Overview
Package cacerts locates a system-trusted CA bundle for use with subprocesses whose own certificate stores can't be trusted to validate modern TLS chains.
The canonical case is PyInstaller-bundled Python tools (checkov is the one we hit first; infracost, terraform-cost-estimation, snyk, sentry-cli, aws-cli v1, etc. all share the same bundling shape): the frozen `certifi` PEM inside the binary doesn't pick up new intermediate certs or updated chains until the maintainer rebuilds. Setting SSL_CERT_FILE and/or REQUESTS_CA_BUNDLE in the subprocess environment lets those tools fall back to the host's CA store, which is kept up to date by the OS or package manager.
Find() returns the first existing well-known CA bundle path for the host platform, or empty string when none is found. On Windows there is no canonical file-based bundle (the system uses SCHANNEL), so callers should expect "" and let the subprocess fall back to its own logic.
Constants
const (
	EnvSSLCertFile      = "SSL_CERT_FILE"
	EnvRequestsCABundle = "REQUESTS_CA_BUNDLE"
)
EnvVars are the canonical environment variable names downstream tools look at to override their built-in CA store. Setting both covers the common Python landscape: `requests` uses REQUESTS_CA_BUNDLE first; the standard library `ssl` module uses SSL_CERT_FILE.
Variables
This section is empty.
Functions

func Env
Env returns a map suitable for adding to a subprocess environment. Empty when no bundle is found; in that case callers should add nothing (leaving the subprocess to use whatever default it has).
Both EnvSSLCertFile and EnvRequestsCABundle are populated because Python tools split on which env var they honor — `ssl` uses the former, `requests` uses the latter. Setting both is cheap and safe; setting only one risks missing the tool that reads the other.
func Find
func Find() string
Find returns the path to a system-trusted CA bundle for the host platform, or "" when none is found (notably on Windows). The first existing path from `candidates` is returned. The lookup is performed once per process and cached — CA bundle paths don't change during the lifetime of a CLI invocation.
Types
This section is empty.