[curl] Add apple-sectrust feature by awesomekling · Pull Request #51089 · microsoft/vcpkg

awesomekling · 2026-04-10T09:27:00Z

Expose curl's USE_APPLE_SECTRUST option as a macOS-only feature.

This lets ports opt into Apple's native certificate verification for compatible curl TLS backends without changing curl's default behavior.

This can avoid certificate verification failures on macOS for sites that are trusted by the system trust store but not by a plain OpenSSL setup.

Changes comply with the maintainer guide.
~~SHA512s are updated for each updated download.~~
The "supports" clause reflects platforms that may be fixed by this new version, or no changes were necessary.
Any fixed CI baseline and CI feature baseline entries are removed from that file, or no entries needed to be changed.
All patch files in the port are applied and succeed.
The version database is fixed by rerunning ./vcpkg x-add-version --all and committing the result.
Exactly one version is added in each modified versions file.

awesomekling · 2026-04-10T09:28:22Z

@microsoft-github-policy-service agree

BillyONeal

I think you need a

curl[core,apple-sectrust,mbedtls]=options
curl[core,apple-sectrust,wolfssl]=options

in ci.feature.baseline.txt. But I also don't see why this really should be a feature in the first place....

BillyONeal · 2026-04-10T20:29:57Z

ports/curl/portfile.cmake

    list(APPEND FEATURE_OPTIONS -DCURL_USE_SCHANNEL=ON)
 endif()

+if("apple-sectrust" IN_LIST FEATURES)


Should this even be a feature or should we always just do it? (It's hard to imagine a case where one does not want this behavior)

BillyONeal · 2026-04-10T20:32:12Z

ports/curl/portfile.cmake

-        rtmp        USE_LIBRTMP
-        httpsrr     USE_HTTPSRR
-        ssls-export USE_SSLS_EXPORT
+        apple-sectrust USE_APPLE_SECTRUST


This looks like a newlines change but it isn't, the file is still correctly LF, this is just inserting extra spaces to get the options to line up again now that apple-sectrust is longer.

No change requested.

BillyONeal · 2026-04-10T21:04:22Z

It looks like this doesn't currently blow up because we already have:

curl[core,http3,gnutls]=options
curl[core,http3,mbedtls]=options
curl[core,http3,wolfssl]=options

so the combined feature test picks http3 and excludes gnutls, mbedtls and wolfssl. But I still think we should add lines for this (if it remains as a feature)

dg0yt · 2026-04-11T06:13:30Z

ports/curl/vcpkg.json

+      "dependencies": [
+        "openssl"
+      ]
+    },


Does this feature depend on openssl libs?

And do we want an apple-specific feature? A similar capability exists for Windows (CURL_CA_NATIVE).

[curl] Add apple-sectrust feature

b69de3f

BillyONeal reviewed Apr 10, 2026

View reviewed changes

BillyONeal marked this pull request as draft April 11, 2026 00:36

dg0yt reviewed Apr 11, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[curl] Add apple-sectrust feature#51089

[curl] Add apple-sectrust feature#51089
awesomekling wants to merge 1 commit intomicrosoft:masterfrom
awesomekling:curl-apple-sectrust

awesomekling commented Apr 10, 2026

Uh oh!

awesomekling commented Apr 10, 2026

Uh oh!

BillyONeal left a comment

Uh oh!

BillyONeal Apr 10, 2026

Uh oh!

BillyONeal Apr 10, 2026

Uh oh!

BillyONeal commented Apr 10, 2026

Uh oh!

dg0yt Apr 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

awesomekling commented Apr 10, 2026

Uh oh!

awesomekling commented Apr 10, 2026

Uh oh!

BillyONeal left a comment

Choose a reason for hiding this comment

Uh oh!

BillyONeal Apr 10, 2026

Choose a reason for hiding this comment

Uh oh!

BillyONeal Apr 10, 2026

Choose a reason for hiding this comment

Uh oh!

BillyONeal commented Apr 10, 2026

Uh oh!

dg0yt Apr 11, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants