Install and use Homebrew's ca-certificates
on macOS <= 10.15.5
#12167
Conversation
😭 👍🏻
Following discussion Homebrew/homebrew-core#86291 (comment), I've changed this PR so that we only install one formula: |
One caveat with this new approach is that the SSL bug is still present so this issue can resurface in the future. If this happens, it can be fixed by |
Hmm SecureTransport on 10.10 still doesn't seem to work even with this. Might end up with a hybrid here where some really old versions need a full brewed curl but Mojave etc can live with just ca-certificates - will investigate more tomorrow. |
Looks good to me. At some point, it will be great to check that the brew install calls here work with HOMEBREW_INSTALL_FROM_API, but that isn't a priority at the moment.
Given @EricFromCanada's tests this seems to work on Sierra or newer. I suggest we ship this as soon as we can to fix users who are on those systems. We can always work on a fix for older OSs after. |
We need to wait for Homebrew/homebrew-core#86304 to get through first. Also just a reminder that this will need a new |
Also, I wonder if this will allow us to get rid of |
I wasn't around when this was added. Why was this necessary? Which platforms did this affect? |
Cert errors on Mojave, I think. @iMichka should know the details. Let's find out ourselves, shall we? Homebrew/homebrew-core#86378. Edit: Hmm, no, it's not a cert error: |
Ok xiph seems to require TLS 1.3, which macOS LibreSSL does not support. Neither does Secure Transport. |
Ok so I've added an extra < Sierra check, which will install a full brewed curl. 10.12-10.15.5 will have the lightweight |
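The version split described in this comment (below Sierra a full brewed curl, Sierra through 10.15.5 only Homebrew's ca-certificates, anything newer nothing) comes down to a dotted-version comparison, which POSIX sh does not do natively. The following is an added, constructed example and is not code from the Homebrew project or from this PR; the function names version_le and tls_workaround_for are my own, and the thresholds are taken from the thread rather than from the final merged script.

```shell
#!/bin/sh
# Constructed example: decide which TLS workaround a macOS version needs,
# using the thresholds discussed in this PR (not Homebrew's own code).
#   < 10.12 (Sierra)      -> "curl"            (full brewed curl)
#   10.12 .. 10.15.5      -> "ca-certificates" (system curl + brewed CA bundle)
#   > 10.15.5             -> "none"            (no workaround needed)

# version_le A B: exit 0 if dotted version A <= B, comparing each numeric
# component in turn; missing trailing components are treated as 0, so
# "10.15" <= "10.15.5" and "10.12" <= "10.12.0" both hold.
version_le() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax="${a%%.*}"; bx="${b%%.*}"
    ax="${ax:-0}"; bx="${bx:-0}"
    if [ "$ax" -lt "$bx" ]; then return 0; fi
    if [ "$ax" -gt "$bx" ]; then return 1; fi
    # strip the component just compared (or empty the string on the last one)
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 0
}

# tls_workaround_for VERSION: print the formula to install, or "none".
tls_workaround_for() {
  if ! version_le "10.12" "$1"; then
    echo curl             # pre-Sierra: Secure Transport cannot build the chain
  elif version_le "$1" "10.15.5"; then
    echo ca-certificates  # Sierra .. 10.15.5: system curl with brewed CA bundle
  else
    echo none             # newer than the PR's 10.15.5 threshold
  fi
}

# Example usage on a Mac (sw_vers is the macOS version tool); guarded so the
# functions above can be sourced and tested on any platform.
if [ "${1:-}" = "--detect" ] && command -v sw_vers >/dev/null 2>&1; then
  tls_workaround_for "$(sw_vers -productVersion)"
fi
```

Run with --detect on a Mac to print the formula name for the running system; elsewhere source the file and call tls_workaround_for with a version string. The string comparison `[ "$a" \< "$b" ]` that first comes to mind would rank 10.9 above 10.10, which is exactly the bug the component-wise loop avoids.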
Sorry if I just missed this, but why won't the |
It seems there's some Secure Transport bug or something. Tests on 10.10 & 10.11 reveal that ftp.gnu.org just returns "not trusted" even when passed the ISRG Root X1 alone. Hard to get any meaningful information from Secure Transport - it has poor debugging support. My guess is it doesn't handle alternative chains properly. Eric tested all macOS versions and found it works on 10.12 and later. |
Basically we're seeing curl/curl#976 on < Sierra. |
I hate chickens, and I hate eggs. This can't happen because it needs the Lost? I don't blame you. Luckily |
This is needed to fix Homebrew/core CI. See Homebrew/brew#12167.
Here's the first successful Homebrew/core CI job from this change: https://github.com/Homebrew/homebrew-core/pull/86421/checks?check_run_id=3788099599 I needed Homebrew/homebrew-test-bot@4fd658e before it worked though. Not sure why. |
This'll be because we never export Either we start exporting it or we instead check (Same scenario with |
Thanks for this!
# we cannot install Homebrew CA certificates if homebrew/core is unavailable. | ||
if [[ -d "${HOMEBREW_LIBRARY}/Taps/homebrew/homebrew-core" || -n "${HOMEBREW_INSTALL_FROM_API}" ]] | ||
then | ||
brew install ca-certificates || true |
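Review bot: the `|| true` on the `brew install ca-certificates` line hides a failed install, so a missing or broken ca-certificates formula only shows up later as an opaque TLS verification error from curl rather than at the point where it can be acted on; either drop `|| true` so the step fails with brew's own error, or replace it with an explicit message that Homebrew's CA certificates could not be installed before continuing.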
the || true seems undesirable here, we want to handle if this fails (with at least a message), no?
I had a reason in my head before but so much has changed that I can't remember it and it probably no longer applies.
I'm not sure what the message would be though. The solution for brewed curl and git is to install it yourself and put it in the PATH. This doesn't apply to CA certificates.
I think it's worth just failing in this case, then.
brew style with your changes locally?
brew typecheck with your changes locally?
brew tests with your changes locally?

The final step. Must be merged after #12166.