From 8646b2cf1f7e145549778683f4660082ccd26672 Mon Sep 17 00:00:00 2001
From: Eric Knibbe
Date: Wed, 4 Oct 2023 22:24:57 -0400
Subject: [PATCH] api: ignore HTTPS errors if minimum curl version isn't installed
---
 Library/Homebrew/api.rb | 9 +++------
 Library/Homebrew/development_tools.rb | 19 +++++++++++++++++++
 Library/Homebrew/download_strategy.rb | 4 +---
 Library/Homebrew/resource.rb | 3 ++-
 4 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/Library/Homebrew/api.rb b/Library/Homebrew/api.rb
index 0eed2e0809..db13468e4f 100644
--- a/Library/Homebrew/api.rb
+++ b/Library/Homebrew/api.rb
@@ -54,9 +54,8 @@ module Homebrew
 --speed-time #{ENV.fetch("HOMEBREW_CURL_SPEED_TIME")}
 ]
- insecure_download = (ENV["HOMEBREW_SYSTEM_CA_CERTIFICATES_TOO_OLD"].present? ||
- ENV["HOMEBREW_FORCE_BREWED_CA_CERTIFICATES"].present?) &&
- !(HOMEBREW_PREFIX/"etc/ca-certificates/cert.pem").exist?
+ insecure_download = DevelopmentTools.ca_file_substitution_required? ||
+ DevelopmentTools.curl_substitution_required?
 skip_download = target.exist? &&
 !target.empty? &&
 (!Homebrew.auto_update_command? ||
@@ -69,9 +68,7 @@ module Homebrew
 args = curl_args.dup
 args.prepend("--time-cond", target.to_s) if target.exist? && !target.empty?
 if insecure_download
- opoo "Using --insecure with curl to download #{endpoint} " \
- "because we need it to run `brew install ca-certificates`. " \
- "Checksums will still be verified."
+ opoo DevelopmentTools.insecure_download_warning(endpoint)
 args.append("--insecure")
 end
 unless skip_download
diff --git a/Library/Homebrew/development_tools.rb b/Library/Homebrew/development_tools.rb
index 90254d2715..e51496d597 100644
--- a/Library/Homebrew/development_tools.rb
+++ b/Library/Homebrew/development_tools.rb
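Review bot: The new `insecure_download` condition in the `@@ -54,9 +54,8 @@` hunk of `api.rb` makes every API fetch run with `--insecure` whenever `curl_substitution_required?` is true, and nothing visible here lets a user refuse that, whereas `resource.rb` in this same patch returns early on `Homebrew::EnvConfig.no_insecure_redirect?` before it sets `@insecure`. If that setting is meant to cover this path as well, follow the assignment with `insecure_download &&= !Homebrew::EnvConfig.no_insecure_redirect?`. A comment above the assignment such as `# certificate verification is skipped only until the brewed ca-certificates/curl are installed` would also explain why `args.append("--insecure")` in the following hunk is reached. The enclosing method starts and ends outside both hunks.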
@@ -36,6 +36,14 @@ class DevelopmentTools
 installation_instructions
 end
+ sig { params(resource: String).returns(String) }
+ def insecure_download_warning(resource)
+ package = curl_handles_most_https_certificates? ? "ca-certificates" : "curl"
+ "Using `--insecure` with curl to download #{resource} because we need it to run " \
+ "`brew install #{package}` in order to download securely from now on. " \
+ "Checksums will still be verified."
+ end
+
 sig { returns(Symbol) }
 def default_compiler
 :clang
@@ -123,6 +131,17 @@ class DevelopmentTools
 true
 end
+ sig { returns(T::Boolean) }
+ def ca_file_substitution_required?
+ (!ca_file_handles_most_https_certificates? || ENV["HOMEBREW_FORCE_BREWED_CA_CERTIFICATES"].present?) &&
+ !(HOMEBREW_PREFIX/"etc/ca-certificates/cert.pem").exist?
+ end
+
+ sig { returns(T::Boolean) }
+ def curl_substitution_required?
+ !curl_handles_most_https_certificates? && !HOMEBREW_BREWED_CURL_PATH.exist?
+ end
+
 sig { returns(T::Boolean) }
 def subversion_handles_most_https_certificates?
 true
diff --git a/Library/Homebrew/download_strategy.rb b/Library/Homebrew/download_strategy.rb
index dab1de1465..d23dd2e98b 100644
--- a/Library/Homebrew/download_strategy.rb
+++ b/Library/Homebrew/download_strategy.rb
@@ -577,9 +577,7 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
 if meta[:insecure]
 unless @insecure_warning_shown
- opoo "Using --insecure with curl to download `ca-certificates` " \
- "because we need it installed to download securely from now on. " \
- "Checksums will still be verified."
+ opoo DevelopmentTools.insecure_download_warning("an updated certificates file")
 @insecure_warning_shown = true
 end
 args += ["--insecure"]
diff --git a/Library/Homebrew/resource.rb b/Library/Homebrew/resource.rb
index 013565b5ed..07731fefbe 100644
--- a/Library/Homebrew/resource.rb
+++ b/Library/Homebrew/resource.rb
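Review bot: The sentence `Checksums will still be verified.` is hard-coded in `insecure_download_warning`, yet the helper is now called from `api.rb` with an API endpoint as well as from `download_strategy.rb`, and nothing in this patch shows a checksum being applied to the endpoint download. Either confirm which integrity check covers that payload and name it in the message, or let each caller supply the closing sentence. The `package` choice also names only `curl` whenever `curl_handles_most_https_certificates?` is false, even if the CA file needs replacing too; a comment such as `# names curl first when both curl and the CA file need replacing` would make that ordering deliberate rather than accidental.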
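Review bot: `ca_file_substitution_required?` and `curl_substitution_required?` in the `@@ -123,6 +131,17 @@` hunk decide when curl runs without certificate verification, but neither carries a comment saying so. I would add above the first `# True while etc/ca-certificates/cert.pem is missing and the system CA file is inadequate or HOMEBREW_FORCE_BREWED_CA_CERTIFICATES is set; callers then pass --insecure.` and above the second `# True while curl cannot handle most HTTPS certificates and nothing exists at HOMEBREW_BREWED_CURL_PATH.` As written, setting `HOMEBREW_FORCE_BREWED_CA_CERTIFICATES` enables unverified downloads until `cert.pem` exists, which is worth stating wherever that variable is documented. `curl_substitution_required?` tests only `exist?`, so a present but unusable brewed curl turns verification back on and the download fails instead of falling back; that looks like the safer direction, but please confirm it is intended.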
@@ -56,7 +56,8 @@ class Resource < Downloadable
 return if !owner.respond_to?(:full_name) || owner.full_name != "ca-certificates"
 return if Homebrew::EnvConfig.no_insecure_redirect?
- @insecure = !specs[:bottle] && !DevelopmentTools.ca_file_handles_most_https_certificates?
+ @insecure = !specs[:bottle] && (DevelopmentTools.ca_file_substitution_required? ||
+ DevelopmentTools.curl_substitution_required?)
 return if @url.nil?
 specs = if @insecure
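Review bot: The expression `DevelopmentTools.ca_file_substitution_required? || DevelopmentTools.curl_substitution_required?` now appears both here and in `api.rb`, so the two places that switch curl to `--insecure` can drift apart when one of them is edited later. A single predicate on `DevelopmentTools` returning this disjunction, called from both sites, would keep the decision in one reviewed place. The `curl_substitution_required?` term also widens when the `ca-certificates` resource is fetched without verification, since it now applies even where the CA file itself is adequate; a comment such as `# also applies when curl itself cannot validate most HTTPS certificates` above the assignment would record that this is deliberate. The method body continues outside the hunk.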