Merge pull request Homebrew#16078 from EricFromCanada/curl-insecure

api: ignore HTTPS errors if minimum curl version isn't installed

Library/Homebrew/api.rb

@@ -54,9 +54,8 @@ def self.fetch_json_api_file(endpoint, target: HOMEBREW_CACHE_API/endpoint,
         --speed-time #{ENV.fetch("HOMEBREW_CURL_SPEED_TIME")}
       ]
 
-      insecure_download = (ENV["HOMEBREW_SYSTEM_CA_CERTIFICATES_TOO_OLD"].present? ||
-                           ENV["HOMEBREW_FORCE_BREWED_CA_CERTIFICATES"].present?) &&
-                          !(HOMEBREW_PREFIX/"etc/ca-certificates/cert.pem").exist?
+      insecure_download = DevelopmentTools.ca_file_substitution_required? ||
+                          DevelopmentTools.curl_substitution_required?
       skip_download = target.exist? &&
                       !target.empty? &&
                       (!Homebrew.auto_update_command? ||
@@ -69,9 +68,7 @@ def self.fetch_json_api_file(endpoint, target: HOMEBREW_CACHE_API/endpoint,
           args = curl_args.dup
           args.prepend("--time-cond", target.to_s) if target.exist? && !target.empty?
           if insecure_download
-            opoo "Using --insecure with curl to download #{endpoint} " \
-                 "because we need it to run `brew install ca-certificates`. " \
-                 "Checksums will still be verified."
+            opoo DevelopmentTools.insecure_download_warning(endpoint)
             args.append("--insecure")
           end
           unless skip_download

Library/Homebrew/development_tools.rb

@@ -36,6 +36,14 @@ def custom_installation_instructions
       installation_instructions
     end
 
+    sig { params(resource: String).returns(String) }
+    def insecure_download_warning(resource)
+      package = curl_handles_most_https_certificates? ? "ca-certificates" : "curl"
+      "Using `--insecure` with curl to download #{resource} because we need it to run " \
+        "`brew install #{package}` in order to download securely from now on. " \
+        "Checksums will still be verified."
+    end
+
     sig { returns(Symbol) }
     def default_compiler
       :clang
@@ -123,6 +131,17 @@ def curl_handles_most_https_certificates?
       true
     end
 
+    sig { returns(T::Boolean) }
+    def ca_file_substitution_required?
+      (!ca_file_handles_most_https_certificates? || ENV["HOMEBREW_FORCE_BREWED_CA_CERTIFICATES"].present?) &&
+        !(HOMEBREW_PREFIX/"etc/ca-certificates/cert.pem").exist?
+    end
+
+    sig { returns(T::Boolean) }
+    def curl_substitution_required?
+      !curl_handles_most_https_certificates? && !HOMEBREW_BREWED_CURL_PATH.exist?
+    end
+
     sig { returns(T::Boolean) }
     def subversion_handles_most_https_certificates?
       true

Library/Homebrew/download_strategy.rb

@@ -577,9 +577,7 @@ def _curl_args
 
     if meta[:insecure]
       unless @insecure_warning_shown
-        opoo "Using --insecure with curl to download `ca-certificates` " \
-             "because we need it installed to download securely from now on. " \
-             "Checksums will still be verified."
+        opoo DevelopmentTools.insecure_download_warning("an updated certificates file")
         @insecure_warning_shown = true
       end
       args += ["--insecure"]

Library/Homebrew/resource.rb

@@ -56,7 +56,8 @@ def owner=(owner)
     return if !owner.respond_to?(:full_name) || owner.full_name != "ca-certificates"
     return if Homebrew::EnvConfig.no_insecure_redirect?
 
-    @insecure = !specs[:bottle] && !DevelopmentTools.ca_file_handles_most_https_certificates?
+    @insecure = !specs[:bottle] && (DevelopmentTools.ca_file_substitution_required? ||
+                                    DevelopmentTools.curl_substitution_required?)
     return if @url.nil?
 
     specs = if @insecure