admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity

Merge pull request #20455 from Homebrew/copilot/fix-20454

Browse Source 
Fix audit_signing to skip when quarantine attribute is missing
This commit is contained in:
Mike McQuaid 2025-08-14 09:45:36 +00:00 committed by GitHub
commit 7634fe375e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
Library/Homebrew/cask/audit.rb
View File

@ -4,6 +4,7 @@
require "cask/denylist" require "cask/denylist"
require "cask/download" require "cask/download"
require "cask/installer" require "cask/installer"
require "cask/quarantine"
require "digest" require "digest"
require "livecheck/livecheck" require "livecheck/livecheck"
require "source_location" require "source_location"
@ -501,6 +502,11 @@ module Cask
return if !cask.tap.official? && !signing? return if !cask.tap.official? && !signing?
return if cask.deprecated? && cask.deprecation_reason != :unsigned return if cask.deprecated? && cask.deprecation_reason != :unsigned
unless Quarantine.available?
odebug "Quarantine support is not available, skipping signing audit"
return
end
odebug "Auditing signing" odebug "Auditing signing"
is_in_skiplist = cask.tap&.audit_exception(:signing_audit_skiplist, cask.token) is_in_skiplist = cask.tap&.audit_exception(:signing_audit_skiplist, cask.token)
@ -515,6 +521,11 @@ module Cask
path = tmpdir/artifact_path.relative_path_from(cask.staged_path) path = tmpdir/artifact_path.relative_path_from(cask.staged_path)
unless Quarantine.detect(path)
odebug "#{path} does not have quarantine attributes, skipping signing audit"
next false
end
result = case artifact result = case artifact
when Artifact::Pkg when Artifact::Pkg
system_command("spctl", args: ["--assess", "--type", "install", path], print_stderr: false) system_command("spctl", args: ["--assess", "--type", "install", path], print_stderr: false)

26
Library/Homebrew/test/cask/audit_spec.rb
View File

@ -453,6 +453,7 @@ RSpec.describe Cask::Audit, :cask do
describe "signing checks" do describe "signing checks" do
let(:only) { ["signing"] } let(:only) { ["signing"] }
let(:tap) { CoreCaskTap.instance }
let(:download_double) { instance_double(Cask::Download) } let(:download_double) { instance_double(Cask::Download) }
let(:unpack_double) { instance_double(UnpackStrategy::Zip) } let(:unpack_double) { instance_double(UnpackStrategy::Zip) }
@ -495,6 +496,31 @@ RSpec.describe Cask::Audit, :cask do
expect(run).not_to error_with(/Audit\.app/) expect(run).not_to error_with(/Audit\.app/)
end end
end end
context "when quarantine support is not available" do
let(:cask) do
tmp_cask "signing-cask-test", <<~RUBY
cask 'signing-cask-test' do
version '1.0'
url "https://brew.sh/"
app 'Audit.app'
end
RUBY
end
before do
allow(cask).to receive(:tap).and_return(tap)
allow(Cask::Quarantine).to receive(:available?).and_return(false)
end
it "skips signing audit with warning" do
allow(cask).to receive(:tap).and_return(tap)
expect(audit).to receive(:odebug).with("Quarantine support is not available, skipping signing audit")
expect(run).not_to error_with(/Signature verification failed/)
end
end
end end
describe "livecheck should be skipped", :no_api do describe "livecheck should be skipped", :no_api do