Go programs fail TLS verification through built-in proxy on macOS Tahoe (x509: OSStatus -26276)
Description
Go-based CLI tools (gh, flyctl, and likely all Go programs) fail with TLS certificate verification errors when their traffic is routed through Claude Code's built-in network proxy on macOS Tahoe (26.x).
The proxy itself works correctly — curl succeeds through it, and the proxy is not performing TLS interception (real upstream certs are visible). The issue is specific to Go's crypto/x509 package, which on macOS uses Security.framework for certificate verification and returns OSStatus -26276 (errSecNotTrusted) when connecting through the CONNECT-style HTTP proxy.
Error
tls: failed to verify certificate: x509: OSStatus -26276
Steps to Reproduce
- Run Claude Code on macOS Tahoe (26.x)
- From within a Claude Code session, run any Go-based CLI tool that makes HTTPS requests:
````
gh api user
# or
flyctl apps list
- Both fail with the
x509: OSStatus -26276error
Expected Behavior
Go programs should be able to verify TLS certificates when connecting through Claude Code's built-in proxy, just as curl can.
Workaround
Run gh/flyctl in a separate terminal outside of Claude Code, where the proxy env vars are not set.
Environment
| Component | Version |
|-----------|---------|
| Claude Code | 2.1.207 |
| macOS | 26.5 (Tahoe), Build 25F71 |
| Architecture | arm64 (Apple Silicon) |
| gh | 2.93.0 (compiled with Go 1.26.3) |
| flyctl | 0.4.69 (compiled with Go 1.26.5) |
Diagnostic Details
- The proxy runs on
localhost:60615(PID is Claude Code itself) - Proxy uses HTTP CONNECT tunneling (not TLS interception) —
curl -vshows real upstream certs (e.g. Sectigo for github.com) curlthrough the proxy returns HTTP 200 successfully- Bypassing the proxy (
HTTPS_PROXY="" gh ...) eliminates the TLS error but hits the sandbox'soperation not permittedon direct connections, confirming the proxy is required SSL_CERT_FILEandGODEBUG=x509usefallbackroots=1have no effect — Go 1.26 on macOS uses Security.framework exclusively- No custom/intercepting CA certificates are installed in the system keychain