cask/audit: iterate over artifacts in rosetta/signing audit

2025-08-11 12:37:44 +10:00 · 2025-08-11 12:37:44 +10:00 · 34f659cb64
commit 34f659cb64
parent dbe68ef80c
1 changed files with 29 additions and 22 deletions
--- a/Library/Homebrew/cask/audit.rb
+++ b/Library/Homebrew/cask/audit.rb
@ -505,8 +505,8 @@ module Cask
      extract_artifacts do |artifacts, tmpdir|
        is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) }

-        artifacts.each do |artifact|
-          next if artifact.is_a?(Artifact::Binary) && is_container == true
+        any_signing_failure = artifacts.any? do |artifact|
+          next false if artifact.is_a?(Artifact::Binary) && is_container == true

          artifact_path = artifact.is_a?(Artifact::Pkg) ? artifact.path : artifact.source

@ -521,7 +521,7 @@ module Cask
            system_command("gktool", args: ["scan", path], print_stderr: false)
          when Artifact::Binary
            # Shell scripts cannot be signed, so we skip them
-            next if path.text_executable?
+            next false if path.text_executable?

            system_command("codesign",  args:         ["--verify", "-R=notarized", "--check-notarization", path],
                                        print_stderr: false)
@ -529,13 +529,8 @@ module Cask
            add_error "Unknown artifact type: #{artifact.class}", location: url.location
          end

-          if result.success? && cask.deprecated? && cask.deprecation_reason == :unsigned
-            add_error "Cask is deprecated as unsigned but artifacts are signed!"
-          end
-
-          next if cask.deprecated? && cask.deprecation_reason == :unsigned
-
-          next if result.success?
+          next false if result.success?
+          next true if cask.deprecated? && cask.deprecation_reason == :unsigned

          add_error <<~EOS, location: url.location
            Signature verification failed:
@ -543,6 +538,15 @@ module Cask
            macOS on ARM requires software to be signed.
            Please contact the upstream developer to let them know they should sign and notarize their software.
          EOS
+
+          true
+        end
+
+        if cask.deprecated? && cask.deprecation_reason == :unsigned && !any_signing_failure
+          add_error <<~EOS
+            Cask is deprecated as unsigned but all artifacts are signed!
+            Remove the deprecate/disable stanza or update the deprecate/disable reason.
+          EOS
        end
      end
    end
@ -640,9 +644,12 @@ module Cask
      extract_artifacts do |artifacts, tmpdir|
        is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) }

-        artifacts.each do |artifact|
-          next if !artifact.is_a?(Artifact::App) && !artifact.is_a?(Artifact::Binary)
-          next if artifact.is_a?(Artifact::Binary) && is_container
+        mentions_rosetta = cask.caveats.include?("requires Rosetta 2")
+        requires_intel = cask.depends_on.arch&.any? { |arch| arch[:type] == :intel }
+
+        any_requires_rosetta = artifacts.any? do |artifact|
+          next false if !artifact.is_a?(Artifact::App) && !artifact.is_a?(Artifact::Binary)
+          next false if artifact.is_a?(Artifact::Binary) && is_container

          path = tmpdir/artifact.source.relative_path_from(cask.staged_path)

@ -665,7 +672,7 @@ module Cask
          end

          # binary stanza can contain shell scripts, so we just continue if lipo fails.
-          next unless result.success?
+          next false unless result.success?

          odebug "Architectures: #{result.merged_output}"

@ -675,17 +682,17 @@ module Cask
            next
          end

-          supports_arm = result.merged_output.include?("arm64")
-          mentions_rosetta = cask.caveats.include?("requires Rosetta 2")
-          requires_intel = cask.depends_on.arch&.any? { |arch| arch[:type] == :intel }
+          next true if result.merged_output.exclude?("arm64") && result.merged_output.include?("x86_64")
+        end

-          if supports_arm && mentions_rosetta
-            add_error "Artifacts do not require Rosetta 2 but the caveats say otherwise!",
-                      location: url.location
-          elsif !supports_arm && !mentions_rosetta && !requires_intel
-            add_error "Artifacts require Rosetta 2 but this is not indicated by the caveats!",
+        if any_requires_rosetta
+          if !mentions_rosetta && !requires_intel
+            add_error "At least one artifact requires Rosetta 2 but this is not indicated by the caveats!",
                      location: url.location
          end
+        elsif mentions_rosetta
+          add_error "No artifacts require Rosetta 2 but the caveats say otherwise!",
+                    location: url.location
        end
      end
    end