diff --git a/README.md b/README.md
index 893068978..421680f36 100644
--- a/README.md
+++ b/README.md
@@ -435,8 +435,8 @@ system's certificate store. To instruct uv to use the system's trust store, run
 `--native-tls` command-line flag.
 
 If a direct path to the certificate is required (e.g., in CI), set the `SSL_CERT_FILE` environment
-variable to the path of the certificate bundle (alongside the `--native-tls` flag), to instruct uv
-to use that file instead of the system's trust store.
+variable to the path of the certificate bundle, to instruct uv to use that file instead of the
+system's trust store.
 
 ## Acknowledgements
 
diff --git a/crates/uv-client/src/registry_client.rs b/crates/uv-client/src/registry_client.rs
index b1d6aaf5c..42b12db81 100644
--- a/crates/uv-client/src/registry_client.rs
+++ b/crates/uv-client/src/registry_client.rs
@@ -23,6 +23,7 @@ use pep440_rs::Version;
 use pypi_types::{Metadata23, SimpleJson};
 use uv_auth::safe_copy_url_auth;
 use uv_cache::{Cache, CacheBucket, WheelCache};
+use uv_fs::Simplified;
 use uv_normalize::PackageName;
 use uv_version::version;
 use uv_warnings::warn_user_once;
@@ -119,8 +120,19 @@ impl RegistryClientBuilder {
 
 // Initialize the base client.
 let client = self.client.unwrap_or_else(|| {
+ // Check for the presence of an `SSL_CERT_FILE`.
+ let ssl_cert_file_exists = env::var_os("SSL_CERT_FILE").is_some_and(|path| {
+ let path_exists = Path::new(&path).exists();
+ if !path_exists {
+ warn_user_once!(
+ "Ignoring invalid `SSL_CERT_FILE`. File does not exist: {}.",
+ path.simplified_display()
+ );
+ }
+ path_exists
+ });
 // Load the TLS configuration.
- let tls = tls::load(if self.native_tls {
+ let tls = tls::load(if self.native_tls || ssl_cert_file_exists {
 Roots::Native
 } else {
 Roots::Webpki
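Review bot: The `Path::new(&path).exists()` test inside the `is_some_and` closure is weaker than the warning text implies: it returns true for a directory and false for a permission or I/O error, which is then reported as "File does not exist". `let path_exists = Path::new(&path).is_file();` would at least reject directories. When the test fails and `--native-tls` is not set, the selection falls through to `Roots::Webpki`, so a mistyped `SSL_CERT_FILE` in CI leaves the client trusting the bundled public roots instead of the bundle the operator meant to use, with only a once-per-run warning. That choice deserves a comment such as `// An unusable SSL_CERT_FILE is ignored rather than fatal; the default roots are used.`, or a hard error if failing closed is preferred. Whether `Roots::Native` then actually reads `SSL_CERT_FILE` is decided in `tls::load`, which is outside this hunk, as is the rest of the `unwrap_or_else` closure.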