api: ignore HTTPS errors if minimum curl version isn't installed

2023-10-04 22:24:57 -04:00 · 2023-10-04 22:24:57 -04:00 · 8646b2cf1f
commit 8646b2cf1f
parent ec5ad356a3
4 changed files with 25 additions and 10 deletions
--- a/Library/Homebrew/api.rb
+++ b/Library/Homebrew/api.rb
@ -54,9 +54,8 @@ module Homebrew
        --speed-time #{ENV.fetch("HOMEBREW_CURL_SPEED_TIME")}
      ]

-      insecure_download = (ENV["HOMEBREW_SYSTEM_CA_CERTIFICATES_TOO_OLD"].present? ||
-                           ENV["HOMEBREW_FORCE_BREWED_CA_CERTIFICATES"].present?) &&
-                          !(HOMEBREW_PREFIX/"etc/ca-certificates/cert.pem").exist?
+      insecure_download = DevelopmentTools.ca_file_substitution_required? ||
+                          DevelopmentTools.curl_substitution_required?
      skip_download = target.exist? &&
                      !target.empty? &&
                      (!Homebrew.auto_update_command? ||
@ -69,9 +68,7 @@ module Homebrew
          args = curl_args.dup
          args.prepend("--time-cond", target.to_s) if target.exist? && !target.empty?
          if insecure_download
-            opoo "Using --insecure with curl to download #{endpoint} " \
-                 "because we need it to run `brew install ca-certificates`. " \
-                 "Checksums will still be verified."
+            opoo DevelopmentTools.insecure_download_warning(endpoint)
            args.append("--insecure")
          end
          unless skip_download
--- a/Library/Homebrew/development_tools.rb
+++ b/Library/Homebrew/development_tools.rb
@ -36,6 +36,14 @@ class DevelopmentTools
      installation_instructions
    end

+    sig { params(resource: String).returns(String) }
+    def insecure_download_warning(resource)
+      package = curl_handles_most_https_certificates? ? "ca-certificates" : "curl"
+      "Using `--insecure` with curl to download #{resource} because we need it to run " \
+        "`brew install #{package}` in order to download securely from now on. " \
+        "Checksums will still be verified."
+    end
+
    sig { returns(Symbol) }
    def default_compiler
      :clang
@ -123,6 +131,17 @@ class DevelopmentTools
      true
    end

+    sig { returns(T::Boolean) }
+    def ca_file_substitution_required?
+      (!ca_file_handles_most_https_certificates? || ENV["HOMEBREW_FORCE_BREWED_CA_CERTIFICATES"].present?) &&
+        !(HOMEBREW_PREFIX/"etc/ca-certificates/cert.pem").exist?
+    end
+
+    sig { returns(T::Boolean) }
+    def curl_substitution_required?
+      !curl_handles_most_https_certificates? && !HOMEBREW_BREWED_CURL_PATH.exist?
+    end
+
    sig { returns(T::Boolean) }
    def subversion_handles_most_https_certificates?
      true
--- a/Library/Homebrew/download_strategy.rb
+++ b/Library/Homebrew/download_strategy.rb
@ -577,9 +577,7 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy

    if meta[:insecure]
      unless @insecure_warning_shown
-        opoo "Using --insecure with curl to download `ca-certificates` " \
-             "because we need it installed to download securely from now on. " \
-             "Checksums will still be verified."
+        opoo DevelopmentTools.insecure_download_warning("an updated certificates file")
        @insecure_warning_shown = true
      end
      args += ["--insecure"]
--- a/Library/Homebrew/resource.rb
+++ b/Library/Homebrew/resource.rb
@ -56,7 +56,8 @@ class Resource < Downloadable
    return if !owner.respond_to?(:full_name) || owner.full_name != "ca-certificates"
    return if Homebrew::EnvConfig.no_insecure_redirect?

-    @insecure = !specs[:bottle] && !DevelopmentTools.ca_file_handles_most_https_certificates?
+    @insecure = !specs[:bottle] && (DevelopmentTools.ca_file_substitution_required? ||
+                                    DevelopmentTools.curl_substitution_required?)
    return if @url.nil?

    specs = if @insecure