Skip to content

fix: loading of uv certificates#5313

Merged
tdejager merged 1 commit intoprefix-dev:mainfrom
tdejager:fix/uv-cert-loading
Jan 16, 2026
Merged

fix: loading of uv certificates#5313
tdejager merged 1 commit intoprefix-dev:mainfrom
tdejager:fix/uv-cert-loading

Conversation

@tdejager
Copy link
Contributor

@tdejager tdejager commented Jan 16, 2026

Description

Fixes: prefix-dev/pixi-docker#134

This changes the way when we tell uv to load the built-in certificates.

How Has This Been Tested?

Test reproduction:

FROM ghcr.io/prefix-dev/pixi:0.63.1
COPY pyproject.toml ./
RUN pixi install

With a pyproject.toml containing a PyPI dependency (e.g., polars).

E.g

# pyproject.toml
[project]
dependencies = []
name = "tmp.s5BuMt3dvU"
requires-python = ">= 3.11"
version = "0.1.0"

[build-system]
build-backend = "hatchling.build"
requires = ["hatchling"]

[tool.pixi.workspace]
channels = ["conda-forge"]
platforms = ["osx-arm64", "linux-aarch64", "linux-64"]

[tool.pixi.pypi-dependencies]
polars = "*"

Verified this by: Built pixi from this branch inside a Docker container and confirmed pixi install now succeeds without certificate errors. Like this

# Build stage - compile pixi from source
FROM rust:1.86 AS builder
WORKDIR /build
COPY pixi-src/ .
RUN cargo build -p pixi

# Runtime stage
FROM ghcr.io/prefix-dev/pixi:0.63.1
COPY --from=builder /build/target/debug/pixi /usr/local/bin/pixi
COPY pyproject.toml ./
# COPY pixi.lock ./
RUN pixi install

This means pixi-src needs to be available :)

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas

tdejager
tdejager commented Jan 16, 2026
View reviewed changes
crates/pixi_utils/src/reqwest.rs
Comment on lines +72 to +74
pub fn should_use_native_tls_for_uv() -> bool {
return tls_backend() == "native-tls";
}
Copy link
Contributor Author

@tdejager tdejager Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now just enable native-tls when we do.

tdejager
tdejager commented Jan 16, 2026
View reviewed changes
crates/pixi_utils/src/reqwest.rs
/// Determines whether we should load all builtin certificates
/// for uv
pub fn should_use_builtin_certs_uv(config: &Config) -> bool {
matches!(config.tls_root_certs(), pixi_config::TlsRootCerts::All)
Copy link
Contributor Author

@tdejager tdejager Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When it's all we use (all) builtin.

@tdejager tdejager force-pushed the fix/uv-cert-loading branch from e5453d3 to 9291616 Compare January 16, 2026 13:24
@tdejager tdejager requested a review from nichmor January 16, 2026 13:27
@tdejager tdejager force-pushed the fix/uv-cert-loading branch from 9291616 to 8f1a07c Compare January 16, 2026 13:52
@tdejager tdejager enabled auto-merge (squash) January 16, 2026 14:36
@tdejager tdejager merged commit 27f7ad6 into prefix-dev:main Jan 16, 2026
105 of 107 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Jan 19, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nichmor nichmor nichmor approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

certificate error on 0.63.0/0.63.1 when using pypi-dependencies

2 participants

@tdejager @nichmor