[PR #1198] [MERGED] Fixed fallback certificates not working in certain classloader setups #937

New Issue

adam · 2025-12-30T01:27:51+01:00

adam commented

2025-12-30 01:27:51 +01:00

📋 Pull Request Information

Original PR: https://github.com/apple/pkl/pull/1198
Author: @netvl
Created: 9/4/2025
Status: ✅ Merged
Merged: 9/5/2025
Merged by: @bioball

Base: main ← Head: ca-classloading-fix

📝 Commits (1)

e35c104 Fixed fallback certificates not working in certain classloader setups

📊 Changes

1 file changed (+3 additions, -2 deletions)

View changed files

📝 pkl-commons-cli/src/main/kotlin/org/pkl/commons/cli/CliCommand.kt (+3 -2)

📄 Description

In the original implementation the org/pkl/commons/cli/PklCARoots.pem resource is resolved relatively to the classloader associated with the class returned by javaClass. However, since this is an extension method for HttpClient.Builder, it means calling javaClass on the builder instance, which is actually defined in the system classpath.

Because of this, if the Pkl class is loaded by a different classloader compared to the one which contains JDK classes, which is totally possible in certain scenarios (e.g. with Gradle), then this resource resolution will fail.

The solution is to resolve javaClass against this@CliCommand, to use the classloader which loaded the jar with the CliCommand class to find the CA resource.

Closes https://github.com/apple/pkl/issues/1199

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/apple/pkl/pull/1198 **Author:** [@netvl](https://github.com/netvl) **Created:** 9/4/2025 **Status:** ✅ Merged **Merged:** 9/5/2025 **Merged by:** [@bioball](https://github.com/bioball) **Base:** `main` ← **Head:** `ca-classloading-fix` --- ### 📝 Commits (1) - [`e35c104`](https://github.com/apple/pkl/commit/e35c1040b6a6625b6d4637cb31e972a99a8a2da9) Fixed fallback certificates not working in certain classloader setups ### 📊 Changes **1 file changed** (+3 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `pkl-commons-cli/src/main/kotlin/org/pkl/commons/cli/CliCommand.kt` (+3 -2) </details> ### 📄 Description In the original implementation the `org/pkl/commons/cli/PklCARoots.pem` resource is resolved relatively to the classloader associated with the class returned by `javaClass`. However, since this is an extension method for `HttpClient.Builder`, it means calling `javaClass` on the builder instance, which is actually defined in the system classpath. Because of this, if the Pkl class is loaded by a different classloader compared to the one which contains JDK classes, which is totally possible in certain scenarios (e.g. with Gradle), then this resource resolution will fail. The solution is to resolve `javaClass` against `this@CliCommand`, to use the classloader which loaded the jar with the `CliCommand` class to find the CA resource. Closes https://github.com/apple/pkl/issues/1199 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

adam added the pull-request label 2025-12-30 01:27:51 +01:00

adam closed this issue

2025-12-30 01:27:51 +01:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pkl#937