homebrew-cask: Installation of certain Casks fails with TLS cert errors
General troubleshooting steps
- I understand that if I ignore these instructions, my issue may be closed without review.
- I have retried my command with
--force. - I ran
brew update-reset && brew updateand retried my command. - I ran
brew doctor, fixed as many issues as possible and retried my command. - I have checked the instructions for reporting bugs.
- I made doubly sure this is not a checksum does not match error.
Description of issue
Installation of certain Casks currently fails with TLS certificate errors:
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
This is because of a (supposed) bug in macOS’ built-in cURL, which is used by Homebrew. See my detailed analysis of the issue on Information Security StackExchange.
Affected Casks include, but are probably not limited to, “dash” and “electron-cash”.
Command that failed
brew cask reinstall dash
Output of command with --force --verbose --debug
==> Downloading https://kapeli.com/downloads/v5/Dash.zip
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
Error: Download failed on Cask 'dash' with message: Download failed: https://kapeli.com/downloads/v5/Dash.zip
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 19 (12 by maintainers)
Commits related to this issue
- Update focusrite-control from 3.5.0.1754 to 3.6.0.1822 (#1598) — committed to Homebrew/homebrew-cask-drivers by ran-dall 4 years ago
@mjsteinbaugh Everything @vitorgalvao said is correct, but also consider these 2 things…
We don’t recommend folks replacing system dependencies just because ‘something isn’t working’. Folks should do their research to see what’s applicable to their system and what works for them. For example, neither of the lines you posted are needed to address this on 10.15.
This isn’t a Homebrew Core problem, it’s an upstream problem. Therefore, there will be no fix provided by Homebrew. https://github.com/Homebrew/brew/issues/7667#issuecomment-636427543
The point @ran-dall was making was that line is useless to fix this issue, because
HOMEBREW_FORCE_BREWED_CURLdoes everything. ThePATHline changes what all your programs use (which, while unlikely, may lead to unexpected behaviour).So in that sense the
PATHline is neither a stopgap measure nor does it fix the problem; theHOMEBREW_FORCE_BREWED_CURLline is what’s accomplishing that.A workaround is to simply install the latest and greatest version of
curlusing Homebrew and linking that version. That is:After this, it will work without any problems.
Alternatively, if you don’t want to permanently alter your
PATHbut still want to save the day instead of waiting for macOS developers or Homebrew developers to fix this issue, you can:curlby running:brew install curlexport PATH="/usr/local/opt/curl/bin:$PATH"@ran-dall It’s a stopgap mesaure that works until Homebrew core is updated…so it does in a sense fix the problem
Can confirm this works for me:
And then place in your shell config file (e.g.
~/.zshrcor~/.bash_profile):Please also set
export HOMEBREW_FORCE_BREWED_CURL=1in~/.bash_profileto fix the issue. The exportPATHis not enough for me. @ugultopu ^^