FelixKratz / homebrew-formulae


[Brew install] Not able to download resource "sketchybar" #6

Closed AlejandroSuero closed 8 months ago

AlejandroSuero commented 8 months ago

I changed to a new mac and I was installing it and this popped up during the installation:

brew install sketchybar     
==> Downloading https://formulae.brew.sh/api/formula.jws.json
###################################################################################################################################################################################### 100.0%
==> Downloading https://formulae.brew.sh/api/cask.jws.json
###################################################################################################################################################################################### 100.0%
==> Fetching felixkratz/formulae/sketchybar
==> Downloading https://github.com/FelixKratz/SketchyBar/archive/refs/tags/v2.19.1.tar.gz
curl: (60) SSL certificate problem: self signed certificate                                                                                                                                 
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Error: sketchybar: Failed to download resource "sketchybar"
Download failed: https://github.com/FelixKratz/SketchyBar/archive/refs/tags/v2.19.1.tar.gz
Screenshot 2023-11-10 at 03 29 25

FelixKratz commented 8 months ago

That's strange, the file is hosted on GitHub and the download is managed by brew. Does this work if you install other packages via brew?

Maybe it was a configuration problem at GitHub, which is resolved now?

Do you have some kind of man-in-the-middle HTTPS proxy which re-signs your SSL packets?

AlejandroSuero commented 8 months ago

I installed other packages and seems to work fine.

About the proxy, I would say no, because it is a new one, so I didn't trigger something like that. When I followed the link to the .tar.gz, it said that was private, but that I will assume is part of GitHub, I guess.

I'm going to try downloading it now. In the meantime I just compiled from source and executed it in the background using sketchybar > /dev/null 2>&1 &

AlejandroSuero commented 8 months ago

As an update, I tried downloading it, to the same effect. I downloaded other packages like neovim and they downloaded fine.

FelixKratz commented 8 months ago

When I open https://github.com/FelixKratz/SketchyBar/archive/refs/tags/v2.19.1.tar.gz it downloads the file.

Try running

curl -L https://github.com/FelixKratz/SketchyBar/archive/refs/tags/v2.19.1.tar.gz --output sketchybar.tar.gz

What does this command do?

Something is not configured correctly and I have no idea what it could be.

AlejandroSuero commented 8 months ago

I get the following:

curl -L https://github.com/FelixKratz/SketchyBar/archive/refs/tags/v2.19.1.tar.gz --output sketchybar.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

And this when I visit https://github.com/FelixKratz/SketchyBar/archive/refs/tags/v2.19.1.tar.gz

Screenshot 2023-11-10 at 13 35 20

AlejandroSuero commented 8 months ago

If I ignore the certificates, it works, but the brew install would still not work.

This is the output I get when running curl -L https://github.com/FelixKratz/SketchyBar/archive/refs/tags/v2.19.1.tar.gz --output sketchybar.tar.gz adding -kv

curl -kv -L https://github.com/FelixKratz/SketchyBar/archive/refs/tags/v2.18.0.tar.gz --output sketchybar.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 140.82.121.4:443...
* Connected to github.com (140.82.121.4) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
} [315 bytes data]
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [19 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [2459 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*  start date: Feb 14 00:00:00 2023 GMT
*  expire date: Mar 14 23:59:59 2024 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
*  SSL certificate verify ok.
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: github.com]
* h2 [:path: /FelixKratz/SketchyBar/archive/refs/tags/v2.18.0.tar.gz]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x12480cc00)
> GET /FelixKratz/SketchyBar/archive/refs/tags/v2.18.0.tar.gz HTTP/2
> Host: github.com
> User-Agent: curl/8.1.2
> Accept: */*
> 
< HTTP/2 302 
< server: GitHub.com
< date: Fri, 10 Nov 2023 12:41:09 GMT
< content-type: text/html; charset=utf-8
< vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
< location: https://codeload.github.com/FelixKratz/SketchyBar/tar.gz/refs/tags/v2.18.0
< cache-control: max-age=0, private
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 0
< referrer-policy: no-referrer-when-downgrade
< content-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.githubcopilot.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events objects-origin.githubusercontent.com *.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ staffwus201resultssa0.blob.core.windows.net/ staffwus201resultssa1.blob.core.windows.net/ prodweu01resultssa0.blob.core.windows.net/ prodweu01resultssa1.blob.core.windows.net/ prodweu01resultssa2.blob.core.windows.net/ prodweu01resultssa3.blob.core.windows.net/ wss://*.actions.githubusercontent.com github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com support.github.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ 
user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
< content-length: 0
< x-github-request-id: C07C:CF78:2F019AE8:2FA3A9A3:654E251D
< 
{ [0 bytes data]
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host github.com left intact
* Issue another request to this URL: 'https://codeload.github.com/FelixKratz/SketchyBar/tar.gz/refs/tags/v2.18.0'
*   Trying 172.29.14.144:443...
* Connected to codeload.github.com (172.29.14.144) port 443 (#1)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
} [324 bytes data]
* (304) (IN), TLS handshake, Server hello (2):
{ [81 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [903 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=US; ST=USA; L=New York; O=Optimization; OU=Optimization; CN=tomcat
*  start date: Aug 30 08:53:43 2019 GMT
*  expire date: Aug 25 08:53:43 2039 GMT
*  issuer: C=US; ST=USA; L=New York; O=Optimization; OU=Optimization; CN=tomcat
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* using HTTP/1.x
> GET /FelixKratz/SketchyBar/tar.gz/refs/tags/v2.18.0 HTTP/1.1
> Host: codeload.github.com
> User-Agent: curl/8.1.2
> Accept: */*
> 
< HTTP/1.1 200 
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Expires: 0
< Content-Type: text/html;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Fri, 10 Nov 2023 12:42:05 GMT
< 
{ [16181 bytes data]
100  510k    0  510k    0     0  1177k      0 --:--:-- --:--:-- --:--:-- 1177k
* Connection #1 to host codeload.github.com left intact
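
The trace above contains two different TLS peers: github.com at 140.82.121.4 with a DigiCert-issued certificate, and codeload.github.com at 172.29.14.144 (inside the private range 172.16.0.0/12) with a certificate whose subject and issuer are both CN=tomcat. The following is an added example, not part of the thread and not written by any participant, that parses `curl -v` output and reports those properties per connection; the function name `audit_curl_trace` and the finding strings are made up for illustration.

```python
import fnmatch
import ipaddress
import re

# Constructed sample: connection and certificate lines copied from the trace above.
SAMPLE = """\
* Connected to github.com (140.82.121.4) port 443 (#0)
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
*  SSL certificate verify ok.
* Connected to codeload.github.com (172.29.14.144) port 443 (#1)
*  subject: C=US; ST=USA; L=New York; O=Optimization; OU=Optimization; CN=tomcat
*  issuer: C=US; ST=USA; L=New York; O=Optimization; OU=Optimization; CN=tomcat
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
"""

CONNECTED = re.compile(r"^\* Connected to (\S+) \(([0-9a-fA-F.:]+)\) port \d+")
CERT_FIELD = re.compile(r"^\*\s+(subject|issuer): (.*)$")
VERIFY_FAIL = re.compile(r"^\*\s+SSL certificate verify result: (.*?) \(\d+\)")


def audit_curl_trace(text):
    """Return one dict per connection in a `curl -v` trace, with its findings."""
    conns = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := CONNECTED.match(line):
            conns.append({"host": m[1], "ip": m[2], "findings": []})
        elif conns and (m := CERT_FIELD.match(line)):
            conns[-1][m[1]] = m[2]
        elif conns and (m := VERIFY_FAIL.match(line)):
            conns[-1]["findings"].append(f"verification failed: {m[1]}")
    for c in conns:
        subject, issuer = c.get("subject"), c.get("issuer")
        # A public hostname whose TCP peer is in private or loopback space was
        # answered on the local machine or network, not by the public service.
        if ipaddress.ip_address(c["ip"]).is_private:
            c["findings"].append(f"{c['host']} connected to private address {c['ip']}")
        if subject and subject == issuer:
            c["findings"].append("subject equals issuer (self-signed)")
        # Heuristic only: real validation uses SANs, which this trace omits.
        cn = re.search(r"CN=([^;]+)", subject or "")
        if cn and not fnmatch.fnmatchcase(c["host"].lower(), cn[1].strip().lower()):
            c["findings"].append(f"certificate CN {cn[1]!r} does not match host")
    return conns


if __name__ == "__main__":
    for conn in audit_curl_trace(SAMPLE):
        print(conn["host"], conn["ip"], conn["findings"] or "no findings")
```
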
FelixKratz commented 8 months ago

What do you see if you click the "Not Secure" button in the browser and look at the details of the certificate? BTW, is your date and time configured properly?

For reference: https://www.reddit.com/r/github/comments/y1det7/i_cannot_access_codeloadgithubcom_because_google/?rdt=53890

I have also found references tracing this back to Vodafone Secure Net erroneously blocking certain websites.

Try the download with 5G via a hotspot or a different network...

AlejandroSuero commented 8 months ago

I tried using the mobile internet as provider and ethernet cable as well, but to the same result.

Clicking on "Advanced" outputs this:

Screenshot 2023-11-10 at 14 20 33

And clicking on "Not Secure" outputs this:

Screenshot 2023-11-10 at 14 22 43

FelixKratz commented 8 months ago

Try opening the link on a different device; if that works, your device might be compromised in some way. This is usually a sign of man-in-the-middle attacks.

AlejandroSuero commented 8 months ago

On my Windows and Linux machines it seems to work fine. Any way I can sort of track the problem on Mac?

FelixKratz commented 8 months ago

Because this seems to point at a serious security problem, I would completely wipe and reinstall macOS… some application (malicious or not) might be intercepting parts of your network traffic.

AlejandroSuero commented 8 months ago

Thanks I'll do that 👌