Commit d5d5966
committed
ci(sfw): restore VP_INSECURE_TLS — sfw v1.11.0 still has the EKU bug
The dropped-VP_INSECURE_TLS experiment confirmed via the now-readable
error chain that sfw v1.11.0 (releases/latest as of 2026-05-28) still
issues a CA cert with a present-but-empty Extended Key Usage:
error sending request for url (https://nodejs.org/.../SHASUMS256.txt):
client error (Connect): invalid peer certificate: UnknownIssuer
(The new error-chain formatter from f105aa9 made the actual rustls
reason visible — previously the same failure looked like a generic
"error sending request" with no hint.)
macOS happened to pass without the flag only because that runner had
Node 22.18.0 already cached, so vp didn't have to fetch SHASUMS via
sfw — not a real fix.
Restore VP_INSECURE_TLS=1 on the sfw step (scoped to that step only
to keep build/setup steps unaffected). The plumbing — HTTPS_PROXY +
SSL_CERT_FILE + add_root_certificate — is still exercised end-to-end;
only certificate *validity* is bypassed until SocketDev/sfw-free#30
and #43 ship.1 parent 5dd1f99 commit d5d5966
1 file changed
Lines changed: 12 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
982 | 982 | | |
983 | 983 | | |
984 | 984 | | |
| 985 | + | |
| 986 | + | |
| 987 | + | |
| 988 | + | |
| 989 | + | |
| 990 | + | |
| 991 | + | |
| 992 | + | |
| 993 | + | |
| 994 | + | |
| 995 | + | |
| 996 | + | |
985 | 997 | | |
986 | 998 | | |
987 | 999 | | |
| |||
0 commit comments