| 18 Nov 2025 |
WeetHet | What do they propose people use instead? | 18:53:53 |
Randy Eckenrode | Eventually if/when we get a rustPackages, we can patch it not to do that. | 18:53:54 |
WeetHet | What does swift use? | 18:54:34 |
Randy Eckenrode | Network.framework. According to the curl devs, it doesn't look straightforward to use for what they need. | 18:55:10 |
WeetHet | apple's swift-nio uses boringssl | 18:55:47 |
Randy Eckenrode | Out of the box, it provides whatever frameworks are in the SDK. SwiftNIO appears to use Network.framework. | 18:59:28 |
Randy Eckenrode | * Out of the box, it provides whatever frameworks are in the SDK. SwiftNIO appears to use Network.framework. | 18:59:38 |
WeetHet | https://github.com/apple/swift-nio-ssl claims BoringSSL | 18:59:56 |
Randy Eckenrode | https://github.com/apple/swift-nio-transport-services | 19:00:01 |
Randy Eckenrode | It supports multiple TLS implementations. The latter is the one that does platform integration on Darwin platforms. | 19:00:52 |
WeetHet | rustls also supports native keychain via https://lib.rs/crates/rustls-native-certs so even without Secure.framework someone might want to use keychain | 19:04:07 |
WeetHet | I'm not sure what sandbox privileges it needs though | 19:04:21 |
WeetHet | com.apple.SecurityServer is seemingly a Secure.framework thing | 19:07:01 |
WeetHet | Okay it fails on an unrelated thing, because it tries to access system proxy by default and gets
2025-11-18 21:23:01.093926+0200 localhost kernel[0]: (Sandbox) Sandbox: test-native(79417) deny(1) mach-lookup com.apple.SystemConfiguration.configd
| 19:29:06 |
WeetHet | Why don't you work...
fetched-content> Error: reqwest::Error { kind: Request, url: "https://dummyjson.com/test", source: hyper_util::client::legacy::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) } }) }
building of '/nix/store/z3lg2ccma5grszxmkwdwvibdzlpd2gl0-fetched-content.drv^out' from .drv file: build done
killing process 71696
builder process for '/nix/store/z3lg2ccma5grszxmkwdwvibdzlpd2gl0-fetched-content.drv' finished
killing all processes running under uid '351'
lock released on '/nix/store/vjl83xzpf5nxihbp164nm7n1dakl85pj-fetched-content.lock'
building of '/nix/store/z3lg2ccma5grszxmkwdwvibdzlpd2gl0-fetched-content.drv^out' from .drv file: done
building of '/nix/store/z3lg2ccma5grszxmkwdwvibdzlpd2gl0-fetched-content.drv^out' from .drv file: goal destroyed
error: builder for '/nix/store/z3lg2ccma5grszxmkwdwvibdzlpd2gl0-fetched-content.drv' failed with exit code 1;
last 1 log lines:
> Error: reqwest::Error { kind: Request, url: "https://dummyjson.com/test", source: hyper_util::client::legacy::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) } }) }
For full logs, run:
nix-store -l /nix/store/z3lg2ccma5grszxmkwdwvibdzlpd2gl0-fetched-content.drv
| 21:06:53 |
Randy Eckenrode | Invalid certificate this time. Is the CA supposed to be in Keychain? | 21:10:24 |
WeetHet | I'm working through the sandbox errors | 21:11:00 |
WeetHet | For now I'm just allowing everything that fails | 21:11:11 |
WeetHet | Then I'm gonna minimise the profile | 21:11:34 |
WeetHet | This is for
[package]
name = "test-native"
version = "0.1.0"
edition = "2024"
[dependencies]
tokio = { version = "1.48.0", features = ["macros", "rt-multi-thread"] }
[dependencies.reqwest]
version = "0.12.24"
default-features = false
features = [
"rustls-tls-native-roots",
"charset",
"http2",
"system-proxy"
]
| 21:12:14 |
WeetHet | Fixing the system-proxy failure was easy but rustls-tls-native-roots does something weird | 21:13:13 |
WeetHet | It's not pretty:
; Allow system proxy
(allow mach-lookup (global-name "com.apple.SystemConfiguration.configd"))
; Allow native TLS
(allow mach-lookup
(global-name "com.apple.SecurityServer"))
(allow file-read-data
(literal "/Library/Keychains/System.keychain")
(literal "/System/Library/Keychains/SystemRootCertificates.keychain")
(literal "/System/Library/Keychains/SystemTrustSettings.plist"))
(allow file-read-metadata
(literal "/Library/Keychains/System.keychain")
(literal "/System/Library/Keychains/SystemRootCertificates.keychain")
(literal "/System/Library/Keychains/SystemTrustSettings.plist"))
| 21:40:48 |
WeetHet | * It's not pretty:
; Allow system proxy
(allow mach-lookup (global-name "com.apple.SystemConfiguration.configd"))
; Allow native TLS
(allow mach-lookup
(global-name "com.apple.SecurityServer"))
(allow file-read-data
(literal "/Library/Keychains/System.keychain")
(literal "/System/Library/Keychains/SystemRootCertificates.keychain")
(literal "/System/Library/Keychains/SystemTrustSettings.plist"))
| 21:42:26 |
WeetHet | Need to test with an actual nix-build still but I think this is all | 21:43:08 |
WeetHet | * It's not pretty:
; Allow system proxy
(allow mach-lookup (global-name "com.apple.SystemConfiguration.configd"))
; Allow native TLS
(allow mach-lookup (global-name "com.apple.SecurityServer"))
(allow file-read-data
(literal "/Library/Keychains/System.keychain")
(literal "/System/Library/Keychains/SystemRootCertificates.keychain")
(literal "/System/Library/Keychains/SystemTrustSettings.plist"))
| 21:44:34 |
WeetHet | None of these can be removed | 21:44:50 |
WeetHet | Wait it doesn't work | 21:47:15 |
WeetHet | Wait what | 22:28:27 |