api: ignore HTTPS errors if minimum curl version isn't installed

Homebrew · Oct 4, 2023 · 2f5bf7d · 2f5bf7d
1 parent ec5ad35
commit 2f5bf7d
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 7 deletions.
diff --git a/Library/Homebrew/api.rb b/Library/Homebrew/api.rb
@@ -54,9 +54,8 @@ def self.fetch_json_api_file(endpoint, target: HOMEBREW_CACHE_API/endpoint,
         --speed-time #{ENV.fetch("HOMEBREW_CURL_SPEED_TIME")}
       ]
 
-      insecure_download = (ENV["HOMEBREW_SYSTEM_CA_CERTIFICATES_TOO_OLD"].present? ||
-                           ENV["HOMEBREW_FORCE_BREWED_CA_CERTIFICATES"].present?) &&
-                          !(HOMEBREW_PREFIX/"etc/ca-certificates/cert.pem").exist?
+      insecure_download = DevelopmentTools.ca_file_substitution_required? ||
+                          DevelopmentTools.curl_substitution_required?
       skip_download = target.exist? &&
                       !target.empty? &&
                       (!Homebrew.auto_update_command? ||
@@ -69,8 +68,9 @@ def self.fetch_json_api_file(endpoint, target: HOMEBREW_CACHE_API/endpoint,
           args = curl_args.dup
           args.prepend("--time-cond", target.to_s) if target.exist? && !target.empty?
           if insecure_download
-            opoo "Using --insecure with curl to download #{endpoint} " \
-                 "because we need it to run `brew install ca-certificates`. " \
+            package = DevelopmentTools.curl_handles_most_https_certificates? ? "ca-certificates" : "curl"
+            opoo "Using `--insecure` with curl to download #{endpoint} " \
+                 "because we need it to run `brew install #{package}`. " \
                  "Checksums will still be verified."
             args.append("--insecure")
           end

diff --git a/Library/Homebrew/cmd/update.sh b/Library/Homebrew/cmd/update.sh
@@ -416,7 +416,8 @@ EOS
   fi
 
   # we may want to use Homebrew CA certificates
-  if [[ -n "${HOMEBREW_FORCE_BREWED_CA_CERTIFICATES}" && ! -f "${HOMEBREW_PREFIX}/etc/ca-certificates/cert.pem" ]]
+  if [[ -n "${HOMEBREW_FORCE_BREWED_CA_CERTIFICATES}" && ! -f "${HOMEBREW_PREFIX}/etc/ca-certificates/cert.pem" ]] ||
+     [[ -n "${HOMEBREW_SYSTEM_CURL_TOO_OLD}" && ! -x "${HOMEBREW_PREFIX}/opt/curl/bin/curl" ]]
   then
     # we cannot install Homebrew CA certificates if homebrew/core is unavailable.
     if [[ -n "${HOMEBREW_CORE_AVAILABLE}" ]]

diff --git a/Library/Homebrew/development_tools.rb b/Library/Homebrew/development_tools.rb
@@ -123,6 +123,17 @@ def curl_handles_most_https_certificates?
       true
     end
 
+    sig { returns(T::Boolean) }
+    def ca_file_substitution_required?
+      (!ca_file_handles_most_https_certificates? || ENV["HOMEBREW_FORCE_BREWED_CA_CERTIFICATES"].present?) &&
+      !(HOMEBREW_PREFIX/"etc/ca-certificates/cert.pem").exist?
+    end
+
+    sig { returns(T::Boolean) }
+    def curl_substitution_required?
+      !curl_handles_most_https_certificates? && !HOMEBREW_BREWED_CURL_PATH.exist?
+    end
+
     sig { returns(T::Boolean) }
     def subversion_handles_most_https_certificates?
       true

diff --git a/Library/Homebrew/resource.rb b/Library/Homebrew/resource.rb
@@ -56,7 +56,8 @@ def owner=(owner)
     return if !owner.respond_to?(:full_name) || owner.full_name != "ca-certificates"
     return if Homebrew::EnvConfig.no_insecure_redirect?
 
-    @insecure = !specs[:bottle] && !DevelopmentTools.ca_file_handles_most_https_certificates?
+    @insecure = !specs[:bottle] && (DevelopmentTools.ca_file_substitution_required? ||
+                                    DevelopmentTools.curl_substitution_required?)
     return if @url.nil?
 
     specs = if @insecure