Merge pull request #12167 from Bo98/brewed-curl-old-macos

Install and use Homebrew's `ca-certificates` on macOS <= 10.15.5
Bo Anderson 2021-10-04 05:29:57 +01:00 committed by GitHub
commit ebc0783c5f
10 changed files with 70 additions and 7 deletions


@ -433,6 +433,20 @@ then
printf "\\n" >&2 printf "\\n" >&2
fi fi
# Versions before Sierra don't handle custom cert files correctly, so need a full brewed curl.
if [[ "${HOMEBREW_MACOS_VERSION_NUMERIC}" -lt "101200" ]]
then
HOMEBREW_SYSTEM_CURL_TOO_OLD="1"
HOMEBREW_FORCE_BREWED_CURL="1"
fi
# The system libressl has a bug before macOS 10.15.6 where it incorrectly handles expired roots.
if [[ -z "${HOMEBREW_SYSTEM_CURL_TOO_OLD}" && "${HOMEBREW_MACOS_VERSION_NUMERIC}" -lt "101506" ]]
then
HOMEBREW_SYSTEM_CA_CERTIFICATES_TOO_OLD="1"
HOMEBREW_FORCE_BREWED_CA_CERTIFICATES="1"
fi
# The system Git on macOS versions before Sierra is too old for some Homebrew functionality we rely on. # The system Git on macOS versions before Sierra is too old for some Homebrew functionality we rely on.
HOMEBREW_MINIMUM_GIT_VERSION="2.14.3" HOMEBREW_MINIMUM_GIT_VERSION="2.14.3"
if [[ "${HOMEBREW_MACOS_VERSION_NUMERIC}" -lt "101200" ]] if [[ "${HOMEBREW_MACOS_VERSION_NUMERIC}" -lt "101200" ]]
@ -534,6 +548,12 @@ Your Git executable: $(unset git && type -p ${HOMEBREW_GIT})"
fi fi
fi fi
if [[ -n "${HOMEBREW_FORCE_BREWED_CA_CERTIFICATES}" && -f "${HOMEBREW_PREFIX}/etc/ca-certificates/cert.pem" ]]
then
export SSL_CERT_FILE="${HOMEBREW_PREFIX}/etc/ca-certificates/cert.pem"
export GIT_SSL_CAINFO="${HOMEBREW_PREFIX}/etc/ca-certificates/cert.pem"
fi
# A bug in the auto-update process prior to 3.1.2 means $HOMEBREW_BOTTLE_DOMAIN # A bug in the auto-update process prior to 3.1.2 means $HOMEBREW_BOTTLE_DOMAIN
# could be passed down with the default domain. # could be passed down with the default domain.
# This is problematic as this is will be the old bottle domain. # This is problematic as this is will be the old bottle domain.
@ -571,6 +591,7 @@ export HOMEBREW_DEFAULT_TEMP
export HOMEBREW_TEMP export HOMEBREW_TEMP
export HOMEBREW_CELLAR export HOMEBREW_CELLAR
export HOMEBREW_SYSTEM export HOMEBREW_SYSTEM
export HOMEBREW_SYSTEM_CA_CERTIFICATES_TOO_OLD
export HOMEBREW_CURL export HOMEBREW_CURL
export HOMEBREW_CURL_WARNING export HOMEBREW_CURL_WARNING
export HOMEBREW_SYSTEM_CURL_TOO_OLD export HOMEBREW_SYSTEM_CURL_TOO_OLD
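Review bot: The new export block at `if [[ -n "${HOMEBREW_FORCE_BREWED_CA_CERTIFICATES}" && -f ".../etc/ca-certificates/cert.pem" ]]` silently falls through to the system trust store when the variable is set but the bundle is missing, so a user on an affected 10.15.5 system (or one who set the variable by hand) gets no indication that the workaround is not active, whereas the curl path has a dedicated warning variable. Consider an `else` branch that records a warning for later display, e.g. `HOMEBREW_CA_CERTIFICATES_WARNING="Homebrew's ca-certificates was requested but ${HOMEBREW_PREFIX}/etc/ca-certificates/cert.pem is missing; using the system CA store."`. Since `SSL_CERT_FILE`/`GIT_SSL_CAINFO` replace the trust anchors for every HTTPS request brew and git make, a one-line comment above the export noting that the bundle lives in the (normally user-writable) prefix and is trusted to the same degree as the brew code itself would help future readers judge the trust boundary. The 10.15.6 comment above could also say what the brewed bundle changes (presumably it omits the expired root), so the threshold can be revisited when Apple's LibreSSL is no longer a concern.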


@ -383,11 +383,21 @@ user account:
EOS EOS
fi fi
# we may want to use Homebrew CA certificates
if [[ -n "${HOMEBREW_FORCE_BREWED_CA_CERTIFICATES}" && ! -f "${HOMEBREW_PREFIX}/etc/ca-certificates/cert.pem" ]]
then
# we cannot install Homebrew CA certificates if homebrew/core is unavailable.
if [[ -d "${HOMEBREW_LIBRARY}/Taps/homebrew/homebrew-core" || -n "${HOMEBREW_INSTALL_FROM_API}" ]]
then
brew install ca-certificates || true
fi
fi
# we may want to use a Homebrew curl # we may want to use a Homebrew curl
if [[ -n "${HOMEBREW_FORCE_BREWED_CURL}" && ! -x "${HOMEBREW_PREFIX}/opt/curl/bin/curl" ]] if [[ -n "${HOMEBREW_FORCE_BREWED_CURL}" && ! -x "${HOMEBREW_PREFIX}/opt/curl/bin/curl" ]]
then then
# we cannot install a Homebrew cURL if homebrew/core is unavailable. # we cannot install a Homebrew cURL if homebrew/core is unavailable.
if [[ ! -d "${HOMEBREW_LIBRARY}/Taps/homebrew/homebrew-core" ]] || ! brew install curl if [[ ! -d "${HOMEBREW_LIBRARY}/Taps/homebrew/homebrew-core" && -z "${HOMEBREW_INSTALL_FROM_API}" ]] || ! brew install curl
then then
odie "'curl' must be installed and in your PATH!" odie "'curl' must be installed and in your PATH!"
fi fi
@ -397,7 +407,7 @@ EOS
[[ -n "${HOMEBREW_FORCE_BREWED_GIT}" && ! -x "${HOMEBREW_PREFIX}/opt/git/bin/git" ]] [[ -n "${HOMEBREW_FORCE_BREWED_GIT}" && ! -x "${HOMEBREW_PREFIX}/opt/git/bin/git" ]]
then then
# we cannot install a Homebrew Git if homebrew/core is unavailable. # we cannot install a Homebrew Git if homebrew/core is unavailable.
if [[ ! -d "${HOMEBREW_LIBRARY}/Taps/homebrew/homebrew-core" ]] || ! brew install git if [[ ! -d "${HOMEBREW_LIBRARY}/Taps/homebrew/homebrew-core" && -z "${HOMEBREW_INSTALL_FROM_API}" ]] || ! brew install git
then then
odie "'git' must be installed and in your PATH!" odie "'git' must be installed and in your PATH!"
fi fi
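Review bot: `brew install ca-certificates || true` discards the failure, and because the export in brew.sh only fires when `cert.pem` exists, a failed install leaves the user on the LibreSSL-affected system store with no message at all, while the curl and git branches below `odie` in the same situation. A best-effort install is defensible here, but it should at least warn, e.g. `brew install ca-certificates || opoo "Failed to install ca-certificates; continuing with the system CA store."` (assuming `opoo` is reachable from update.sh as it is from brew.sh). Note also that this install downloads over HTTPS using the very store it is trying to replace; if the bottle host's chain trips the same expired-root bug, the install fails precisely on the systems that need it, which deserves a sentence in the comment so the failure mode is not a surprise. The enclosing function starts outside the hunk.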


@ -98,6 +98,11 @@ class DevelopmentTools
@non_apple_gcc_version = {} @non_apple_gcc_version = {}
end end
sig { returns(T::Boolean) }
def ca_file_handles_most_https_certificates?
true
end
sig { returns(T::Boolean) } sig { returns(T::Boolean) }
def curl_handles_most_https_certificates? def curl_handles_most_https_certificates?
true true
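Review bot: The generic `ca_file_handles_most_https_certificates?` has no comment, while its macOS override explains when it can be false; a reader of this file alone cannot tell what "handles" means or why it is unconditionally `true` here. Suggest adding above its `sig`: `# Whether the platform's default CA bundle is usable for Homebrew's HTTPS traffic; assumed true here, overridden on macOS.` The enclosing class continues outside the hunk.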


@ -138,6 +138,11 @@ module Homebrew
description: "A space-separated list of licenses. Homebrew will refuse to install a " \ description: "A space-separated list of licenses. Homebrew will refuse to install a " \
"formula if it or any of its dependencies has a license on this list.", "formula if it or any of its dependencies has a license on this list.",
}, },
HOMEBREW_FORCE_BREWED_CA_CERTIFICATES: {
description: "If set, always use a Homebrew-installed `ca-certificates` rather than the system version. " \
"Automatically set if the system version is too old.",
boolean: true,
},
HOMEBREW_FORCE_BREWED_CURL: { HOMEBREW_FORCE_BREWED_CURL: {
description: "If set, always use a Homebrew-installed `curl`(1) rather than the system version. " \ description: "If set, always use a Homebrew-installed `curl`(1) rather than the system version. " \
"Automatically set if the system version of `curl` is too old.", "Automatically set if the system version of `curl` is too old.",


@ -10,7 +10,7 @@ class DevelopmentTools
alias generic_locate locate alias generic_locate locate
undef installed?, default_compiler, curl_handles_most_https_certificates?, undef installed?, default_compiler, curl_handles_most_https_certificates?,
subversion_handles_most_https_certificates? ca_file_handles_most_https_certificates?, subversion_handles_most_https_certificates?
sig { params(tool: String).returns(T.nilable(Pathname)) } sig { params(tool: String).returns(T.nilable(Pathname)) }
def locate(tool) def locate(tool)
@ -37,6 +37,13 @@ class DevelopmentTools
:clang :clang
end end
sig { returns(T::Boolean) }
def ca_file_handles_most_https_certificates?
# The system CA file is too old for some modern HTTPS certificates on
# older macOS versions.
ENV["HOMEBREW_SYSTEM_CA_CERTIFICATES_TOO_OLD"].nil?
end
sig { returns(T::Boolean) } sig { returns(T::Boolean) }
def curl_handles_most_https_certificates? def curl_handles_most_https_certificates?
# The system Curl is too old for some modern HTTPS certificates on # The system Curl is too old for some modern HTTPS certificates on
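Review bot: The comment on the new `ca_file_handles_most_https_certificates?` says the system CA file is "too old for some modern HTTPS certificates", but the shell side that sets `HOMEBREW_SYSTEM_CA_CERTIFICATES_TOO_OLD` gates on a LibreSSL expired-root bug before 10.15.6, not on the bundle's age, so the two explanations will drift. Suggest replacing the two comment lines with `# The system LibreSSL before macOS 10.15.6 mishandles expired roots in the` / `# system CA store; brew.sh sets this variable so we use a brewed bundle instead.`. Note the predicate is `true` whenever the variable is unset, including when a user forces brewed certificates on a healthy system, which mirrors the curl predicate's apparent pattern but is worth stating. The enclosing class starts outside the hunk.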


@ -796,6 +796,12 @@ class FormulaInstaller
# let's reset Utils::Git.available? if we just installed git # let's reset Utils::Git.available? if we just installed git
Utils::Git.clear_available_cache if formula.name == "git" Utils::Git.clear_available_cache if formula.name == "git"
# use installed ca-certificates when it's needed and available
if formula.name == "ca-certificates" &&
!DevelopmentTools.ca_file_handles_most_https_certificates?
ENV["SSL_CERT_FILE"] = ENV["GIT_SSL_CAINFO"] = formula.pkgetc/"cert.pem"
end
# use installed curl when it's needed and available # use installed curl when it's needed and available
if formula.name == "curl" && if formula.name == "curl" &&
!DevelopmentTools.curl_handles_most_https_certificates? !DevelopmentTools.curl_handles_most_https_certificates?
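Review bot: `ENV["SSL_CERT_FILE"] = ENV["GIT_SSL_CAINFO"] = formula.pkgetc/"cert.pem"` stores a Pathname in ENV; stock Ruby `ENV#[]=` requires a String via `to_str`, which Pathname does not provide, so this only works if Homebrew's ENV or Pathname extensions add that conversion (presumably as the curl branch below does, whose assignment is outside the hunk). An explicit `(formula.pkgetc/"cert.pem").to_s` removes the dependency on that extension and makes the intent obvious. A short comment that this only affects the remainder of the current process, with the persistent switch being the export in brew.sh on the next invocation, would also help. The enclosing method starts and ends outside the hunk.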


@ -4626,6 +4626,8 @@ module Homebrew::EnvConfig
def self.forbidden_licenses(); end def self.forbidden_licenses(); end
def self.force_brewed_ca_certificates?(); end
def self.force_brewed_curl?(); end def self.force_brewed_curl?(); end
def self.force_brewed_git?(); end def self.force_brewed_git?(); end


@ -100,11 +100,9 @@ module Utils
verbose: verbose, verbose: verbose,
}.compact }.compact
# SSL_CERT_FILE can be incorrectly set by users or portable-ruby and screw
# with SSL downloads so unset it here.
result = system_command curl_executable(use_homebrew_curl: use_homebrew_curl), result = system_command curl_executable(use_homebrew_curl: use_homebrew_curl),
args: curl_args(*args, **options), args: curl_args(*args, **options),
env: { "SSL_CERT_FILE" => nil }.merge(env), env: env,
timeout: end_time&.remaining, timeout: end_time&.remaining,
**command_options **command_options
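Review bot: Dropping the `"SSL_CERT_FILE" => nil` entry means any user- or portable-ruby-supplied `SSL_CERT_FILE` now flows into every Homebrew curl invocation, which is exactly the interference the removed comment warned about, and because that variable defines the trust anchors for all downloads a stray value can silently widen or break trust. The commit only needs Homebrew's own bundle to pass through, so consider whitelisting that case rather than removing the guard, e.g. `env: { "SSL_CERT_FILE" => (ENV["SSL_CERT_FILE"] if ENV["HOMEBREW_FORCE_BREWED_CA_CERTIFICATES"]) }.merge(env),`, which still lets an explicit `env` argument override it. If the passthrough is intentional for all values, a replacement comment saying so would stop the next reader from reinstating the old unset. The enclosing method starts outside the hunk.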


@ -1976,6 +1976,9 @@ example, run `export HOMEBREW_NO_INSECURE_REDIRECT=1` rather than just
- `HOMEBREW_FORBIDDEN_LICENSES` - `HOMEBREW_FORBIDDEN_LICENSES`
<br>A space-separated list of licenses. Homebrew will refuse to install a formula if it or any of its dependencies has a license on this list. <br>A space-separated list of licenses. Homebrew will refuse to install a formula if it or any of its dependencies has a license on this list.
- `HOMEBREW_FORCE_BREWED_CA_CERTIFICATES`
<br>If set, always use a Homebrew-installed `ca-certificates` rather than the system version. Automatically set if the system version is too old.
- `HOMEBREW_FORCE_BREWED_CURL` - `HOMEBREW_FORCE_BREWED_CURL`
<br>If set, always use a Homebrew-installed `curl`(1) rather than the system version. Automatically set if the system version of `curl` is too old. <br>If set, always use a Homebrew-installed `curl`(1) rather than the system version. Automatically set if the system version of `curl` is too old.


@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3 .\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3
. .
.TH "BREW" "1" "September 2021" "Homebrew" "brew" .TH "BREW" "1" "October 2021" "Homebrew" "brew"
. .
.SH "NAME" .SH "NAME"
\fBbrew\fR \- The Missing Package Manager for macOS (or Linux) \fBbrew\fR \- The Missing Package Manager for macOS (or Linux)
@ -2826,6 +2826,12 @@ Output this many lines of output on formula \fBsystem\fR failures\.
A space\-separated list of licenses\. Homebrew will refuse to install a formula if it or any of its dependencies has a license on this list\. A space\-separated list of licenses\. Homebrew will refuse to install a formula if it or any of its dependencies has a license on this list\.
. .
.TP .TP
\fBHOMEBREW_FORCE_BREWED_CA_CERTIFICATES\fR
.
.br
If set, always use a Homebrew\-installed \fBca\-certificates\fR rather than the system version\. Automatically set if the system version is too old\.
.
.TP
\fBHOMEBREW_FORCE_BREWED_CURL\fR \fBHOMEBREW_FORCE_BREWED_CURL\fR
. .
.br .br