Support passing `--cert` and setting `cert` in `uv.toml`

[kohlrabi]

With the merge of #6591 it is now possible to trust hosts to disable certificate verification, but compared to pip the "other way" around, providing a valid cert, is still a bit a bit lacking. I know it's currently possible to set a path to a cert file using SSL_CERT_FILE, but I think it would be more in line with pip and more consistent if --cert CERTFILE could be passed on the command line, and uv.toml got an option to set the cert file as well.

[samypr100]

Possible dupe of https://github.com/astral-sh/uv/issues/6572

[DetachHead]

does native-tls work for your use case? https://github.com/astral-sh/uv/issues/6572#issuecomment-2594166728

[kohlrabi]

Thanks @DetachHead, I have not tried. I didn't add the cert to the OS store, I just have a file. I will try.

[ReveStobinson]

does native-tls work for your use case? #6572 (comment)

@DetachHead I think there definitely is a use case for a --cert argument and/or environment variable for configuring the certificates. If using self-signed enterprise CA and a locally hosted package store, you may not want to build the certs into the image, instead treating it as a docker secret for security purposes.

This is easily accomplished with pip by passing the cert as a secret (e.g. --mount=type=secret,id=certificate) and then telling pip where the cert is just for that command with --certs /run/secrets/certificate. To make this happen with uv currently requires either a multi-stage build that copies the .venv directory over to a bare image, or several extra commands per RUN command that performs a uv pip install.