Skip to content

Instantly share code, notes, and snippets.

@mig8447

mig8447/README.md

Forked from telamonian/gist:875affc6e16cba8b8be08850c982555a
Last active June 2, 2020 22:57
Show Gist options
  • Save mig8447/c7003cc83adad3d475b7479e86ba4674 to your computer and use it in GitHub Desktop.
Save mig8447/c7003cc83adad3d475b7479e86ba4674 to your computer and use it in GitHub Desktop.
Download ZIP
Adding --insecure, -k to homebrew cURL calls (Workaround for homebrew cask install SSL issues)
Raw
README.md

Problem

Executing

brew cask install sip

yields

curl: (60) SSL certificate problem: certificate has expired

Solution

Before starting

This solution works for Homebrew 2.3.0 and this specific commit:

HOMEBREW_VERSION: 2.3.0
ORIGIN: https://github.com/Homebrew/brew
HEAD: 77e09fc166f5fb7197b239d5e2727ddc0791c121
Last commit: 4 days ago
Core tap ORIGIN: https://github.com/Homebrew/homebrew-core
Core tap HEAD: bc2f3461c23cba67c573997a82a92313d0423750

Future versions may have issues because the code has changed but the solution might be something similar

Instructions

Edit the download_strategy.rb file as follows

vim /usr/local/Homebrew/Library/Homebrew/download_strategy.rb

Changed

  # Curl options to be always passed to curl,
  # with raw head calls (`curl --head`) or with actual `fetch`.
  def _curl_args
    args = []

    args += ["-b", meta.fetch(:cookies).map { |k, v| "#{k}=#{v}" }.join(";")] if meta.key?(:cookies)

    args += ["-e", meta.fetch(:referer)] if meta.key?(:referer)

    args += ["--user", meta.fetch(:user)] if meta.key?(:user)

    args += [meta[:header], meta[:headers]].flatten.compact.flat_map { |h| ["--header", h.strip] }

    args
  end

to

  # Curl options to be always passed to curl,
  # with raw head calls (`curl --head`) or with actual `fetch`.
  def _curl_args
    args = []

    args += ["-k"]

    args += ["-b", meta.fetch(:cookies).map { |k, v| "#{k}=#{v}" }.join(";")] if meta.key?(:cookies)

    args += ["-e", meta.fetch(:referer)] if meta.key?(:referer)

    args += ["--user", meta.fetch(:user)] if meta.key?(:user)

    args += [meta[:header], meta[:headers]].flatten.compact.flat_map { |h| ["--header", h.strip] }

    args
  end

basically adding the -k argument to allow invalid certificates. Then executed homebrew installation as

HOMEBREW_NO_AUTO_UPDATE=1 brew cask install sip

to prevent homebrew from pulling content reverting our change. Then executed the command below to revert our change

cd /usr/local/Homebrew/Library/Homebrew/
git checkout download_strategy.rb
cd

to revert our change

Future work

  • Craft a diff patch to re-apply as needed
  • Make a pull request to homebrew to add an --insecure-ssl-certs option to the brew cask command See Homebrew/legacy-homebrew#6103
@mig8447
Copy link
Author

mig8447 commented Jun 2, 2020
edited

Overwriting the cURL cert file

Besides using -k, the Sip Application zip can download correctly with the following commands

echo quit | openssl s_client -showcerts -servername server -connect sipapp.io:443 > sip_cacert.pem
export SSL_CERT_FILE="$( pwd )"'/sip_cacert.pem'
curl -v https://sipapp.io/updates/v2/sip-2.3.zip -o ~/Downloads/sip.zip

But unfortunately exporting the variable doesn't pass through to the cURL command executed by homebrew

References

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment