feat(bundler/cli): Add feature flag to use system certificates (#13824)

Author: FabianLars

.changes/feat-bundler-platform-certs.md

@@ -0,0 +1,7 @@
+---
+"tauri-bundler": "minor:enhance"
+"tauri-cli": "minor:enhance"
+"@tauri-apps/cli": "minor:enhance"
+---
+
+The bundler and cli will now read TLS Certificates installed on the system when downloading tools and checking versions.

Cargo.lock

@@ -74,7 +74,8 @@ name = "tauri_bundler"
 path = "src/lib.rs"
 
 [features]
-default = ["rustls"]
+default = ["rustls", "platform-certs"]
 native-tls = ["ureq/native-tls"]
 native-tls-vendored = ["native-tls", "native-tls/vendored"]
 rustls = ["ureq/rustls"]
+platform-certs = ["ureq/platform-verifier"]

crates/tauri-bundler/Cargo.toml

@@ -8,7 +8,7 @@ use std::{
 };
 use ureq::ResponseExt;
 
-use crate::utils::http_utils::download;
+use crate::utils::http_utils::{base_ureq_agent, download};
 
 pub const WEBVIEW2_BOOTSTRAPPER_URL: &str = "https://go.microsoft.com/fwlink/p/?LinkId=2124703";
 pub const WEBVIEW2_OFFLINE_INSTALLER_X86_URL: &str =
@@ -23,10 +23,7 @@ pub const WIX_OUTPUT_FOLDER_NAME: &str = "msi";
 pub const WIX_UPDATER_OUTPUT_FOLDER_NAME: &str = "msi-updater";
 
 pub fn webview2_guid_path(url: &str) -> crate::Result<(String, String)> {
-  let agent: ureq::Agent = ureq::Agent::config_builder()
-    .proxy(ureq::Proxy::try_from_env())
-    .build()
-    .into();
+  let agent = base_ureq_agent();
   let response = agent.head(url).call().map_err(Box::new)?;
   let final_url = response.get_uri().to_string();
   let remaining_url = final_url.strip_prefix(WEBVIEW2_URL_PREFIX).ok_or_else(|| {

crates/tauri-bundler/src/bundle/windows/util.rs

@@ -51,13 +51,26 @@ fn generate_github_alternative_url(url: &str) -> Option<(ureq::Agent, String)> {
 }
 
 fn create_agent_and_url(url: &str) -> (ureq::Agent, String) {
-  generate_github_alternative_url(url).unwrap_or((
-    ureq::Agent::config_builder()
-      .proxy(ureq::Proxy::try_from_env())
-      .build()
-      .into(),
-    url.to_owned(),
-  ))
+  generate_github_alternative_url(url).unwrap_or((base_ureq_agent(), url.to_owned()))
+}
+
+pub(crate) fn base_ureq_agent() -> ureq::Agent {
+  #[cfg(feature = "platform-certs")]
+  let agent: ureq::Agent = ureq::Agent::config_builder()
+    .tls_config(
+      ureq::tls::TlsConfig::builder()
+        .root_certs(ureq::tls::RootCerts::PlatformVerifier)
+        .build(),
+    )
+    .proxy(ureq::Proxy::try_from_env())
+    .build()
+    .into();
+  #[cfg(not(feature = "platform-certs"))]
+  let agent: ureq::Agent = ureq::Agent::config_builder()
+    .proxy(ureq::Proxy::try_from_env())
+    .build()
+    .into();
+  agent
 }
 
 #[allow(dead_code)]

crates/tauri-bundler/src/utils/http_utils.rs

@@ -138,11 +138,12 @@ object = { version = "0.36", default-features = false, features = [
 ar = "0.9"
 
 [features]
-default = ["rustls"]
+default = ["rustls", "platform-certs"]
 native-tls = [
   "tauri-bundler/native-tls",
   "cargo-mobile2/native-tls",
   "ureq/native-tls",
 ]
 native-tls-vendored = ["native-tls", "tauri-bundler/native-tls-vendored"]
 rustls = ["tauri-bundler/rustls", "cargo-mobile2/rustls", "ureq/rustls"]
+platform-certs = ["tauri-bundler/platform-certs", "ureq/platform-verifier"]

crates/tauri-cli/Cargo.toml

@@ -117,6 +117,19 @@ struct CrateIoGetResponse {
 pub fn crate_latest_version(name: &str) -> Option<String> {
   // Reference: https://github.com/rust-lang/crates.io/blob/98c83c8231cbcd15d6b8f06d80a00ad462f71585/src/controllers/krate/metadata.rs#L88
   let url = format!("https://crates.io/api/v1/crates/{name}?include");
+  #[cfg(feature = "platform-certs")]
+  let mut response = {
+    let agent = ureq::Agent::config_builder()
+      .tls_config(
+        ureq::tls::TlsConfig::builder()
+          .root_certs(ureq::tls::RootCerts::PlatformVerifier)
+          .build(),
+      )
+      .build()
+      .new_agent();
+    agent.get(&url).call().ok()?
+  };
+  #[cfg(not(feature = "platform-certs"))]
   let mut response = ureq::get(&url).call().ok()?;
   let metadata: CrateIoGetResponse =
     serde_json::from_reader(response.body_mut().as_reader()).unwrap();