Merge pull request #14747 from SMillerDev/feat/cask/audit_pkg_signing

cask: audit for correct signing of pkg installers
2023-02-22 13:33:10 +01:00 · 2023-02-22 13:33:10 +01:00 · 6d3b38c93a
commit 6d3b38c93a
parent 688d473a59 4dcf5f0ad7
1 changed files with 37 additions and 19 deletions
--- a/Library/Homebrew/cask/audit.rb
+++ b/Library/Homebrew/cask/audit.rb
@ -491,29 +491,47 @@ module Cask
      Dir.mktmpdir do |tmpdir|
        tmpdir = Pathname(tmpdir)
        primary_container.extract_nestedly(to: tmpdir, basename: downloaded_path.basename, verbose: false)
+
+        message = <<~EOS
+          Signature verification failed:
+          #{result.merged_output}
+          macOS on ARM requires applications to be signed.
+          Please contact the upstream developer to let them know they should
+        EOS
+
        artifacts.each do |artifact|
-          path = case artifact
+          case artifact
          when Artifact::Moved
-            tmpdir/artifact.source.basename
+            path = tmpdir/artifact.source.basename
+            next unless path.exist?
+
+            result = system_command("codesign", args: ["--verify", path], print_stderr: false)
+
+            next if result.success?
+
+            message = if result.stderr.include?("not signed at all")
+              "#{message} sign their app."
+            else
+              "#{message} fix the signature of their app."
+            end
+
+            add_warning message
          when Artifact::Pkg
-            artifact.path
+            path = artifact.path
+            next unless path.exist?
+
+            result = system_command("pkgutil", args: ["--check-signature", path], print_stderr: false)
+            if result.failure?
+              add_warning "#{message} sign their package."
+              next
+            end
+
+            result = system_command("stapler", args: ["validate", path], print_stderr: false)
+            if result.failure?
+              add_warning "#{message} notarize their package."
+              next
+            end
          end
-          next unless path.exist?
-
-          result = system_command("codesign", args: ["--verify", path], print_stderr: false)
-
-          next if result.success?
-
-          message = "Signature verification failed:\n#{result.merged_output}\nmacOS on ARM requires applications " \
-                    "to be signed. Please contact the upstream developer to let them know they should "
-
-          message += if result.stderr.include?("not signed at all")
-            "sign their app."
-          else
-            "fix the signature of their app."
-          end
-
-          add_warning message
        end
      end
    end