From c5786ea79953ec277ad2f59909dc059feda42024 Mon Sep 17 00:00:00 2001
From: Sean Molenaar
Date: Tue, 21 Feb 2023 16:48:19 +0100
Subject: [PATCH 1/2] cask: audit for correct signing of pkg installers
---
 Library/Homebrew/cask/audit.rb | 52 +++++++++++++++++++++-------------
 1 file changed, 33 insertions(+), 19 deletions(-)
diff --git a/Library/Homebrew/cask/audit.rb b/Library/Homebrew/cask/audit.rb
index 3b128a07a3..db58ee005a 100644
--- a/Library/Homebrew/cask/audit.rb
+++ b/Library/Homebrew/cask/audit.rb
@@ -491,29 +491,43 @@ module Cask
 Dir.mktmpdir do |tmpdir|
 tmpdir = Pathname(tmpdir)
 primary_container.extract_nestedly(to: tmpdir, basename: downloaded_path.basename, verbose: false)
+
+ message = "Signature verification failed:\n#{result.merged_output}\nmacOS on ARM requires applications " \
+ "to be signed. Please contact the upstream developer to let them know they should "
+
 artifacts.each do |artifact|
- path = case artifact
+ case artifact
 when Artifact::Moved
- tmpdir/artifact.source.basename
+ path = tmpdir/artifact.source.basename
+ next unless path.exist?
+
+ result = system_command("codesign", args: ["--verify", path], print_stderr: false)
+
+ next if result.success?
+
+ message += if result.stderr.include?("not signed at all")
+ "sign their app."
+ else
+ "fix the signature of their app."
+ end
+
+ add_warning message
 when Artifact::Pkg
- artifact.path
+ path = artifact.path
+ next unless path.exist?
+
+ result = system_command("pkgutil", args: ["--check-signature", path], print_stderr: false)
+ if result.failure?
+ add_warning "#{message} sign their package."
+ next
+ end
+
+ result = system_command("stapler", args: ["validate", path], print_stderr: false)
+ if result.failure?
+ add_warning "#{message} notarize their package."
+ next
+ end
 end
- next unless path.exist?
-
- result = system_command("codesign", args: ["--verify", path], print_stderr: false)
-
- next if result.success?
-
- message = "Signature verification failed:\n#{result.merged_output}\nmacOS on ARM requires applications " \
- "to be signed. Please contact the upstream developer to let them know they should "
-
- message += if result.stderr.include?("not signed at all")
- "sign their app."
- else
- "fix the signature of their app."
- end
-
- add_warning message
 end
 end
 end
From 4dcf5f0ad76fe328737d5530e9a52c69724615d3 Mon Sep 17 00:00:00 2001
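Review bot: `message` is built before `artifacts.each` and interpolates `result.merged_output`, but `result` is first assigned inside the `when` branches, so at that point it is not a local variable. Unless the class defines a `result` method, the audit would raise before any signature check runs, and in either case the text cannot contain the output of the command that later fails. The first hunk of the second patch rewrites the string as a heredoc and keeps the same interpolation. Build the text after the command has run, for example through a small lambda that takes the result and the advice, as sketched below; the enclosing method starts and ends outside the hunk.

```ruby
signing_failure = lambda do |result, advice|
  <<~EOS
    Signature verification failed:
    #{result.merged_output}
    macOS on ARM requires applications to be signed.
    Please contact the upstream developer to let them know they should #{advice}
  EOS
end

artifacts.each do |artifact|
  # … unchanged: case dispatch, path lookup, codesign / pkgutil / stapler calls …
  # after a failed command, in place of the shared `message`:
  add_warning signing_failure.call(result, "sign their package.")
end
```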
From: Sean Molenaar
Date: Tue, 21 Feb 2023 19:29:05 +0100
Subject: [PATCH 2/2] cask: audit style fixes
Co-authored-by: Mike McQuaid
---
 Library/Homebrew/cask/audit.rb | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/Library/Homebrew/cask/audit.rb b/Library/Homebrew/cask/audit.rb
index db58ee005a..4dc858078e 100644
--- a/Library/Homebrew/cask/audit.rb
+++ b/Library/Homebrew/cask/audit.rb
@@ -492,8 +492,12 @@ module Cask
 tmpdir = Pathname(tmpdir)
 primary_container.extract_nestedly(to: tmpdir, basename: downloaded_path.basename, verbose: false)
- message = "Signature verification failed:\n#{result.merged_output}\nmacOS on ARM requires applications " \
- "to be signed. Please contact the upstream developer to let them know they should "
+ message = <<~EOS
+ Signature verification failed:
+ #{result.merged_output}
+ macOS on ARM requires applications to be signed.
+ Please contact the upstream developer to let them know they should
+ EOS
 artifacts.each do |artifact|
 case artifact
@@ -505,10 +509,10 @@ module Cask
 next if result.success?
- message += if result.stderr.include?("not signed at all")
- "sign their app."
+ message = if result.stderr.include?("not signed at all")
+ "#{message} sign their app."
 else
- "fix the signature of their app."
+ "#{message} fix the signature of their app."
 end
 add_warning message
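Review bot: The `<<~EOS` heredoc ends with a newline, so every string that appends to `message` now prints its advice on a separate line with a leading space instead of finishing the sentence. This affects `"#{message} sign their app."` in the next hunk and the `"#{message} sign their package."` and `"#{message} notarize their package."` strings in the `Artifact::Pkg` branch. Writing `message = <<~EOS.chomp` keeps "they should" and the advice on one line. Only the start of the `Dir.mktmpdir` block is visible in this hunk.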
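Review bot: `message = if …` assigns the variable created outside the `artifacts.each` block, so the appended advice carries over to later iterations. Once one moved artifact fails `codesign --verify`, every later warning in the same run, including the package ones, begins with the earlier advice. Keeping the suffix local avoids this: `advice = result.stderr.include?("not signed at all") ? "sign their app." : "fix the signature of their app."` followed by `add_warning "#{message} #{advice}"`. The surrounding `case` and loop begin and end outside this hunk.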