From 15cd05cdfbcd7b5bf1f283cdff78065127848617 Mon Sep 17 00:00:00 2001
From: Megamouse <studienricky89@googlemail.com>
Date: Wed, 6 Dec 2023 18:52:27 +0100
Subject: [PATCH] curl: use native CA store instead of deploying cacert.pem

---
 .ci/deploy-windows.sh         | 7 ++++---
 rpcs3/rpcs3qt/curl_handle.cpp | 8 +++-----
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/.ci/deploy-windows.sh b/.ci/deploy-windows.sh
index dd54ec4649..7a7522f8d4 100755
--- a/.ci/deploy-windows.sh
+++ b/.ci/deploy-windows.sh
@@ -7,13 +7,14 @@ ARTIFACT_DIR="$BUILD_ARTIFACTSTAGINGDIRECTORY"
 rm -f ./bin/rpcs3.exp ./bin/rpcs3.lib ./bin/rpcs3.pdb ./bin/vc_redist.x64.exe
 rm -rf ./bin/git
 
-# Prepare compatibility and SDL database for packaging, as well as
-# certificate for ssl (auto-updater)
+# Prepare compatibility and SDL database for packaging
 mkdir ./bin/config
 mkdir ./bin/config/input_configs
 curl -fsSL 'https://raw.githubusercontent.com/gabomdq/SDL_GameControllerDB/master/gamecontrollerdb.txt' 1> ./bin/config/input_configs/gamecontrollerdb.txt
 curl -fsSL 'https://rpcs3.net/compatibility?api=v1&export' | iconv -t UTF-8 1> ./bin/GuiConfigs/compat_database.dat
-curl -fsSL 'https://curl.haxx.se/ca/cacert.pem' 1> ./bin/cacert.pem
+
+# Download SSL certificate (not needed with CURLSSLOPT_NATIVE_CA)
+#curl -fsSL 'https://curl.haxx.se/ca/cacert.pem' 1> ./bin/cacert.pem
 
 # Package artifacts
 7z a -m0=LZMA2 -mx9 "$BUILD" ./bin/*
diff --git a/rpcs3/rpcs3qt/curl_handle.cpp b/rpcs3/rpcs3qt/curl_handle.cpp
index c0d170aa1a..053de6e4d1 100644
--- a/rpcs3/rpcs3qt/curl_handle.cpp
+++ b/rpcs3/rpcs3qt/curl_handle.cpp
@@ -26,11 +26,9 @@ curl_handle::curl_handle(QObject* parent) : QObject(parent)
 	if (err != CURLE_OK) network_log.error("curl_easy_setopt(CURLOPT_VERBOSE, %d): %s", g_curl_verbose, curl_easy_strerror(err));
 
 #ifdef _WIN32
-	// This shouldn't be needed on linux
-	const std::string path_to_cert = rpcs3::utils::get_exe_dir() + "cacert.pem";
-
-	err = curl_easy_setopt(m_curl, CURLOPT_CAINFO, path_to_cert.data());
-	if (err != CURLE_OK) network_log.error("curl_easy_setopt(CURLOPT_CAINFO, %s) error: %s", path_to_cert, curl_easy_strerror(err));
+	// Tell curl to use the native CA store for certificate verification
+	err = curl_easy_setopt(m_curl, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NATIVE_CA);
+	if (err != CURLE_OK) network_log.error("curl_easy_setopt(CURLOPT_SSL_OPTIONS): %s", curl_easy_strerror(err));
 #endif
 }