vscode/proxy-agent uses untrusted certificates on macOS #247003

tmm1 · 2025-04-20T03:40:53Z

Does this issue occur when all extensions are disabled?: Yes

VS Code Version: any
OS Version: macOS

Steps to Reproduce:

on macOS, vscode/proxy-agent uses:

https://github.com/microsoft/vscode-proxy-agent/blob/ef240a475dd742e2ecfcb65b0a1722817aacce81/src/index.ts#L860-L862

async function readMacCaCertificates() {
	const stdout = await new Promise<string>((resolve, reject) => {
		const child = cp.spawn('/usr/bin/security', ['find-certificate', '-a', '-p']);

this returns all the certificates in the keychain, regardless of trust settings. by default, when installing a new cert on modern version of macOS, it is not trusted:

contrast this with the new --use-system-ca flag in nodejs v23, which looks at the individual trust settings of each imported cert:

https://github.com/nodejs/node/blob/25842c5e35efb45df169e591c775a3c4f853556d/src/crypto/crypto_context.cc#L367-L375

TrustStatus IsTrustSettingsTrustedForPolicy(CFArrayRef trust_settings,
                                            bool is_self_issued) {
  // The trust_settings parameter can return a valid but empty CFArrayRef.
  // This empty trust-settings array means “always trust this certificate”
  // with an overall trust setting for the certificate of
  // kSecTrustSettingsResultTrustRoot
  if (CFArrayGetCount(trust_settings) == 0) {
    return is_self_issued ? TrustStatus::TRUSTED : TrustStatus::UNSPECIFIED;
  }

The text was updated successfully, but these errors were encountered:

vs-code-engineering bot assigned chrmarti Apr 20, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

vscode/proxy-agent uses untrusted certificates on macOS #247003

vscode/proxy-agent uses untrusted certificates on macOS #247003

tmm1 commented Apr 20, 2025

vscode/proxy-agent uses untrusted certificates on macOS #247003

vscode/proxy-agent uses untrusted certificates on macOS #247003

Comments

tmm1 commented Apr 20, 2025