fix(tls): macOS 15+ 安装 CA 证书无需管理员权限

DASungta · claude · DASungta · commit 56528f7595f6 · 2026-04-17T12:06:14.000+08:00
移除 -d 和 -k /Library/Keychains/System.keychain 参数，
改为写入用户登录 Keychain，避免 macOS 15+ 的
SecTrustSettingsSetTrustSettings 授权报错。

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/internal/tls/ca.go b/internal/tls/ca.go
@@ -159,8 +159,13 @@ func NeedsRegeneration(dir string, domain string) bool {
 func InstallCA(caCertPath string) error {
 	switch runtime.GOOS {
 	case "darwin":
-		return elevatedExec("security", "add-trusted-cert", "-d", "-r", "trustRoot",
-			"-k", "/Library/Keychains/System.keychain", caCertPath)
+		// Install into the user login keychain — no admin privileges required.
+		// Omitting -d and -k /Library/Keychains/System.keychain avoids the
+		// SecTrustSettingsSetTrustSettings authorization error on macOS 15+.
+		cmd := exec.Command("security", "add-trusted-cert", "-r", "trustRoot", caCertPath)
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		return cmd.Run()
 	case "linux":
 		dest := "/usr/local/share/ca-certificates/trae-proxy.crt"
 		if err := elevatedExec("cp", caCertPath, dest); err != nil {
@@ -177,7 +182,10 @@ func InstallCA(caCertPath string) error {
 func UninstallCA(caCertPath string) error {
 	switch runtime.GOOS {
 	case "darwin":
-		return elevatedExec("security", "remove-trusted-cert", "-d", caCertPath)
+		cmd := exec.Command("security", "remove-trusted-cert", caCertPath)
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		return cmd.Run()
 	case "linux":
 		elevatedExec("rm", "-f", "/usr/local/share/ca-certificates/trae-proxy.crt")
 		return elevatedExec("update-ca-certificates", "--fresh")
