cargo-pgrx: use system certificate store for HTTPS validation #2074
thanks! @charmitro, I will try it from my end
From my testing, it worked. I tried the installation with and without the option My OS is Ubuntu24.04.2, rust version is Thanks for the fix @charmitro !
Perfect!
Not a problem, it's up to the maintainers now I guess.
Use `platform-verifier` feature of ureq to validate TLS certificates
against the system's certificate store instead of bundled Mozilla
certificates. This allows cargo-pgrx to work properly with corporate
proxies (both explicit and transparent) that use custom certificate
authorities for SSL inspection.
Previously, cargo-pgrx would fail with:
    Error:
       0: unable to retrieve https://www.postgresql.org/versions.rss
       1: io: invalid peer certificate: UnknownIssuer
when used behind corporate proxies, as it could not validate
certificates signed by corporate CAs. By using the system's trusted
certificate store, we can properly validate these certificates if they
are trusted by the host OS.
Signed-off-by: Charalampos Mitrodimas <[email protected]>
20123f8 to cd0e1d8
CI issue should be fixed now. Can we re-run the CI?
Yup. Thanks for the PR. Corporate networks are such a pain and basically impossible for the rest of us to even test/predict.
Exactly, that's why I asked @tumluliu to test it, for which I'm thankful!
Thanks for your work. Merging this now. I will probably get another pgrx release out this week, so y'all hang tight.
…ralfoundation#2074) Use `platform-verifier` feature of `ureq` to validate TLS certificates against the system's certificate store instead of bundled Mozilla certificates. This allows cargo-pgrx to work properly with corporate proxies (both explicit and transparent) that use custom certificate authorities for SSL inspection. Signed-off-by: Charalampos Mitrodimas <[email protected]>
Welcome to pgrx v0.15.0. This begins a new series for pgrx that includes support for Postgres 18. As of this release, that means Postgres 18beta1.

This release does contain a few breaking API changes but they're largely mechanical. Don't worry, the compiler will let you know!

As always, please install our CI tool with `cargo install cargo-pgrx --version 0.15.0 --locked` and then run `cargo pgrx upgrade` in all of your extension crates.

If you want to start working with Postgres 18beta1, you'll also need to re-init your pgrx environment with `cargo pgrx init`. That will automatically detect all the latest Postgres versions, including 18beta1.

At the top here, I'd like to thank @silver-ymz for the 18beta1 support. It was a pleasant surprise to see that work come from the community -- it's no easy task to add a new Postgres version to pgrx! That said, as Postgres 18 is currently beta, you should consider pgrx' support for it as beta too. Please report any problems with 18beta1 (or discrepancies with other versions) as GitHub issues.

Also, this release requires rust v1.88.0 or greater. `if-let` chains are now a thing and we're not afraid to use them.

# What's Changed

## Postgres 18beta1 Support

* Support Postgres 18beta1 by @silver-ymz in #2056
* pg18 support: add header and implement `#define` by @eeeebbbbrrrr in #2094
* improve pg_magic_func by @usamoi in #2088

## More Headers

* Added `catalog/heap.h` binding by @ccleve in #2072
* include `utils/pg_status.h` by @eeeebbbbrrrr in #2091

## `cargo-pgrx` improvements

* Pass `LLVM_*` variables to `--runas` command by @theory in #2083
* `does_db_exist()`: fix `psql` argument order by @eeeebbbbrrrr in #2093
* `cargo pgrx regress` output is no longer fully buffered by @eeeebbbbrrrr in #2095
* Detect `pgrx_embed` name from lib name by @YohDeadfall in #2035
* Fixed error message if no artifact found by @YohDeadfall in #2034
* `cargo-pgrx`: use system certificate store for HTTPS validation by @charmitro in #2074
* Decoding command output in Windows by @if0ne in #2084

## Breaking Changes

* fix GUC by @usamoi in #2064
* refactor GUC by @usamoi in #2066

## New Stuff

* Added `pg_binary_protocol` attribute to derive send and receive functions for `PostgresType` by @LucaCappelletti94 in #2068
* Expose guc hooks by @thesuhas in #2075
* Allows to create multiple aggregates for the same Rust type by @if0ne in #2078

## General Code Cleanup

* `cargo clippy --fix` by @eeeebbbbrrrr in #2092
* Use `if-let` to unpack Options by @stuhood in #2089
* docs: fix typo in `rust_byte_slice_to_bytea()` docs by @burmecia in #2071
* Added a missing `#[doc(hidden)]` by @LucaCappelletti94 in #2079

## Administrative

* Updated Fedora to latest in CI by @YohDeadfall in #2085
* fix ci on beta rust (1.89) by @usamoi in #2087

## New Contributors

Much thanks to our new contributors! Your work is sincerely appreciated!

* @charmitro made their first contribution in #2074
* @thesuhas made their first contribution in #2075
* @if0ne made their first contribution in #2084
* @stuhood made their first contribution in #2089

**Full Changelog**: v0.14.3...v0.15.0
Closes #2047
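
A simplified model of the failure and fix described in the commit message, added here as an illustration and not taken from the cargo-pgrx or ureq source: the same proxied chain yields `UnknownIssuer` against a bundled root set and validates against a system store that includes the corporate CA, while a chain from a CA in neither store is still rejected. All certificate names except `www.postgresql.org` are constructed, and issuer/subject name matching stands in for signature verification.

```rust
use std::collections::HashSet;

// Constructed stand-in for an X.509 certificate: names only, no keys or signatures.
#[derive(Clone, Copy)]
struct Cert { subject: &'static str, issuer: &'static str }

#[derive(Debug, PartialEq)]
enum VerifyError { EmptyChain, BrokenChain, UnknownIssuer }

// Walk the presented chain (leaf first) until some issuer is a trust anchor.
// Assumption: name matching replaces the signature checks a real verifier performs.
fn verify_chain(chain: &[Cert], anchors: &HashSet<&str>) -> Result<(), VerifyError> {
    let mut certs = chain.iter().peekable();
    if certs.peek().is_none() { return Err(VerifyError::EmptyChain); }
    while let Some(cert) = certs.next() {
        if anchors.contains(cert.issuer) { return Ok(()); }
        if let Some(next) = certs.peek() {
            if next.subject != cert.issuer { return Err(VerifyError::BrokenChain); }
        }
    }
    // Ran out of certificates without reaching an anchor.
    Err(VerifyError::UnknownIssuer)
}

const HOST: &str = "www.postgresql.org";
const PUBLIC_ROOT: &str = "Example Public Root";       // constructed name
const CORP_CA: &str = "Example Corp Inspection CA";    // constructed name

// Bundled roots: fixed at build time, identical on every machine.
fn bundled_roots() -> HashSet<&'static str> { HashSet::from([PUBLIC_ROOT]) }
// System store: public roots plus whatever the host administrator installed.
fn system_store() -> HashSet<&'static str> { HashSet::from([PUBLIC_ROOT, CORP_CA]) }

// Chain as sent by the origin server.
fn direct_chain() -> Vec<Cert> {
    vec![Cert { subject: HOST, issuer: "Example Public Intermediate" },
         Cert { subject: "Example Public Intermediate", issuer: PUBLIC_ROOT }]
}
// Chain as re-signed by an inspecting proxy whose CA the host trusts.
fn proxied_chain() -> Vec<Cert> { vec![Cert { subject: HOST, issuer: CORP_CA }] }
// Chain from an interceptor whose CA is in neither store.
fn untrusted_chain() -> Vec<Cert> { vec![Cert { subject: HOST, issuer: "Unlisted CA" }] }

fn main() {
    let cases = [("direct", direct_chain()), ("proxied", proxied_chain()), ("untrusted", untrusted_chain())];
    for (name, chain) in cases {
        println!("{name:9} bundled={:?} system={:?}",
                 verify_chain(&chain, &bundled_roots()), verify_chain(&chain, &system_store()));
    }
}
```

The last case is the one to keep in mind when reviewing a change like this: moving to the system store widens the anchor set to what the host OS trusts, but it does not turn validation off.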