From ad641e5d61aab8bf3ab24e9d0c9faf16ec5be10c Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 15 Apr 2026 13:03:39 +0200
Subject: [PATCH 1/2] cmd/docker-trust: use stdlib's x509.SystemCertPool on Windows
The `tlsconfig.SystemCertPool` utility in go-connections was added in [docker/go-connections@55aadc3], at which time Go stdlib didn't support system-pools ([x509.SystemCertPool]) on Windows, so an empty pool was constructed. Support for system pools on Windows originally added in Go 1.8 (through [golang/go@05471e9]), but reverted, and re-implemented in Go 1.18 (through [golang/go@3544082]). Go 1.18 and up now implement this, but, unlike Linux, which uses a pure-Go implementation, certificate validation is handled by the system:
> On macOS and Windows, certificate verification is handled by system APIs,
> but the package aims to apply consistent validation rules across operating
> systems.
On macOS and Windows, x509.SystemCertPool returns an empty Pool, with the `systemPool` set to `true` (see [loadSystemRoots]). This must be considered an implementation detail; custom CAs can be appended to this pool, and handled as usual. This patch removes the special handling on Windows, removing the dependency on go-connections for this part.
[docker/go-connections@55aadc3]: https://github.com/docker/go-connections/commit/55aadc3cc561684699edcdd0921b9293c3ee6b49
[golang/go@05471e9]: https://github.com/golang/go/commit/05471e9ee64a300bd2dcc4582ee1043c055893bb
[golang/go@3544082]: https://github.com/golang/go/commit/3544082f75fd3d2df7af237ed9aef3ddd499ab9c
[x509.SystemCertPool]: https://pkg.go.dev/crypto/x509#SystemCertPool
[loadSystemRoots]: https://cs.opensource.google/go/go/+/refs/tags/go1.26.1:src/crypto/x509/root_windows.go;l=15-17
Signed-off-by: Sebastiaan van Stijn
---
 cmd/docker-trust/internal/registry/registry.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cmd/docker-trust/internal/registry/registry.go b/cmd/docker-trust/internal/registry/registry.go
index dce11dcc0691..e7c228490082 100644
--- a/cmd/docker-trust/internal/registry/registry.go
+++ b/cmd/docker-trust/internal/registry/registry.go
@@ -4,13 +4,13 @@ package registry
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net/http"
 	"os"
 	"path/filepath"
 
 	"github.com/docker/distribution/registry/client/transport"
-	"github.com/docker/go-connections/tlsconfig"
 	"github.com/sirupsen/logrus"
 )
 
@@ -48,7 +48,7 @@ func loadTLSConfig(ctx context.Context, directory string, tlsConfig *tls.Config)
 		switch filepath.Ext(f.Name()) {
 		case ".crt":
 			if tlsConfig.RootCAs == nil {
-				systemPool, err := tlsconfig.SystemCertPool()
+				systemPool, err := x509.SystemCertPool()
 				if err != nil {
 					return invalidParam(fmt.Errorf("unable to get system cert pool: %w", err))
 				}
From 0d32fde8e3df94bd56ef7d35949282f356c4fd55 Mon Sep 17 00:00:00 2001
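Review bot: The trust semantics on Windows and macOS change in the `.crt` branch and nothing at the call site records it: the stdlib pool returned there is empty but flagged as the system pool, so, as I read crypto/x509's Verify, a chain is first checked against the platform trust store and only on failure against the `.crt` files this loop appends, whereas the removed helper's empty pool (per the commit message) meant only those `.crt` files were trusted on Windows. I would put above the call `// On macOS and Windows this pool is empty but marked as the system pool, so chains` / `// are verified by the platform store first and only then against the .crt files appended below.` The identical hunk in internal/registry/registry.go in the second patch needs the same comment. loadTLSConfig begins and ends outside the hunk.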
From: Sebastiaan van Stijn
Date: Wed, 15 Apr 2026 13:04:15 +0200
Subject: [PATCH 2/2] internal/registry: use stdlib's x509.SystemCertPool on Windows
The `tlsconfig.SystemCertPool` utility in go-connections was added in [docker/go-connections@55aadc3], at which time Go stdlib didn't support system-pools ([x509.SystemCertPool]) on Windows, so an empty pool was constructed. Support for system pools on Windows originally added in Go 1.8 (through [golang/go@05471e9]), but reverted, and re-implemented in Go 1.18 (through [golang/go@3544082]). Go 1.18 and up now implement this, but, unlike Linux, which uses a pure-Go implementation, certificate validation is handled by the system:
> On macOS and Windows, certificate verification is handled by system APIs,
> but the package aims to apply consistent validation rules across operating
> systems.
On macOS and Windows, x509.SystemCertPool returns an empty Pool, with the `systemPool` set to `true` (see [loadSystemRoots]). This must be considered an implementation detail; custom CAs can be appended to this pool, and handled as usual. This patch removes the special handling on Windows, removing the dependency on go-connections for this part.
[docker/go-connections@55aadc3]: https://github.com/docker/go-connections/commit/55aadc3cc561684699edcdd0921b9293c3ee6b49
[golang/go@05471e9]: https://github.com/golang/go/commit/05471e9ee64a300bd2dcc4582ee1043c055893bb
[golang/go@3544082]: https://github.com/golang/go/commit/3544082f75fd3d2df7af237ed9aef3ddd499ab9c
[x509.SystemCertPool]: https://pkg.go.dev/crypto/x509#SystemCertPool
[loadSystemRoots]: https://cs.opensource.google/go/go/+/refs/tags/go1.26.1:src/crypto/x509/root_windows.go;l=15-17
Signed-off-by: Sebastiaan van Stijn
---
 internal/registry/registry.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/internal/registry/registry.go b/internal/registry/registry.go
index 7832529ee671..667f129bc1e4 100644
--- a/internal/registry/registry.go
+++ b/internal/registry/registry.go
@@ -4,6 +4,7 @@ package registry
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net"
 	"net/http"
@@ -74,7 +75,7 @@ func loadTLSConfig(ctx context.Context, directory string, tlsConfig *tls.Config)
 		switch filepath.Ext(f.Name()) {
 		case ".crt":
 			if tlsConfig.RootCAs == nil {
-				systemPool, err := tlsconfig.SystemCertPool()
+				systemPool, err := x509.SystemCertPool()
 				if err != nil {
 					return invalidParam(fmt.Errorf("unable to get system cert pool: %w", err))
 				}