feat: keep backwards compatibility with SSL_CERT_FILE without requiring --native-tls (#2401)

## Summary Small follow up to https://github.com/astral-sh/uv/pull/2362 to check if `SSL_CERT_FILE` is set to enable `--native-tls` functionality. This maintains backwards compatibility with `0.1.17` and below users leveraging only `SSL_CERT_FILE`. Closes https://github.com/astral-sh/uv/issues/2400 ## Test Plan  Assuming `SSL_CERT_FILE` is already working via `--native-tls`, this is simply a shortcut to enable `--native-tls` functionality implicitly while still being able to let `rustls-native-certs` handle the loading of `SSL_CERT_FILE` instead of ourselves. Edit: Manually tested by setting up own self-signed CA certificate bundle and set `SSL_CERT_FILE` to this and confirmed the loading happens without having to specify `--native-tls`.
2025-08-04 10:58:28 +00:00 · 2024-03-13 00:33:10 -04:00 · 2024-03-13 00:33:10 -04:00 · e0ac5b4e84
commit e0ac5b4e84
parent 99c992e38b
2 changed files with 15 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -435,8 +435,8 @@ system's certificate store. To instruct uv to use the system's trust store, run
 `--native-tls` command-line flag.

 If a direct path to the certificate is required (e.g., in CI), set the `SSL_CERT_FILE` environment
-variable to the path of the certificate bundle (alongside the `--native-tls` flag), to instruct uv
-to use that file instead of the system's trust store.
+variable to the path of the certificate bundle, to instruct uv to use that file instead of the
+system's trust store.

 ## Acknowledgements

--- a/crates/uv-client/src/registry_client.rs
+++ b/crates/uv-client/src/registry_client.rs
@ -23,6 +23,7 @@ use pep440_rs::Version;
 use pypi_types::{Metadata23, SimpleJson};
 use uv_auth::safe_copy_url_auth;
 use uv_cache::{Cache, CacheBucket, WheelCache};
+use uv_fs::Simplified;
 use uv_normalize::PackageName;
 use uv_version::version;
 use uv_warnings::warn_user_once;
@ -119,8 +120,19 @@ impl RegistryClientBuilder {

        // Initialize the base client.
        let client = self.client.unwrap_or_else(|| {
+            // Check for the presence of an `SSL_CERT_FILE`.
+            let ssl_cert_file_exists = env::var_os("SSL_CERT_FILE").is_some_and(|path| {
+                let path_exists = Path::new(&path).exists();
+                if !path_exists {
+                    warn_user_once!(
+                        "Ignoring invalid `SSL_CERT_FILE`. File does not exist: {}.",
+                        path.simplified_display()
+                    );
+                }
+                path_exists
+            });
            // Load the TLS configuration.
-            let tls = tls::load(if self.native_tls {
+            let tls = tls::load(if self.native_tls || ssl_cert_file_exists {
                Roots::Native
            } else {
                Roots::Webpki