cask/audit: iterate over artifacts in rosetta/signing audit

This commit is contained in:
Bevan Kay 2025-08-11 12:37:44 +10:00
parent dbe68ef80c
commit 34f659cb64
No known key found for this signature in database
GPG Key ID: C55CB024B5314B57


@ -505,8 +505,8 @@ module Cask
extract_artifacts do |artifacts, tmpdir| extract_artifacts do |artifacts, tmpdir|
is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) } is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) }
artifacts.each do |artifact| any_signing_failure = artifacts.any? do |artifact|
next if artifact.is_a?(Artifact::Binary) && is_container == true next false if artifact.is_a?(Artifact::Binary) && is_container == true
artifact_path = artifact.is_a?(Artifact::Pkg) ? artifact.path : artifact.source artifact_path = artifact.is_a?(Artifact::Pkg) ? artifact.path : artifact.source
@ -521,7 +521,7 @@ module Cask
system_command("gktool", args: ["scan", path], print_stderr: false) system_command("gktool", args: ["scan", path], print_stderr: false)
when Artifact::Binary when Artifact::Binary
# Shell scripts cannot be signed, so we skip them # Shell scripts cannot be signed, so we skip them
next if path.text_executable? next false if path.text_executable?
system_command("codesign", args: ["--verify", "-R=notarized", "--check-notarization", path], system_command("codesign", args: ["--verify", "-R=notarized", "--check-notarization", path],
print_stderr: false) print_stderr: false)
@ -529,13 +529,8 @@ module Cask
add_error "Unknown artifact type: #{artifact.class}", location: url.location add_error "Unknown artifact type: #{artifact.class}", location: url.location
end end
if result.success? && cask.deprecated? && cask.deprecation_reason == :unsigned next false if result.success?
add_error "Cask is deprecated as unsigned but artifacts are signed!" next true if cask.deprecated? && cask.deprecation_reason == :unsigned
end
next if cask.deprecated? && cask.deprecation_reason == :unsigned
next if result.success?
add_error <<~EOS, location: url.location add_error <<~EOS, location: url.location
Signature verification failed: Signature verification failed:
@ -543,6 +538,15 @@ module Cask
macOS on ARM requires software to be signed. macOS on ARM requires software to be signed.
Please contact the upstream developer to let them know they should sign and notarize their software. Please contact the upstream developer to let them know they should sign and notarize their software.
EOS EOS
true
end
if cask.deprecated? && cask.deprecation_reason == :unsigned && !any_signing_failure
add_error <<~EOS
Cask is deprecated as unsigned but all artifacts are signed!
Remove the deprecate/disable stanza or update the deprecate/disable reason.
EOS
end end
end end
end end
@ -640,9 +644,12 @@ module Cask
extract_artifacts do |artifacts, tmpdir| extract_artifacts do |artifacts, tmpdir|
is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) } is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) }
artifacts.each do |artifact| mentions_rosetta = cask.caveats.include?("requires Rosetta 2")
next if !artifact.is_a?(Artifact::App) && !artifact.is_a?(Artifact::Binary) requires_intel = cask.depends_on.arch&.any? { |arch| arch[:type] == :intel }
next if artifact.is_a?(Artifact::Binary) && is_container
any_requires_rosetta = artifacts.any? do |artifact|
next false if !artifact.is_a?(Artifact::App) && !artifact.is_a?(Artifact::Binary)
next false if artifact.is_a?(Artifact::Binary) && is_container
path = tmpdir/artifact.source.relative_path_from(cask.staged_path) path = tmpdir/artifact.source.relative_path_from(cask.staged_path)
@ -665,7 +672,7 @@ module Cask
end end
# binary stanza can contain shell scripts, so we just continue if lipo fails. # binary stanza can contain shell scripts, so we just continue if lipo fails.
next unless result.success? next false unless result.success?
odebug "Architectures: #{result.merged_output}" odebug "Architectures: #{result.merged_output}"
@ -675,17 +682,17 @@ module Cask
next next
end end
supports_arm = result.merged_output.include?("arm64") next true if result.merged_output.exclude?("arm64") && result.merged_output.include?("x86_64")
mentions_rosetta = cask.caveats.include?("requires Rosetta 2") end
requires_intel = cask.depends_on.arch&.any? { |arch| arch[:type] == :intel }
if supports_arm && mentions_rosetta if any_requires_rosetta
add_error "Artifacts do not require Rosetta 2 but the caveats say otherwise!", if !mentions_rosetta && !requires_intel
location: url.location add_error "At least one artifact requires Rosetta 2 but this is not indicated by the caveats!",
elsif !supports_arm && !mentions_rosetta && !requires_intel
add_error "Artifacts require Rosetta 2 but this is not indicated by the caveats!",
location: url.location location: url.location
end end
elsif mentions_rosetta
add_error "No artifacts require Rosetta 2 but the caveats say otherwise!",
location: url.location
end end
end end
end end
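Review bot: `any_signing_failure = artifacts.any? do |artifact|` in the signing audit short-circuits on the first block that returns true, so once one artifact fails verification the remaining artifacts are never run through the `codesign`/`gktool` checks and only the first failure is reported, whereas the replaced `artifacts.each` reported every failing artifact. Evaluate every artifact before reducing, e.g. `signing_failures = artifacts.map do |artifact|` … `end` followed by `any_signing_failure = signing_failures.any?`, so the audit output stays complete; the new `Cask is deprecated as unsigned but all artifacts are signed!` error would also read more consistently with its neighbours if it passed `location: url.location`. The rosetta `artifacts.any?` block has the same early exit; in the visible lines it only yields a boolean and `odebug` output, so the cost there looks limited to losing the per-artifact architecture debug lines, but the lines between the hunks are not shown here. Both blocks sit inside `extract_artifacts` callbacks whose enclosing audit methods begin before the first hunk.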