From 7f54793c49c19fc49aea812ab1d8e0a0f8a68f0a Mon Sep 17 00:00:00 2001
From: Bo Anderson
Date: Wed, 20 Oct 2021 15:51:58 +0100
Subject: [PATCH 1/2] shims/shared/curl: pass both --cafile and --capath to override defaults
---
 Library/Homebrew/shims/shared/curl | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/Library/Homebrew/shims/shared/curl b/Library/Homebrew/shims/shared/curl
index f163423579..cab048b624 100755
--- a/Library/Homebrew/shims/shared/curl
+++ b/Library/Homebrew/shims/shared/curl
@@ -13,6 +13,25 @@ fi
 source "${HOMEBREW_LIBRARY}/Homebrew/shims/utils.sh"
+# SSL_CERT_FILE alone does not clear the CAPath setting.
+set_certs=0
+if [[ -n "${SSL_CERT_FILE}" ]]
+then
+ set_certs=1
+ for arg in "$@"
+ do
+ if [[ "${arg}" =~ --ca(cert|path) ]]
+ then
+ # User passed their own settings - don't use ours!
+ set_certs=0
+ fi
+ done
+fi
+if [[ ${set_certs} -eq 1 ]]
+then
+ set -- "--cacert" "${SSL_CERT_FILE}" "--capath" "$(dirname "${SSL_CERT_FILE}")" "$@"
+fi
+
 try_exec_non_system "${HOMEBREW_CURL:-curl}" "$@"
 safe_exec "/usr/bin/curl" "$@"
From 865c31a166ce4e028311bb5d27368d9064f0436b Mon Sep 17 00:00:00 2001
From: Bo Anderson
Date: Wed, 20 Oct 2021 15:52:17 +0100
Subject: [PATCH 2/2] Set GIT_SSL_CAPATH to override default
---
 Library/Homebrew/brew.sh | 1 +
 Library/Homebrew/formula_installer.rb | 1 +
 2 files changed, 2 insertions(+)
diff --git a/Library/Homebrew/brew.sh b/Library/Homebrew/brew.sh
index 1882894732..5d011b3210 100644
--- a/Library/Homebrew/brew.sh
+++ b/Library/Homebrew/brew.sh
@@ -573,6 +573,7 @@ setup_ca_certificates() {
 then
 export SSL_CERT_FILE="${HOMEBREW_PREFIX}/etc/ca-certificates/cert.pem"
 export GIT_SSL_CAINFO="${HOMEBREW_PREFIX}/etc/ca-certificates/cert.pem"
+ export GIT_SSL_CAPATH="${HOMEBREW_PREFIX}/etc/ca-certificates"
 fi
 }
 setup_ca_certificates
diff --git a/Library/Homebrew/formula_installer.rb b/Library/Homebrew/formula_installer.rb
index 0fbee44fca..98e8b86834 100644
--- a/Library/Homebrew/formula_installer.rb
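Review bot: In `Library/Homebrew/shims/shared/curl`, the added `--capath "$(dirname "${SSL_CERT_FILE}")"` turns the whole directory that holds the bundle into a certificate lookup directory, and the shim takes `SSL_CERT_FILE` from whatever environment it is started in. With an OpenSSL-backed curl, any hash-named certificate in that directory would then be trusted alongside the bundle, so the directory needs the same write protection as the bundle itself; a comment saying so would help, for example `# --capath makes the bundle's directory a trust store too; it must be as protected as the bundle.` Separately, the override check `=~ --ca(cert|path)` is unanchored, so an argument that merely contains that text (a URL or header value, say) silently drops the pinned bundle. An exact comparison such as `if [[ "${arg}" == "--cacert" || "${arg}" == "--capath" ]]` avoids that. The script begins above this hunk, so anything that sanitises `SSL_CERT_FILE` earlier is not visible here.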
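Review bot: The new `export GIT_SSL_CAPATH=...` line in `setup_ca_certificates` (`Library/Homebrew/brew.sh`) has no comment explaining why a directory is exported next to `GIT_SSL_CAINFO`; the reason is given only in the commit title. A line such as `# GIT_SSL_CAINFO alone does not replace git's default CA path, so override that as well.` would match the comment this series adds to the curl shim. The `if` condition guarding these exports lies outside the hunk, so it cannot be seen whether a `GIT_SSL_CAPATH` already set by the user is kept or overwritten; if it is overwritten, the comment should say so. The same missing comment applies to the `ENV["GIT_SSL_CAPATH"]` line added in `formula_installer.rb`.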
+++ b/Library/Homebrew/formula_installer.rb
@@ -800,6 +800,7 @@ class FormulaInstaller
 if formula.name == "ca-certificates" && !DevelopmentTools.ca_file_handles_most_https_certificates?
 ENV["SSL_CERT_FILE"] = ENV["GIT_SSL_CAINFO"] = formula.pkgetc/"cert.pem"
+ ENV["GIT_SSL_CAPATH"] = formula.pkgetc
 end
 # use installed curl when it's needed and available
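Review bot: `ENV["GIT_SSL_CAPATH"] = formula.pkgetc` stores what looks like a path object rather than a string, as the existing line above it does with `formula.pkgetc/"cert.pem"`. Plain Ruby's `ENV[]=` accepts only strings, so both lines presumably rely on a conversion defined elsewhere in the project. Writing `ENV["GIT_SSL_CAPATH"] = formula.pkgetc.to_s` would make the new line independent of that and make it plain that a directory path string is exported. The enclosing method starts and ends outside the hunk.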