@wheelerlaw wheelerlaw commented Nov 12, 2025

  • Have you followed the guidelines for contributing?
  • Have you ensured that your commits follow the commit style guide?
  • Have you checked that there aren't other open pull requests for the same formula update/change?
  • Have you built your formula locally with HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>, where <formula> is the name of the formula you're submitting?
  • Is your test running fine brew test <formula>, where <formula> is the name of the formula you're submitting?
  • Does your build pass brew audit --strict <formula> (after doing HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>)? If this is a new formula, does it pass brew audit --new <formula>?

The location of the system CA certificate store depends on the Linux distro. This PR adds two additional locations. The formula will pick the file that it finds first.

I can't seem to run brew audit --strict as that command doesn't seem to respect the HOMEBREW_NO_INSTALL_FROM_API=1 environment variable and the firewall I am behind blocks access to https://formulae.brew.sh/api/formula.jws.json.

@github-actions github-actions bot added the CI-skip-recursive-dependents Pass --skip-recursive-dependents to brew test-bot. label Nov 12, 2025
@github-actions
Contributor

Thanks for contributing to Homebrew! 🎉 It looks like you're having trouble with a CI failure. See our contribution guide for help. You may be most interested in the section on dealing with CI failures. You can find the CI logs in the Checks tab of your pull request.

@p-linnane p-linnane requested a review from a team November 12, 2025 19:59
Comment on lines -150 to +157
system_ca_certificates = Pathname.new("/etc/ssl/certs/ca-certificates.crt")
return if !system_ca_certificates.exist? || !system_ca_certificates.readable?
ca_certificate_paths = [
"/etc/ssl/certs/ca-certificates.crt", # Debian/Ubuntu, Alpine Linux, Arch Linux
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", # RHEL/CentOS/Fedora
"/etc/ssl/ca-bundle.pem", # SUSE/openSUSE
]
system_ca_certificates = ca_certificate_paths.map { |p| Pathname.new(p) }
.find { |pn| pn.file? && pn.readable? }
return unless system_ca_certificates
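
Review bot: The order of ca_certificate_paths is now a precedence order, because .find returns the first entry that passes pn.file? && pn.readable?, but nothing in the hunk says so. Add a one-line comment above the array stating that earlier entries win, so a later addition is not inserted at an arbitrary position. The check also changed from exist? to file?, which now skips a directory sitting at one of these paths; that is the safer behaviour, but it goes beyond adding paths and is worth a mention in the commit message.
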
Member

For full generality, perhaps we could use the same set of patterns/heuristics that rustls's openssl-probe uses? I think that would be a nice future-proofing step here 🙂

https://github.com/rustls/openssl-probe/blob/main/src/lib.rs
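
An added Ruby example, not code from this PR, from Homebrew or from openssl-probe, of the first-match probe the PR description explains. It goes one step further than the diff by also requiring that the chosen file contains at least one parseable certificate. `find_ca_bundle`, `parseable_cert_count` and `sample_pem` are hypothetical names, and the candidate list is only the three paths shown in the diff.

```ruby
require "openssl"
require "pathname"

# Candidate bundle locations copied from the diff above; order is precedence.
CA_BUNDLE_CANDIDATES = [
  "/etc/ssl/certs/ca-certificates.crt",
  "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
  "/etc/ssl/ca-bundle.pem",
].freeze

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Number of PEM blocks in the file that parse as X.509 certificates.
# binread avoids encoding errors on bundles that carry non-ASCII comments.
def parseable_cert_count(path)
  path.binread.scan(PEM_CERT).count do |pem|
    OpenSSL::X509::Certificate.new(pem)
    true
  rescue OpenSSL::X509::CertificateError
    false
  end
end

# Hypothetical helper: first candidate that is a readable regular file
# and holds at least one parseable certificate, otherwise nil.
def find_ca_bundle(candidates = CA_BUNDLE_CANDIDATES)
  candidates.map { |p| Pathname.new(p) }.find do |pn|
    pn.file? && pn.readable? && parseable_cert_count(pn).positive?
  end
end

# Constructed sample input: a throwaway self-signed certificate in PEM form.
def sample_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-test-ca")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

# Run directly to see which candidate this machine would select (nil if none).
puts find_ca_bundle.inspect if $PROGRAM_NAME == __FILE__
```

An empty or truncated file at an earlier path passes a `file? && readable?` check and would shadow a valid bundle later in the list; the content check is what lets the probe fall through to it.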
