From d0ad96a9b343e4a3c121c7291419e78356a5ee49 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 14 Aug 2025 03:31:30 +0000 Subject: [PATCH 1/2] Fix audit_signing to check quarantine availability and attributes Co-authored-by: bevanjkay <40621599+bevanjkay@users.noreply.github.com> --- Library/Homebrew/cask/audit.rb | 13 ++++++++++++ Library/Homebrew/test/cask/audit_spec.rb | 26 ++++++++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/Library/Homebrew/cask/audit.rb b/Library/Homebrew/cask/audit.rb index e27a04ca0f..2b46582f1a 100644 --- a/Library/Homebrew/cask/audit.rb +++ b/Library/Homebrew/cask/audit.rb @@ -4,6 +4,7 @@ require "cask/denylist" require "cask/download" require "cask/installer" +require "cask/quarantine" require "digest" require "livecheck/livecheck" require "source_location" @@ -501,6 +502,12 @@ module Cask return if !cask.tap.official? && !signing? return if cask.deprecated? && cask.deprecation_reason != :unsigned + # Check if quarantine support is available + unless Quarantine.available? + odebug "Quarantine support is not available, skipping signing audit" + return + end + odebug "Auditing signing" is_in_skiplist = cask.tap&.audit_exception(:signing_audit_skiplist, cask.token) @@ -515,6 +522,12 @@ module Cask path = tmpdir/artifact_path.relative_path_from(cask.staged_path) + # Check if the artifact has quarantine attributes + unless Quarantine.detect(path) + odebug "#{path} does not have quarantine attributes, skipping signing audit" + next false + end + result = case artifact when Artifact::Pkg system_command("spctl", args: ["--assess", "--type", "install", path], print_stderr: false) diff --git a/Library/Homebrew/test/cask/audit_spec.rb b/Library/Homebrew/test/cask/audit_spec.rb index 04f52dc4de..7ee1cf489c 100644 --- a/Library/Homebrew/test/cask/audit_spec.rb +++ b/Library/Homebrew/test/cask/audit_spec.rb 
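Review bot: The early `return` under `unless Quarantine.available?` in `audit.rb` makes the signing audit fail open: on a host without quarantine support the audit ends with no error, and the only trace is an `odebug` line that is hidden unless debug output is enabled. In CI output a skipped signature check then reads the same as a passed one. Consider surfacing the skip, for example `opoo "Quarantine support is not available, skipping signing audit"`, or recording it as a non-fatal audit warning. The same visibility concern applies to the `Quarantine.detect(path)` skip in the next hunk of this file. The method body starts and ends outside the hunk.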
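Review bot: With `unless Quarantine.detect(path)` followed by `next false`, whether the `spctl` assessment runs now depends on an extended attribute on the extracted file rather than on anything about its signature, so an artifact that reaches `tmpdir` without the quarantine attribute is never assessed. The hunk does not show whether the audit's download and extraction step applies or propagates quarantine; if it does not, this guard presumably turns the signing audit into a no-op, which is worth confirming before merge. The spec changes in this patch only stub `Cask::Quarantine.available?`, so this branch is untested. A context that stubs `Cask::Quarantine.detect` to return `false`, and one that returns `true` with a failing assessment, would pin the intended behaviour. The enclosing block starts and ends outside the hunk, so what `false` means to its iterator is not visible here.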
@@ -453,6 +453,7 @@ RSpec.describe Cask::Audit, :cask do describe "signing checks" do let(:only) { ["signing"] } + let(:tap) { CoreCaskTap.instance } let(:download_double) { instance_double(Cask::Download) } let(:unpack_double) { instance_double(UnpackStrategy::Zip) } @@ -495,6 +496,31 @@ RSpec.describe Cask::Audit, :cask do expect(run).not_to error_with(/Audit\.app/) end end + + context "when quarantine support is not available" do + let(:cask) do + tmp_cask "signing-cask-test", <<~RUBY + cask 'signing-cask-test' do + version '1.0' + url "https://brew.sh/" + app 'Audit.app' + end + RUBY + end + + before do + allow(cask).to receive(:tap).and_return(tap) + + allow(Cask::Quarantine).to receive(:available?).and_return(false) + end + + it "skips signing audit with warning" do + allow(cask).to receive(:tap).and_return(tap) + + expect(audit).to receive(:odebug).with("Quarantine support is not available, skipping signing audit") + expect(run).not_to error_with(/Signature verification failed/) + end + end end describe "livecheck should be skipped", :no_api do From 51565f97ae106ed12863ec4de61cb353b1772492 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 14 Aug 2025 09:30:23 +0000 Subject: [PATCH 2/2] Remove unnecessary comments that duplicate debug messages Co-authored-by: MikeMcQuaid <125011+MikeMcQuaid@users.noreply.github.com> --- Library/Homebrew/cask/audit.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/Library/Homebrew/cask/audit.rb b/Library/Homebrew/cask/audit.rb index 2b46582f1a..3d8feb3c54 100644 --- a/Library/Homebrew/cask/audit.rb +++ b/Library/Homebrew/cask/audit.rb @@ -502,7 +502,6 @@ module Cask return if !cask.tap.official? && !signing? return if cask.deprecated? && cask.deprecation_reason != :unsigned - # Check if quarantine support is available unless Quarantine.available? odebug "Quarantine support is not available, skipping signing audit" return 
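Review bot: The example title `skips signing audit with warning` in the new "when quarantine support is not available" context does not match what it asserts, since the expectation is on `odebug`; a title such as `it "skips the signing audit and logs a debug message" do` would describe it accurately. `allow(cask).to receive(:tap).and_return(tap)` is set in the `before` block and again inside the example, so one of the two can be dropped. `expect(run).not_to error_with(/Signature verification failed/)` would also pass if the signing audit were skipped for an unrelated reason, so the `odebug` expectation is the only assertion that actually pins this branch. A short comment saying so would keep a later cleanup from removing it.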
@@ -522,7 +521,6 @@ module Cask path = tmpdir/artifact_path.relative_path_from(cask.staged_path) - # Check if the artifact has quarantine attributes unless Quarantine.detect(path) odebug "#{path} does not have quarantine attributes, skipping signing audit" next false