Patching cask google-cloud-sdk to use formula certifi

[epiccoolguy]

Output of brew config

HOMEBREW_VERSION: 4.2.15
ORIGIN: https://github.com/Homebrew/brew
HEAD: 92a4311868322188478d7a90511ec0e8e6b0d7df
Last commit: 7 days ago
Core tap JSON: 31 Mar 13:14 UTC
Core cask tap JSON: 31 Mar 13:13 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_MAKE_JOBS: 8
Homebrew Ruby: 3.1.4 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.1.4/bin/ruby
CPU: octa-core 64-bit arm_blizzard_avalanche
Clang: 15.0.0 build 1500
Git: 2.44.0 => /opt/homebrew/bin/git
Curl: 8.4.0 => /usr/bin/curl
macOS: 14.4-arm64
CLT: 15.3.0.0.1.1708646388
Xcode: N/A
Rosetta 2: false

Output of brew doctor

Your system is ready to brew.

Description of issue

Hi,

I have recently started working in a corporate environment which enforces "SSL inspection". This means that when setting up a TLS connection to a remote server, your client will be presented a certificate issued by a root certificate authority that is provisioned by the company through MDM. Because the CA certificate is not included in public CA bundles, the verification of the certificate may fail.

This generally isn't an issue with applications that respect the native trust store (Keychain), but it seems that some Python tools have issues, because they come with their own CA bundle.

A common package Python tools seem to use is certifi, which basically provides a copy of Mozilla's root CA certificate bundle. This library can also be installed with a homebrew formula. When installing certifi with the formula it will instead use a patched version of ca-certificates that includes the system keychain, so programs using this version of certifi will also trust certificates issued by the private root CA. I originally had an issue using Ansible installed via pip which was solved by switching to Python + certifi + Ansible provided by Homebrew.

I'm now encountering the same issue when installing the google-cloud-sdk cask where this tool seems to still be using its vendored copy of certifi, despite being provided the Python from Homebrew (which has the patched certifi installed in its environment).

The solution I had in mind was:

1. Make the certifi formula a dependency of google-cloud-sdk cask
2. Copy the cacert.pem from the formula into google-cloud-sdk/lib/third_party/certifi/ BEFORE running the installer in the cask

Does it make sense to have these kinds of modifications in the google-cloud-sdk cask itself or should I create a separate tap for publishing such a patched version of google-cloud-sdk?

Relevant casks

google-cloud-sdk

[SMillerDev]

Does it make sense to have these kinds of modifications in the google-cloud-sdk cask itself or should I create a separate tap for publishing such a patched version of google-cloud-sdk?

We don't generally make modifications to precompiled binaries/casks so a tap seems best for this.