gitarcode · kayagokalp · Jan 25, 2026 · Jan 25, 2026
diff --git a/.changes/feat-bundler-platform-certs.md b/.changes/feat-bundler-platform-certs.md
@@ -0,0 +1,7 @@
+---
+"tauri-bundler": "minor:enhance"
+"tauri-cli": "minor:enhance"
+"@tauri-apps/cli": "minor:enhance"
+---
+
+The bundler and cli will now read TLS Certificates installed on the system when downloading tools and checking versions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/tauri-bundler/Cargo.toml b/crates/tauri-bundler/Cargo.toml
@@ -74,7 +74,8 @@ name = "tauri_bundler"
 path = "src/lib.rs"
 
 [features]
-default = ["rustls"]
+default = ["rustls", "platform-certs"]
 native-tls = ["ureq/native-tls"]
 native-tls-vendored = ["native-tls", "native-tls/vendored"]
 rustls = ["ureq/rustls"]
+platform-certs = ["ureq/platform-verifier"]
diff --git a/crates/tauri-bundler/src/bundle/windows/util.rs b/crates/tauri-bundler/src/bundle/windows/util.rs
@@ -4,11 +4,12 @@
 
 use std::{
   fs::create_dir_all,
+  io::Read,
   path::{Path, PathBuf},
 };
 use ureq::ResponseExt;
 
-use crate::utils::http_utils::download;
+use crate::utils::http_utils::{base_ureq_agent, download};
 
 pub const WEBVIEW2_BOOTSTRAPPER_URL: &str = "https://go.microsoft.com/fwlink/p/?LinkId=2124703";
 pub const WEBVIEW2_OFFLINE_INSTALLER_X86_URL: &str =
@@ -23,10 +24,7 @@ pub const WIX_OUTPUT_FOLDER_NAME: &str = "msi";
 pub const WIX_UPDATER_OUTPUT_FOLDER_NAME: &str = "msi-updater";
 
 pub fn webview2_guid_path(url: &str) -> crate::Result<(String, String)> {
-  let agent: ureq::Agent = ureq::Agent::config_builder()
-    .proxy(ureq::Proxy::try_from_env())
-    .build()
-    .into();
+  let agent = base_ureq_agent();
   let response = agent.head(url).call().map_err(Box::new)?;
   let final_url = response.get_uri().to_string();
   let remaining_url = final_url.strip_prefix(WEBVIEW2_URL_PREFIX).ok_or_else(|| {
@@ -64,7 +62,10 @@ pub fn download_webview2_offline_installer(base_path: &Path, arch: &str) -> crat
   let file_path = dir_path.join(filename);
   if !file_path.exists() {
     create_dir_all(dir_path)?;
-    std::fs::write(&file_path, download(url)?)?;
+    let response = ureq::get(url).call().map_err(Box::new)?;
+    let mut bytes = Vec::new();
+    response.into_body().into_reader().read_to_end(&mut bytes)?;
+    std::fs::write(&file_path, bytes)?;
   }
   Ok(file_path)
 }

diff --git a/crates/tauri-bundler/src/utils/http_utils.rs b/crates/tauri-bundler/src/utils/http_utils.rs
@@ -34,8 +34,7 @@ fn generate_github_mirror_url_from_base(github_url: &str) -> Option<String> {
   std::env::var("TAURI_BUNDLER_TOOLS_GITHUB_MIRROR")
     .ok()
     .and_then(|cdn| Url::parse(&cdn).ok())
-    .map(|mut cdn| {
-      cdn.set_path(github_url);
+    .map(|cdn| {
       cdn.to_string()
     })
 }
@@ -51,13 +50,26 @@ fn generate_github_alternative_url(url: &str) -> Option<(ureq::Agent, String)> {
 }
 
 fn create_agent_and_url(url: &str) -> (ureq::Agent, String) {
-  generate_github_alternative_url(url).unwrap_or((
-    ureq::Agent::config_builder()
-      .proxy(ureq::Proxy::try_from_env())
-      .build()
-      .into(),
-    url.to_owned(),
-  ))
+  generate_github_alternative_url(url).unwrap_or((base_ureq_agent(), url.to_owned()))
+}
+
+pub(crate) fn base_ureq_agent() -> ureq::Agent {
+  #[cfg(feature = "platform-certs")]
+  let agent: ureq::Agent = ureq::Agent::config_builder()
+    .tls_config(
+      ureq::tls::TlsConfig::builder()
+        .root_certs(ureq::tls::RootCerts::PlatformVerifier)
+        .build(),
+    )
+    .proxy(ureq::Proxy::try_from_env())
+    .build()
+    .into();
+  #[cfg(not(feature = "platform-certs"))]
+  let agent: ureq::Agent = ureq::Agent::config_builder()
+    .proxy(ureq::Proxy::try_from_env())
+    .build()
+    .into();
+  return agent;
 }
 
 #[allow(dead_code)]

diff --git a/crates/tauri-cli/Cargo.toml b/crates/tauri-cli/Cargo.toml
@@ -138,11 +138,12 @@ object = { version = "0.36", default-features = false, features = [
 ar = "0.9"
 
 [features]
-default = ["rustls"]
+default = ["rustls", "platform-certs"]
 native-tls = [
   "tauri-bundler/native-tls",
   "cargo-mobile2/native-tls",
   "ureq/native-tls",
 ]
 native-tls-vendored = ["native-tls", "tauri-bundler/native-tls-vendored"]
 rustls = ["tauri-bundler/rustls", "cargo-mobile2/rustls", "ureq/rustls"]
+platform-certs = ["tauri-bundler/platform-certs", "ureq/platform-verifier"]
diff --git a/crates/tauri-cli/src/helpers/cargo_manifest.rs b/crates/tauri-cli/src/helpers/cargo_manifest.rs
@@ -117,6 +117,19 @@ struct CrateIoGetResponse {
 pub fn crate_latest_version(name: &str) -> Option<String> {
   // Reference: https://github.com/rust-lang/crates.io/blob/98c83c8231cbcd15d6b8f06d80a00ad462f71585/src/controllers/krate/metadata.rs#L88
   let url = format!("https://crates.io/api/v1/crates/{name}?include");
+  #[cfg(feature = "platform-certs")]
+  let mut response = {
+    let agent = ureq::Agent::config_builder()
+      .tls_config(
+        ureq::tls::TlsConfig::builder()
+          .root_certs(ureq::tls::RootCerts::PlatformVerifier)
+          .build(),
+      )
+      .build()
+      .new_agent();
+    agent.get(&url).call().ok()?
+  };
+  #[cfg(not(feature = "platform-certs"))]
   let mut response = ureq::get(&url).call().ok()?;
   let metadata: CrateIoGetResponse =
     serde_json::from_reader(response.body_mut().as_reader()).unwrap();
@@ -178,7 +191,7 @@ pub fn crate_version(
       }
     }
 
-    if lock.is_some() && crate_lock_packages.is_empty() {
+    if lock.is_some() && !crate_lock_packages.is_empty() {
       let lock_version = crate_lock_packages
         .iter()
         .map(|p| p.version.clone())