Commit 4f0ab56

ci(sfw): restore VP_INSECURE_TLS — sfw v1.11.0 still has the EKU bug
The dropped-VP_INSECURE_TLS experiment confirmed via the now-readable error chain that sfw v1.11.0 (releases/latest as of 2026-05-28) still issues a CA cert with a present-but-empty Extended Key Usage:

    error sending request for url (https://nodejs.org/.../SHASUMS256.txt):
      client error (Connect): invalid peer certificate: UnknownIssuer

(The new error-chain formatter from f105aa9 made the actual rustls reason visible — previously the same failure looked like a generic "error sending request" with no hint.)

macOS happened to pass without the flag only because that runner had Node 22.18.0 already cached, so vp didn't have to fetch SHASUMS via sfw — not a real fix.

Restore VP_INSECURE_TLS=1 on the sfw step (scoped to that step only to keep build/setup steps unaffected). The plumbing — HTTPS_PROXY + SSL_CERT_FILE + add_root_certificate — is still exercised end-to-end; only certificate *validity* is bypassed until SocketDev/sfw-free#30 and #43 ship.
1 parent 8cfc0a6 commit 4f0ab56

1 file changed

Lines changed: 12 additions & 0 deletions

.github/workflows/ci.yml

@@ -982,6 +982,18 @@ jobs:
982982
run: sfw --version
983983

984984
- name: Run `sfw vp install` against a real repo
985+
# TODO(SocketDev/sfw-free#30, SocketDev/sfw-free#43): drop `VP_INSECURE_TLS`
986+
# once sfw ships the EKU fix. Verified against sfw v1.11.0
987+
# (releases/latest as of 2026-05-28) on Linux: vp's HTTPS request to
988+
# nodejs.org through sfw still fails with
989+
# "invalid peer certificate: UnknownIssuer"
990+
# because sfw's CA carries a present-but-empty Extended Key Usage
991+
# extension that rustls rejects. macOS happened to pass only because
992+
# the runner already has Node 22.18.0 cached, so vp didn't have to
993+
# traverse sfw for SHASUMS — not a fix. Keep this flag on every
994+
# matrix entry until upstream ships the EKU fix.
995+
env:
996+
VP_INSECURE_TLS: '1'
985997
run: |
986998
set -euo pipefail
987999
# Force the registry-fetch path: install a pinned pnpm globally so
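
Review bot: the added `env:` block sets `VP_INSECURE_TLS: '1'` unconditionally, so the only thing that will ever retire the bypass is someone rereading the TODO. The comment ties the verification to sfw v1.11.0 and the preceding step already runs `sfw --version`, so consider failing or warning when the reported version is newer than v1.11.0, or adding a non-blocking run of this step without the flag, so the workaround is dropped as soon as SocketDev/sfw-free#30 and #43 ship. While the flag is set this step does not demonstrate that certificate validation through sfw's CA works, and the comment could say that explicitly so a green run is not read as TLS coverage. Because the step goes on to fetch and install a pinned pnpm with validation off, it is also worth confirming that no secrets are exposed to this step's environment.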
