add --cert for cli

[Tyler-Hardin]

I use mTLS for my self hosted server. Would appreciate if you would include support in mainline. Let me know if you see any changes you'd like. Included changes:

• --cert flag
• env var NTFY_CERT
• client config keys cert-file and cert-password

I went with software.sslmate.com/src/go-pkcs12 for pkcs12/cert parsing because the std lib doesn't support sha2, which is standard now.

Thanks for your work on this. Very neat project!

Full disclosure, I used Claude for this. I'm a dev myself, but little experience in Go. I mostly work in Python and Rust. But I reviewed the changes and they do seem sensible to me.

[binwiederhier]

Thanks for the PR. Happy to support mTLS, but I don't want to add another library for that. I highly doubt that the stdlib is not supporting sha256+512 and such.

[Tyler-Hardin]

golang/go#22163

Seems like they stopped developing the main lib almost a decade ago.

Grok confirms: https://grok.com/share/bGVnYWN5LWNvcHk_08dce699-f933-483f-83f3-2d2f230d7408

[Tyler-Hardin]

From the lib I used:

This package is forked from golang.org/x/crypto/pkcs12, which is frozen

https://github.com/SSLMate/go-pkcs12

[binwiederhier]

Don't believe Grok ;-) Friends don't let friends use Grok.

Here's a version from ChatGPT using the stdlib, prompted on my phone:
https://chatgpt.com/share/69a62512-2c84-800d-be5a-75516a4eee58

I have personally used mTLS in Go using just the stdlib. SHA-256 + SHA-512 are standards. Of course Go supports that.

[Tyler-Hardin]

Isn't that a bit of a downgrade? p12 is the standard for mTLS because it encapsulates everything in one file and can be password protected. That's 3 flags/config lines and no password protection possible (PEM is plaintext).

Ask gpt what the standard way to import a p12 is in Go. I quit using it due to the Dept of War deal.