Does this issue occur when all extensions are disabled?: Yes
- VS Code Version: any
- OS Version: macOS
Steps to Reproduce:
On macOS, vscode/proxy-agent uses:
https://github.com/microsoft/vscode-proxy-agent/blob/ef240a475dd742e2ecfcb65b0a1722817aacce81/src/index.ts#L860-L862

```ts
async function readMacCaCertificates() {
	const stdout = await new Promise<string>((resolve, reject) => {
		const child = cp.spawn('/usr/bin/security', ['find-certificate', '-a', '-p']);
```
This returns all the certificates in the keychain, regardless of trust settings. By default, when installing a new cert on a modern version of macOS, it is not trusted.

Contrast this with the new `--use-system-ca` flag in Node.js v23, which looks at the individual trust settings of each imported cert:
https://github.com/nodejs/node/blob/25842c5e35efb45df169e591c775a3c4f853556d/src/crypto/crypto_context.cc#L367-L375

```cpp
TrustStatus IsTrustSettingsTrustedForPolicy(CFArrayRef trust_settings,
                                            bool is_self_issued) {
  // The trust_settings parameter can return a valid but empty CFArrayRef.
  // This empty trust-settings array means “always trust this certificate”
  // with an overall trust setting for the certificate of
  // kSecTrustSettingsResultTrustRoot
  if (CFArrayGetCount(trust_settings) == 0) {
    return is_self_issued ? TrustStatus::TRUSTED : TrustStatus::UNSPECIFIED;
  }
```
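
One way to filter the keychain dump by trust before it is used as a CA list, as an added example (not code from vscode-proxy-agent or Node.js). It assumes `security verify-cert` as the per-certificate trust check; the function names and the sample bundle are constructed for illustration.

```javascript
// Added example, not vscode-proxy-agent code. All names here are hypothetical.
const PEM_RE = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;
const pemOf = (body) => `-----BEGIN CERTIFICATE-----\n${body}\n-----END CERTIFICATE-----`;

// Constructed stand-in for `security find-certificate -a -p` output. The bodies
// are placeholders, not real certificates; the first entry appears twice.
const SAMPLE_BUNDLE = [pemOf('QUFB'), pemOf('QkJC'), pemOf('QUFB')].join('\n') + '\n';

// Split the concatenated PEM output into unique certificates.
function splitPemBundle(stdout) {
  const seen = new Set();
  return (stdout.match(PEM_RE) || [])
    .map((pem) => pem.replace(/\r\n/g, '\n'))
    .filter((pem) => !seen.has(pem) && seen.add(pem));
}

// macOS-only trust check (assumption: `security verify-cert` as the oracle).
// -p ssl evaluates the SSL policy, -l allows a CA certificate as the leaf,
// -L avoids network fetches, -q silences output. Exit status 0 means trusted.
function macVerifyCert(pem) {
  const cp = require('node:child_process');
  const fs = require('node:fs');
  const os = require('node:os');
  const path = require('node:path');
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'ca-check-'));
  const file = path.join(dir, 'cert.pem');
  try {
    fs.writeFileSync(file, pem + '\n', { mode: 0o600 });
    const args = ['verify-cert', '-c', file, '-p', 'ssl', '-l', '-L', '-q'];
    return cp.spawnSync('/usr/bin/security', args, { timeout: 10000 }).status === 0;
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

// Keep only certificates the check accepts. A check that throws counts as
// "not trusted" (fail closed), and rejected entries are returned for logging.
function partitionByTrust(pems, isTrusted = macVerifyCert) {
  const trusted = [];
  const rejected = [];
  for (const pem of pems) {
    let ok = false;
    try { ok = isTrusted(pem) === true; } catch { ok = false; }
    (ok ? trusted : rejected).push(pem);
  }
  return { trusted, rejected };
}
```

On macOS, `partitionByTrust(splitPemBundle(stdout))` with the default check returns the subset to pass on as CAs, plus the entries that were dropped.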