From fec14910dc20b5258061ec55d5ee9d5d6987f24e Mon Sep 17 00:00:00 2001
From: Daniel Szoke <daniel.szoke@sentry.io>
Date: Wed, 7 Jan 2026 11:32:09 +0100
Subject: [PATCH] fix: Support self-signed SSL certs in macOS keychain (arm64)
 (#3057)

### Description

Fix a regression introduced with the `curl-sys` dependency bump in [2.56.1](https://github.com/getsentry/sentry-cli/releases/tag/2.56.1); the dependency removed support for Secure Transport in libcurl, switching the default to OpenSSL, which was statically linked via the `static-ssl` feature flag. This statically-linked version lacks support for reading trusted certificates from the macOS Keychain.

In this PR, we swap the statically-linked curl (and statically linked OpenSSL) for dynamically linking libcurl on macOS only (keeping the statically linked libraries for other platforms). Since curl is built into macOS, introducing this runtime dependency hopefully will not break anyone. And, since the built-in libcurl does read certs from the macOS Keychain, this should fix the regression from version 2.56.1.

### Issues

- Resolves #3054
- Resolves [CLI-256](https://linear.app/getsentry/issue/CLI-256/self-signed-certificate-problem-since-2561)
---
 CHANGELOG.md | 6 ++++++
 Cargo.toml   | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b6da70b512..190386bf1e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## Unreleased
+
+### Fixes
+
+- Fixed a bug on ARM-based macOS systems that prevented Sentry CLI from respecting self-signed certificates trusted in the macOS keychain ([#3057](https://github.com/getsentry/sentry-cli/issues/3057)).
+
 ## 3.0.1
 
 ### Performance Improvements
diff --git a/Cargo.toml b/Cargo.toml
index e5a6abef89..b107ea4d4b 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -24,7 +24,7 @@ clap = { version = "4.1.6", default-features = false, features = [
 ] }
 clap_complete = "4.4.3"
 console = "0.15.5"
-curl = { version = "0.4.46", features = ["static-curl", "static-ssl"] }
+curl = { version = "0.4.46" }
 dirs = "4.0.0"
 dotenvy = "0.15.7"
 elementtree = "1.2.3"
@@ -127,6 +127,12 @@ openssl-probe = "0.1.5"
 [target."cfg(windows)".dependencies]
 windows-sys = { version = "0.59.0", features = ["Win32_Storage_FileSystem"] }
 
+# Use static curl/SSL on all platforms except ARM-based macOS.
+# We link dynamically on ARM macOS; that way we can support self-signed certificates
+# trusted in the macOS keychain.
+[target."cfg(not(all(target_os = \"macos\", target_arch = \"aarch64\")))".dependencies]
+curl = { version = "0.4.46", features = ["static-curl", "static-ssl"] }
+
 # We optimize the release build for size.
 [profile.release]
 opt-level = 2       # I obtained the smallest binary size with opt-level 2 on my system.