audit.rb: Check for signature with sptcl
This commit is contained in:
Vítor Galvão
Vítor Galvão
parent
688b732ea0
commit
654859c25f
@ -474,58 +474,24 @@ module Cask
|
|||||||
primary_container.extract_nestedly(to: tmpdir, basename: downloaded_path.basename, verbose: false)
|
primary_container.extract_nestedly(to: tmpdir, basename: downloaded_path.basename, verbose: false)
|
||||||
|
|
||||||
artifacts.each do |artifact|
|
artifacts.each do |artifact|
|
||||||
case artifact
|
artifact_path = artifact.is_a?(Artifact::Pkg) ? artifact.path : artifact.source
|
||||||
when Artifact::Moved
|
path = tmpdir/artifact_path.relative_path_from(cask.staged_path)
|
||||||
path = tmpdir/artifact.source.relative_path_from(cask.staged_path)
|
|
||||||
next unless path.exist?
|
next unless path.exist?
|
||||||
|
|
||||||
result = system_command("codesign", args: ["--verify", path], print_stderr: false)
|
result = system_command("spctl", args: ["--assess", "--type", "install", path], print_stderr: false)
|
||||||
|
|
||||||
next if result.success?
|
next if result.success?
|
||||||
|
|
||||||
message = <<~EOS
|
|
||||||
Signature verification failed:
|
|
||||||
#{result.merged_output}
|
|
||||||
macOS on ARM requires applications to be signed.
|
|
||||||
Please contact the upstream developer to let them know they should
|
|
||||||
EOS
|
|
||||||
|
|
||||||
message = if result.stderr.include?("not signed at all")
|
|
||||||
"#{message} sign their app."
|
|
||||||
else
|
|
||||||
"#{message} fix the signature of their app."
|
|
||||||
end
|
|
||||||
|
|
||||||
add_error(message, strict_only: true)
|
|
||||||
when Artifact::Pkg
|
|
||||||
path = tmpdir/artifact.path.relative_path_from(cask.staged_path)
|
|
||||||
next unless path.exist?
|
|
||||||
|
|
||||||
result = system_command("pkgutil", args: ["--check-signature", path], print_stderr: false)
|
|
||||||
|
|
||||||
unless result.success?
|
|
||||||
add_error(<<~EOS, strict_only: true)
|
|
||||||
Signature verification failed:
|
|
||||||
#{result.merged_output}
|
|
||||||
macOS on ARM requires applications to be signed.
|
|
||||||
Please contact the upstream developer to let them know they should sign their package.
|
|
||||||
EOS
|
|
||||||
next
|
|
||||||
end
|
|
||||||
|
|
||||||
result = system_command("stapler", args: ["validate", path], print_stderr: false)
|
|
||||||
next if result.success?
|
|
||||||
|
|
||||||
add_error(<<~EOS, strict_only: true)
|
add_error(<<~EOS, strict_only: true)
|
||||||
Signature verification failed:
|
Signature verification failed:
|
||||||
#{result.merged_output}
|
#{result.merged_output}
|
||||||
macOS on ARM requires applications to be signed.
|
macOS on ARM requires software to be signed.
|
||||||
Please contact the upstream developer to let them know they should notarize their package.
|
Please contact the upstream developer to let them know they should sign and notarize their software.
|
||||||
EOS
|
EOS
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
|
||||||
sig { returns(T.any(NilClass, T::Boolean, Symbol)) }
|
sig { returns(T.any(NilClass, T::Boolean, Symbol)) }
|
||||||
def audit_livecheck_version
|
def audit_livecheck_version
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user