pub fn native_roots() -> Result<Arc<RootCertStore>, NativeRootsError>Expand description
Return the cached system trust store, loading it on first call.
Concurrent first calls are serialised by the OnceLock barrier,
so the OS keychain sees exactly one load attempt per process even
under reload pressure that builds many fingerprints in parallel.
Subsequent calls are lock-free: they read the current snapshot
through ArcSwap and clone the inner Arc<RootCertStore>.
ยงErrors
Surfaces the most recently observed load outcome. A failed first
load remains sticky until refresh_native_roots succeeds.