Omly pass --cert when using known registry

test/e2e/pip.e2e.spec.js

@@ -262,4 +262,29 @@ describe("E2E: pip coverage", () => {
     );
   });
 
+  it(`pip3 can install from alternate PyPI mirror (tunneled, not MITM)`, async () => {
+    const shell = await container.openShell("zsh");
+    // Use Tsinghua PyPI mirror which is NOT in knownPipRegistries
+    // This tests tunneled HTTPS with --cert containing only Safe Chain CA
+    // If the CA bundle doesn't include public roots, this will fail with CERTIFICATE_VERIFY_FAILED
+    const result = await shell.runCommand('pip3 install --break-system-packages --index-url https://pypi.tuna.tsinghua.edu.cn/simple certifi');
+
+    assert.ok(
+      result.output.includes("no malicious packages found."),
+      `Output did not include expected text. Output was:\n${result.output}`
+    );
+
+    // Should succeed if CA bundle properly handles tunneled hosts
+    assert.ok(
+      result.output.includes("Successfully installed") || result.output.includes("Requirement already satisfied"),
+      `Installation from PyPI mirror failed. This may indicate --cert CA bundle lacks public roots. Output was:\n${result.output}`
+    );
+
+    // Should NOT contain certificate verification errors
+    assert.ok(
+      !result.output.match(/SSL|certificate verify failed|CERTIFICATE_VERIFY_FAILED/i),
+      `Should not have SSL/certificate errors for tunneled hosts. Output was:\n${result.output}`
+    );
+  });
+
 });