task icon indicating copy to clipboard operation
task copied to clipboard
verified publisher icon go-task

Support self-signed certificates for remote taskfiles

Open pd93 opened this issue 7 months ago • 4 comments

Description

As reported in https://github.com/go-task/task/issues/1317#issuecomment-2848743078, Task cannot currently access remote taskfiles using self-signed certificates. We have the --insecure flag which allows you to access files over HTTP (no-tls), but no flag for skipping TLS verification over HTTPS or for specifying paths to a custom key/cert.

Here are some examples of equivalent flags in other popular CLI tools:

curl wget httpie task
Allow connections over HTTP allowed by default allowed by default allowed by default --insecure
No cert verification over HTTPS --insecure/-k --no-check-certificate --verify=no -
Custom CA cert path --cacert --ca-certificate --verify=<path> -
Custom cert path --cert/-E --certificate --cert -
Custom key path --key --private-key --cert-key -
Custom cert passphrase --pass * - --cert-key-pass -

* curl also allows you to specify a passphrase by --cert/-E <certificate[:password]>

Proposal

Since we already have the --insecure flag, I don't see the harm in reusing this to disable TLS verification for HTTPS requests. This keeps us consistent with cURL and means we don't have two flags that do similar things reducing confusion.

For custom certs, I propose we add the following flags:

  • --cacert for specifying a custom CA cert path
  • --cert for specifying a custom cert path
  • --cert-key for specifying a custom key path
  • --cert-key-pass for specifying a custom cert passphrase

This is a mix between the flags in cURL and HTTPie. I think the namespacing for the cert flags is important as it leaves scope to create other flags with similar names in the future (e.g. if something else might need a password). However, I think the --insecure and --cacert flags are more familiar (at least to me) and more intuitive than HTTPie's multiuse --verify.

cURL does have a bit of syntactic sugar in that you can specify the passphrase inside the --cert flag and it will also detect the key/cert in the same file. But this seems unnecessary for a first implementation.

pd93 avatar May 06 '25 08:05 pd93

As a windows user, one thing extremly important to me would be, that the standard windows certificate store is used (ideally by default).

As far as I know this should be the case in Go, but can be disabled as soon as custom CA settings are defined.

pfeigl avatar Jun 27 '25 08:06 pfeigl

@pd93, do you work on that? I would love to have this implemented, mostly the --insecure part. May I offer my help and create a PR for that?

maciej-lech avatar Dec 08 '25 10:12 maciej-lech

Hello @maciej-lech I've already opened a PR https://github.com/go-task/task/pull/2537

vmaerten avatar Dec 08 '25 17:12 vmaerten

@vmaerten great to hear. I'm looking forward to have it released

maciej-lech avatar Dec 08 '25 17:12 maciej-lech