feat(bundler/cli): Add feature flag to use system certificates

[FabianLars]

opening this so i don't forget about it (i doubt that can happen since lately i get at least one report per week about this).

one question though, should we enable this by default or put it behind an env var or cli flag?

[github-actions]

Package Changes Through a691fd7

There are 9 changes which include tauri-cli with minor, @tauri-apps/cli with minor, tauri-utils with minor, tauri-bundler with minor, tauri-macos-sign with minor, tauri-runtime-wry with patch, tauri with minor, @tauri-apps/api with minor, tauri-plugin with minor

Planned Package Versions

The following package releases are the planned based on the context of changes in this pull request.

package	current	next
@tauri-apps/api	2.7.0	2.8.0
tauri-utils	2.6.0	2.7.0
tauri-macos-sign	2.1.0	2.2.0
tauri-bundler	2.5.2	2.6.0
tauri-runtime	2.7.1	2.7.2
tauri-runtime-wry	2.7.2	2.7.3
tauri-codegen	2.3.1	2.3.2
tauri-macros	2.3.2	2.3.3
tauri-plugin	2.3.1	2.4.0
tauri-build	2.3.1	2.3.2
tauri	2.7.0	2.8.0
@tauri-apps/cli	2.7.1	2.8.0
tauri-cli	2.7.1	2.8.0

Add another change file through the GitHub UI by following this link.

---

Read about change files or the docs at github.com/jbolda/covector

[FabianLars]

#13358 is also veryyy loosely related

[Legend-Master]

I'm kinda new to this, what's the reason for us to use webpki-roots + rustls instead of native-tls + rustls-platform-verifier here originally?

[FabianLars]

native-tls kinda sucks (iirc for us it was mostly about cross comp) - i think the ecosystem is also moving away from it (or at least considering it) eg seanmonstar/reqwest#2723

and platform verifier just never was on our minds before / back then 🤷

[FabianLars]

i also don't mind adding it directly but since i don't have any experience with it i thought that's a opt-out would be nice. On the other hand if it were to cause issues we'd release a hotfix that disables it for everyone so idk if the flag really makes sense.

[Legend-Master]

I see, thanks for the explanation and the link

So from my understanding, outside of the cross compilation staffs (we don't cross compile our cli right?), the OS implementation of TLS might be flawed from the discussions under
seanmonstar/reqwest#2025 (comment) ?

I feel like the flag probably doesn't help since that only works if they install the cli through cargo, maybe we could just do it and see if it actually breaks anything

rustls-platform-verifier + rustls seems to be the best option here for an app, the only downside seems to be some Linux distros don't manage the system certificates well?

rust-lang/rustup#3400 (comment)

[FabianLars]

the OS implementation of TLS might be flawed from the discussions under
seanmonstar/reqwest#2025 (comment) ?

guess so? idk, i didn't look that much into it and it was quite some time ago. it just didn't work (well) for us 🤷

I feel like the flag probably doesn't help since that only works if they install the cli through cargo, maybe we could just do it and see if it actually breaks anything

i meant to enable it by default for the js cli as well. either way i guess i just drop the flag?

the only downside seems to be some Linux distros don't manage the system certificates well?

that sucks but i can't say i care 🫠 since this is only concerning dev machines i don't think it matters, what would you like to do?

[Legend-Master]

i meant to enable it by default for the js cli as well. either way i guess i just drop the flag?

To be fair, since we already have a few other related flags, I don't mind having this feature flag

that sucks but i can't say i care 🫠 since this is only concerning dev machines i don't think it matters, what would you like to do?

I would say yeah, go for rustls-platform-verifier + rustls, I believe rustup also uses it so if they would hit the problem installing rust first before hitting this one 🙃