From cc94794381c15937b8a11aa0e3de89852afcff5d Mon Sep 17 00:00:00 2001
From: dengbinbox
Date: Mon, 26 Jan 2026 11:59:59 +0800
Subject: [PATCH] feat: Add an option to skip TLS certificate verification.
---
 crates/oci-core/src/core/client.rs | 10 +++++++++-
 src/main.rs | 9 ++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/crates/oci-core/src/core/client.rs b/crates/oci-core/src/core/client.rs
index 6824da2..04c7880 100644
--- a/crates/oci-core/src/core/client.rs
+++ b/crates/oci-core/src/core/client.rs
@@ -25,6 +25,7 @@ const MAX_BLOB_RETRIES: usize = 2;
 #[derive(Clone, Default)]
 pub struct ClientConfig {
 pub user_agent: Option,
+ pub insecure_skip_tls_verify: bool,
 }

 fn env_flag(name: &str) -> bool {
@@ -72,12 +73,19 @@ pub struct Client {

 impl Client {
 pub fn new(config: ClientConfig) -> Self {
- let builder = reqwest::Client::builder().user_agent(
+ let mut builder = reqwest::Client::builder().user_agent(
 config
 .user_agent
 .clone()
 .unwrap_or_else(|| "docker-image-pusher/0.0".to_string()),
 );
+
+ // 如果配置了跳过 TLS 验证,则禁用证书验证
+ if config.insecure_skip_tls_verify {
+ eprintln!("[TLS] ⚠️ Warning: TLS certificate verification is disabled.(insecure mode)");
+ builder = builder.danger_accept_invalid_certs(true);
+ }
+
 let http = builder.build().expect("Failed to build client");
 Self {
 http,
diff --git a/src/main.rs b/src/main.rs
index dee8931..6d8e6ab 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -28,6 +28,10 @@ pub const GZIP_MAGIC_BYTES: [u8; 2] = [0x1F, 0x8B];
 about = "Stream large Docker/OCI images through a tiny local cache"
 )]
 struct Cli {
+ /// Skip TLS certificate verification (for self-signed certificates)
+ #[arg(long, global = true)]
+ insecure: bool,
+
 #[command(subcommand)]
 command: Commands,
 }
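Review bot: In `Client::new` (crates/oci-core/src/core/client.rs, second hunk), `danger_accept_invalid_certs(true)` switches off certificate validation for every request made through this client. A self-signed registry is accepted, but so is any host that answers in its place, and whatever the client sends (presumably registry credentials and image data) would go to that host. For the self-signed case the commit targets, verification can stay on by trusting one specific certificate: load a PEM supplied by the user with `reqwest::Certificate::from_pem` and register it with `builder.add_root_certificate(cert)`, keeping the blanket switch only as a last resort. The configuration field carrying that PEM would be new and is not part of this patch. The body of `new` continues past the end of the hunk.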
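Review bot: The help text added to `struct Cli` in src/main.rs describes `--insecure` as being "for self-signed certificates", which understates what the flag switches off. The value ends up in `danger_accept_invalid_certs(true)`, which accepts any certificate at all. Suggested doc comment: `/// Disable TLS certificate verification for all connections (unsafe: any server certificate is accepted)`. Since the argument is declared `global = true`, it applies to every subcommand, and the text could say so.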
@@ -140,7 +144,10 @@ impl PusherError {
 #[tokio::main]
 async fn main() -> Result<(), PusherError> {
 let cli = Cli::parse();
- let client = Client::new(ClientConfig::default());
+ let client = Client::new(ClientConfig {
+ user_agent: None,
+ insecure_skip_tls_verify: cli.insecure,
+ });

 match cli.command {
 Commands::Push {
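Review bot: The struct literal in `main` writes out `user_agent: None` by hand, which repeats the default and must be edited each time `ClientConfig` gains a field. `ClientConfig` derives `Default`, so `Client::new(ClientConfig { insecure_skip_tls_verify: cli.insecure, ..ClientConfig::default() })` states only the setting that differs. `main` continues past the end of the hunk, so any other place that constructs a `Client` is not visible here and should be checked to confirm it receives the same flag.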