dreilly1982]

Thank you for referencing that, it had not come up in my search through issues. The approach I went with in my PR was to also look in System.keychain for valid trusted certs. My thought is if it is in System.keychain then at least an administrator on the system installed it. This could be easily expanded to user keychains, and I feel that would be the appropriate way to add trusted certificates on MacOS. As for an ignore TLS flag, it looks simple enough to implement, but that wasn't my intent in this particular issue.