Use --insecure to download ca-certificates source where necessary

Library/Homebrew/download_strategy.rb

@@ -544,6 +544,15 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
 
     args += [meta[:header], meta[:headers]].flatten.compact.flat_map { |h| ["--header", h.strip] }
 
+    if meta[:insecure]
+      unless @insecure_warning_shown
+        opoo "Using --insecure with curl to download `ca-certificates` " \
+             "because we need it installed to download securely."
+        @insecure_warning_shown = true
+      end
+      args += ["--insecure"] if meta[:insecure]
+    end
+
     args
   end
 

Library/Homebrew/resource.rb

@@ -42,6 +42,11 @@ class Resource
   def owner=(owner)
     @owner = owner
     patches.each { |p| p.owner = owner }
+
+    return if !owner.respond_to?(:full_name) || owner.full_name != "ca-certificates"
+    return if Homebrew::EnvConfig.no_insecure_redirect?
+
+    @specs[:insecure] = !specs[:bottle] && !DevelopmentTools.ca_file_handles_most_https_certificates?
   end
 
   def downloader
@@ -170,10 +175,14 @@ class Resource
   def url(val = nil, **specs)
     return @url if val.nil?
 
+    specs = specs.dup
+    # Don't allow this to be set.
+    specs.delete(:insecure)
+
     @url = val
-    @specs.merge!(specs)
-    @using = @specs.delete(:using)
+    @using = specs.delete(:using)
     @download_strategy = DownloadStrategyDetector.detect(url, using)
+    @specs.merge!(specs)
     @downloader = nil
   end
 

Library/Homebrew/software_spec.rb

@@ -310,8 +310,8 @@ class Bottle
   def initialize(formula, spec, tag = nil)
     @name = formula.name
     @resource = Resource.new
-    @resource.owner = formula
     @resource.specs[:bottle] = true
+    @resource.owner = formula
     @spec = spec
 
     tag_spec = spec.tag_specification_for(Utils::Bottles.tag(tag))