add: additional key path for macos

[ajbt200128]

On MacOS it's normal[1] to add custom certificates to /Library/Keychains/System.keychain in addition to /System/Library/Keychains/SystemRootCertificates.keychain. This PR now checks both locations and concatenates them

[1] https://apple.stackexchange.com/questions/53579/how-is-the-system-keychain-secured-in-os-x

[hannesm]

Thanks for your contribution, I had some minor remarks. Would be great to address them, then I can merge and cut a release.

[hannesm]

I took the liberty to rebase to main and update the code as reviewed.

[hannesm]

The remaining question I have is: from your linked stackoverflow article, "The System Keychain, /Library/Keychains/System.keychain, is a special Keychain for Apple and daemons to use. You should generally avoid using it for user level scripts."

So, are you sure that path should be added by default to the root certificates / trust anchors? Is there some authoritative documentation (from Apple) suggesting this? I'm not sure I follow your changes, and think that #20 is related -- so anyone with a macOS machine and some binding experience, it would be great to use the macOS API instead of security find-certificate

[ajbt200128]

I dug around and couldn't find anything on what to do with ssl certificates specifically, it looks like there is a per-user keychain though, so we could try using that one w/the apple API. But in general all of the programs I've used that require self signed certs (i.e proxies) usually ask users to use the system keychain

[hannesm]

Thanks for your research. When you say "all of the programs I've used that require self signed certs (i.e proxies) usually ask users to use the system keychain", are those being installed into /System/Library/Keychains/SystemRootCertificates.keychain?

[hannesm]

After some time passed by, I'm fine to merge this finally. Thanks a lot. If there's any drawback, I'm sure some macOS user will report.