Load certificates from systems keychain on darwin #8844
Conversation
The system's root keychain contains well-known root certificates, yet is non-modifiable. As such, internal CA certificates (both root and intermediate) tend to get installed into the system keychain in the context of a private organization. Not loading certs from this keychain results in differing behavior from other tools (e.g., openssl, curl, etc.). This commit changes that so that ssl in conjunction with public_key just works in such environments.
CT Test Results: 2 files, 17 suites, 5m 29s ⏱️. Results for commit e461e03. ♻️ This comment has been updated with latest results. To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass. See the TESTING and DEVELOPMENT HowTo guides for details about how to run tests locally. Artifacts. (Erlang/OTP Github Action Bot)
Note that a test in the appropriate test suite has not been added; I wasn't sure how that would play out since an import call would be needed and may require a password. To manually test this, one simply needs to install a certificate into the system keychain, start up erl, then verify the presence of the installed cert via
Confirmed, this cannot be easily tested in a suite.
@starbelly ping
Apologies, I'll look at this tomorrow. Work whisked me away 😄
@dgud is the OTP team ok with having a test that is only run when an environment variable is set? My thought here is that if in a VM on GitHub, we can import certs conditionally per an env var; this would solve the issue of not importing a cert on people's machines when they're running tests locally.
Should we just skip it for now? We don't have any GitHub Action tests on Darwin now, and adding tests
In this case I will adjust so that it doesn't result in a total failure if the system keychain cannot be read, per your suggestion.
Done.
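The manual check described in the PR description and in the comment above (install an internal CA into the system keychain, start erl, confirm the cert is now among the loaded CA certificates) can be scripted. The escript below is an added example written for this page, not code from the PR or from Erlang/OTP: it reads a PEM file, compares each certificate's DER bytes against what `public_key:cacerts_get/0` returns, and reports any that are missing. It assumes OTP 25 or later (where `cacerts_get/0` and the `#cert{}` record from `public_key/include/public_key.hrl` exist); the file path in the usage line is hypothetical.

```erlang
#!/usr/bin/env escript
%% Added example (not part of the PR): verify that the CA certificate(s) in a
%% PEM file are part of the OS trust store that public_key loads.
%% Usage (path is hypothetical): escript check_keychain_cert.erl /tmp/internal-ca.pem
%% Exit codes: 0 = all present, 1 = at least one missing, 2 = OS CA store unreadable.
-include_lib("public_key/include/public_key.hrl").

main([PemPath]) ->
    {ok, Pem} = file:read_file(PemPath),
    %% Every certificate entry in the PEM file, as DER binaries.
    Wanted = [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)],
    %% cacerts_get/0 loads the OS trust store on first use and raises if
    %% nothing could be loaded, so a failure here means the keychain (or
    %% other OS store) could not be read at all.
    Loaded = try
                 public_key:cacerts_get()
             catch
                 Class:Reason ->
                     io:format("could not load OS CA certificates: ~p:~p~n", [Class, Reason]),
                     halt(2)
             end,
    LoadedDers = [D || #cert{der = D} <- Loaded],
    %% Exact DER equality: the same certificate as installed, not merely the same subject.
    Missing = [Der || Der <- Wanted, not lists:member(Der, LoadedDers)],
    case Missing of
        [] ->
            io:format("all ~p certificate(s) from ~s are in the loaded CA set (~p total)~n",
                      [length(Wanted), PemPath, length(Loaded)]),
            halt(0);
        _ ->
            [io:format("missing from loaded CA set: ~s~n", [subject(Der)]) || Der <- Missing],
            halt(1)
    end;
main(_) ->
    io:format("usage: check_keychain_cert.erl <ca.pem>~n"),
    halt(64).

%% Human-readable subject of a DER certificate, for the report.
subject(Der) ->
    #'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{subject = Subject}} =
        public_key:pkix_decode_cert(Der, otp),
    lists:flatten(io_lib:format("~p", [Subject])).
```

Run it once before installing the certificate into the system keychain (expect exit code 1) and once after (expect 0); a 2 both times indicates the trust store itself could not be read, which is the failure mode the later comments in this thread decided should not bring down the whole load.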
Resolves #8813