Merge pull request #12275 from Bo98/curl-capath

shims/shared/curl: pass both `--cafile` and `--capath` to override default

Library/Homebrew/brew.sh

@@ -551,6 +551,7 @@ setup_ca_certificates() {
   then
     export SSL_CERT_FILE="${HOMEBREW_PREFIX}/etc/ca-certificates/cert.pem"
     export GIT_SSL_CAINFO="${HOMEBREW_PREFIX}/etc/ca-certificates/cert.pem"
+    export GIT_SSL_CAPATH="${HOMEBREW_PREFIX}/etc/ca-certificates"
   fi
 }
 setup_ca_certificates

Library/Homebrew/formula_installer.rb

@@ -802,6 +802,7 @@ class FormulaInstaller
     if formula.name == "ca-certificates" &&
        !DevelopmentTools.ca_file_handles_most_https_certificates?
       ENV["SSL_CERT_FILE"] = ENV["GIT_SSL_CAINFO"] = formula.pkgetc/"cert.pem"
+      ENV["GIT_SSL_CAPATH"] = formula.pkgetc
     end
 
     # use installed curl when it's needed and available

Library/Homebrew/shims/shared/curl

@@ -13,6 +13,25 @@ fi
 
 source "${HOMEBREW_LIBRARY}/Homebrew/shims/utils.sh"
 
+# SSL_CERT_FILE alone does not clear the CAPath setting.
+set_certs=0
+if [[ -n "${SSL_CERT_FILE}" ]]
+then
+  set_certs=1
+  for arg in "$@"
+  do
+    if [[ "${arg}" =~ --ca(cert|path) ]]
+    then
+      # User passed their own settings - don't use ours!
+      set_certs=0
+    fi
+  done
+fi
+if [[ ${set_certs} -eq 1 ]]
+then
+  set -- "--cacert" "${SSL_CERT_FILE}" "--capath" "$(dirname "${SSL_CERT_FILE}")" "$@"
+fi
+
 try_exec_non_system "${HOMEBREW_CURL:-curl}" "$@"
 safe_exec "/usr/bin/curl" "$@"