bazelbuild/bazel

Bazel downloader should support `--tls_client_certificate` and `--tls_client_key`

Open

#26733 opened on Aug 9, 2025

View on GitHub
 (0 comments) (0 reactions) (0 assignees)Java (25,384 stars) (4,465 forks)batch import
P2help wantedteam-ExternalDepstype: feature request

Description

Description of the feature request:

The command line options --tls_client_certificate and --tls_client_key currently only work with Bazel remote cache and remote execution. They should also be supported by Bazel downloader to authenticate with a protected server.

The discussion https://github.com/bazelbuild/bazel/discussions/19560 discusses a workaround modifying the Bazel JVM and providing a special keystore. However, that's tedious and should be unnecessary given that the command line options already exist.

Which category does this issue belong to?

No response

What underlying problem are you trying to solve with this feature?

mTLS authentication to a protected server for all Bazel downloads/fetches

Which operating system are you running Bazel on?

No response

What is the output of bazel info release?

No response

If bazel info release returns development version or (@non-git), tell us how you built Bazel.

No response

What's the output of git remote get-url origin; git rev-parse HEAD ?

Have you found anything relevant by searching the web?

No response

Any other information, logs, or outputs that you want to share?

No response

Contributor guide

Tech stack
java
Domain
backendbuild systemsecurity
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
3-5 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
Bazel build system basicsJavaTLS/mTLS concepts
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
20
Research direction
Investigate how Bazel handles TLS client certificates for remote caching and execution (e.g., in RemoteOptions.java) and extend that support to the downloader module. Look at the Downloader class and the existing command line options. Also review the linked discussion at gh 19560 for context.