Fix systemcheck reporting all checks passed when CA is not trusted

checkCA only verified CA file existence, not system trust. After a new
install where the user skips CA installation, first-run said "Setup
incomplete" but systemcheck immediately said "All checks passed".

Author: ThomasLohner

CHANGELOG.md

@@ -1,3 +1,9 @@
+## v0.5.3
+
+### Bug Fixes
+
+- **Fix systemcheck reporting "All checks passed" when CA is not trusted** - `checkCA` only checked whether CA files exist, not whether the CA is trusted by the system. On a new install where the user skips CA installation, first-run would say "Setup incomplete" but systemcheck would say "All checks passed!" immediately after. Now systemcheck verifies trust status and reports "not trusted by system" with instructions to fix.
+
 ## v0.5.2
 
 ### Bug Fixes

cmd/systemcheck.go

@@ -195,7 +195,7 @@ func runSystemcheck(cmd *cobra.Command, args []string) error {
 
 	// Check local CA (only if mkcert is available)
 	if mkcertPath != "" {
-		issues += checkCA(ctx, mkcertPath)
+		issues += checkCA(ctx, mkcertPath, globalCfg)
 	}
 
 	// Check certificates
@@ -291,7 +291,7 @@ func checkMkcert(ctx context.Context, cfg *config.GlobalConfig) (string, int) {
 	return "", 1
 }
 
-func checkCA(ctx context.Context, mkcertPath string) int {
+func checkCA(ctx context.Context, mkcertPath string, cfg *config.GlobalConfig) int {
 	fmt.Print("Local CA:      ")
 
 	mkcert := tools.NewMkcert(mkcertPath)
@@ -314,6 +314,17 @@ func checkCA(ctx context.Context, mkcertPath string) int {
 		return 1
 	}
 
+	// CA files exist - also check if trusted by the system
+	certPath := filepath.Join(config.GetCertsDir(), ssl.CertFileName)
+	if _, err := os.Stat(certPath); err == nil {
+		trusted, err := mkcert.IsCATrusted(ctx, certPath)
+		if err == nil && !trusted {
+			fmt.Printf("%s (%s - not trusted by system)\n", statusText("MISSING"), caRoot)
+			fmt.Println("               Run 'scdev systemcheck --install-ca' to install")
+			return 1
+		}
+	}
+
 	fmt.Printf("%s (%s)\n", statusText("OK"), caRoot)
 	return 0
 }

internal/firstrun/firstrun.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"runtime"
 
 	"github.com/ScaleCommerce-DEV/scdev/internal/config"
 	"github.com/ScaleCommerce-DEV/scdev/internal/ssl"
@@ -126,7 +125,7 @@ func (m *Manager) RunSetup(ctx context.Context) (bool, error) {
 	// Step 4: Verify CA is trusted (by checking if cert is valid)
 	fmt.Println("[4/4] Verifying CA trust...")
 	if certPath != "" {
-		trusted, err := m.verifyCertTrust(ctx, certPath)
+		trusted, err := m.verifyCertTrust(ctx, mkcertPath, certPath)
 		if err != nil {
 			fmt.Printf("      Warning: could not verify trust: %v\n", err)
 		} else if trusted {
@@ -169,7 +168,7 @@ func (m *Manager) RunSetup(ctx context.Context) (bool, error) {
 			}
 
 			// Re-verify that CA is now trusted
-			trustedNow, err := m.verifyCertTrust(ctx, certPath)
+			trustedNow, err := m.verifyCertTrust(ctx, mkcertPath, certPath)
 			if err != nil || !trustedNow {
 				fmt.Println("      CA installation completed but verification still fails.")
 				fmt.Println("      You may need to restart your browser or system.")
@@ -266,23 +265,7 @@ func (m *Manager) ensureCertsWithPath(ctx context.Context, mkcertPath string) (b
 
 // verifyCertTrust checks if the certificate is trusted by the system
 // Returns (trusted, error)
-func (m *Manager) verifyCertTrust(ctx context.Context, certPath string) (bool, error) {
-	if runtime.GOOS == "darwin" {
-		// On macOS, use security verify-cert
-		_, err := tools.RunTool(ctx, "security", "verify-cert", "-c", certPath)
-		if err != nil {
-			// Verification failed - CA not trusted
-			return false, nil
-		}
-		return true, nil
-	}
-
-	// On Linux, use openssl verify against system trust store
-	// This will fail if the mkcert CA is not installed in the system
-	_, err := tools.RunTool(ctx, "openssl", "verify", certPath)
-	if err != nil {
-		// Verification failed - CA not in system trust store
-		return false, nil
-	}
-	return true, nil
+func (m *Manager) verifyCertTrust(ctx context.Context, mkcertPath, certPath string) (bool, error) {
+	mkcert := tools.NewMkcert(mkcertPath)
+	return mkcert.IsCATrusted(ctx, certPath)
 }

internal/tools/mkcert.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 
 	"github.com/ScaleCommerce-DEV/scdev/internal/config"
 )
@@ -101,6 +102,25 @@ func (m *Mkcert) GenerateCert(ctx context.Context, certPath, keyPath string, dom
 	return nil
 }
 
+// IsCATrusted checks if the mkcert CA is trusted by the system.
+// It does this by verifying the certificate at certPath against the system trust store.
+func (m *Mkcert) IsCATrusted(ctx context.Context, certPath string) (bool, error) {
+	if runtime.GOOS == "darwin" {
+		_, err := RunTool(ctx, "security", "verify-cert", "-c", certPath)
+		if err != nil {
+			return false, nil
+		}
+		return true, nil
+	}
+
+	// On Linux, use openssl verify against system trust store
+	_, err := RunTool(ctx, "openssl", "verify", certPath)
+	if err != nil {
+		return false, nil
+	}
+	return true, nil
+}
+
 // Version returns the mkcert version
 func (m *Mkcert) Version(ctx context.Context) (string, error) {
 	output, err := RunTool(ctx, m.binaryPath, "-version")