cask: replace unsigned deprecation reason with fails_gatekeeper_check

Bevan Kay 2025-08-13 00:13:57 +10:00
parent 24057cc9a5
commit 97b1683466
No known key found for this signature in database
GPG Key ID: C55CB024B5314B57
6 changed files with 27 additions and 23 deletions


@ -500,7 +500,7 @@ module Cask
return if url.nil?
return if !cask.tap.official? && !signing?
return if cask.deprecated? && cask.deprecation_reason != :unsigned
return if cask.deprecated? && cask.deprecation_reason != :fails_gatekeeper_check
unless Quarantine.available?
odebug "Quarantine support is not available, skipping signing audit"
@ -544,7 +544,7 @@ module Cask
end
next false if result.success?
next true if cask.deprecated? && cask.deprecation_reason == :unsigned
next true if cask.deprecated? && cask.deprecation_reason == :fails_gatekeeper_check
next true if is_in_skiplist
add_error <<~EOS, location: url.location
@ -562,10 +562,10 @@ module Cask
add_error "Cask is in the signing audit skiplist, but does not need to be skipped!" if is_in_skiplist
return unless cask.deprecated?
return if cask.deprecation_reason != :unsigned
return if cask.deprecation_reason != :fails_gatekeeper_check
add_error <<~EOS
Cask is deprecated as unsigned but all artifacts are signed!
Cask is deprecated because it failed Gatekeeper checks but all artifacts now pass!
Remove the deprecate/disable stanza or update the deprecate/disable reason.
EOS
end
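Review bot: Casks that still carry the legacy `:unsigned` reason are no longer matched by any of the three comparisons in this section, even though the same commit keeps `unsigned` as an accepted reason in `DeprecateDisable`. With the first guard now reading `cask.deprecation_reason != :fails_gatekeeper_check`, such a deprecated cask returns early and skips the signing audit entirely, and the closing "all artifacts now pass" error can no longer fire for it. Until the old reason is removed, accept both, e.g. `return if cask.deprecated? && !%i[unsigned fails_gatekeeper_check].include?(cask.deprecation_reason)`. The same single-reason comparison appears in `cask_deprecated` in the livecheck skip conditions and in the `Tap` autobump filter (there as the string `"fails_gatekeeper_check"`). Whether every existing cask was migrated alongside this commit is not visible here, and third-party taps presumably were not; the enclosing methods start and end outside these hunks.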


@ -27,6 +27,8 @@ module DeprecateDisable
no_longer_available: "is no longer available upstream",
no_longer_meets_criteria: "no longer meets the criteria for acceptable casks",
unmaintained: "is not maintained upstream",
fails_gatekeeper_check: "does not pass macOS Gatekeeper check",
# odeprecate: remove the unsigned reason in a future release
unsigned: "is unsigned or does not meet signature requirements",
}.freeze, T::Hash[Symbol, String])


@ -120,7 +120,7 @@ module Homebrew
}
private_class_method def self.cask_deprecated(cask, livecheck_defined, full_name: false, verbose: false)
return {} if !cask.deprecated? || livecheck_defined
return {} if cask.disable_date && cask.deprecation_reason == :unsigned
return {} if cask.disable_date && cask.deprecation_reason == :fails_gatekeeper_check
Livecheck.status_hash(cask, "deprecated", full_name:, verbose:)
end


@ -1038,7 +1038,7 @@ class Tap
@autobump ||= T.let(autobump_packages.select do |_, p|
next if p["disabled"]
next if p["deprecated"] && p["deprecation_reason"] != "unsigned"
next if p["deprecated"] && p["deprecation_reason"] != "fails_gatekeeper_check"
next if p["skip_livecheck"]
p["autobump"] == true


@ -79,7 +79,7 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do
let(:casks) do
{
basic: Cask::Cask.new("test") do
basic: Cask::Cask.new("test") do
version "0.0.1,2"
url "https://brew.sh/test-#{version.csv.first}.tgz"
@ -92,7 +92,7 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do
regex(/"stable":"(\d+(?:\.\d+)+)"/i)
end
end,
deprecated: Cask::Cask.new("test_deprecated") do
deprecated: Cask::Cask.new("test_deprecated") do
version "0.0.1"
sha256 :no_check
@ -103,7 +103,7 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do
deprecate! date: "2020-06-25", because: :discontinued
end,
disabled: Cask::Cask.new("test_disabled") do
disabled: Cask::Cask.new("test_disabled") do
version "0.0.1"
sha256 :no_check
@ -114,17 +114,17 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do
disable! date: "2020-06-25", because: :discontinued
end,
future_disable_unsigned: Cask::Cask.new("test_future_disable_unsigned") do
future_disable_fails_gatekeeper_check: Cask::Cask.new("test_future_disable_fails_gatekeeper_check") do
version "0.0.1"
url "https://brew.sh/test-#{version}.tgz"
name "Test Future Disabled Unsigned"
desc "Future Disable Unsigned test cask"
name "Test Future Disabled Fails Gatekeeper Check"
desc "Future Disable Fails Gatekeeper Check test cask"
homepage "https://brew.sh"
disable! date: "3000-06-25", because: :unsigned
disable! date: "3000-06-25", because: :fails_gatekeeper_check
end,
extract_plist: Cask::Cask.new("test_extract_plist_skip") do
extract_plist: Cask::Cask.new("test_extract_plist_skip") do
version "0.0.1"
url "https://brew.sh/test-#{version}.tgz"
@ -136,7 +136,7 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do
strategy :extract_plist
end
end,
latest: Cask::Cask.new("test_latest") do
latest: Cask::Cask.new("test_latest") do
version :latest
sha256 :no_check
@ -145,7 +145,7 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do
desc "Latest test cask"
homepage "https://brew.sh"
end,
unversioned: Cask::Cask.new("test_unversioned") do
unversioned: Cask::Cask.new("test_unversioned") do
version "1.2.3"
sha256 :no_check
@ -154,7 +154,7 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do
desc "Unversioned test cask"
homepage "https://brew.sh"
end,
skip: Cask::Cask.new("test_skip") do
skip: Cask::Cask.new("test_skip") do
version "0.0.1"
url "https://brew.sh/test-#{version}.tgz"
@ -166,7 +166,7 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do
skip
end
end,
skip_with_message: Cask::Cask.new("test_skip_with_message") do
skip_with_message: Cask::Cask.new("test_skip_with_message") do
version "0.0.1"
url "https://brew.sh/test-#{version}.tgz"
@ -384,9 +384,10 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do
end
end
context "when a cask without a `livecheck` block is deprecated with a future disable date because `:unsigned`" do
context "when a cask without a `livecheck` block is deprecated" \
"with a future disable date because `:fails_gatekeeper_check`" do
it "does not skip" do
expect(skip_conditions.skip_information(casks[:future_disable_unsigned])).to eq({})
expect(skip_conditions.skip_information(casks[:future_disable_fails_gatekeeper_check])).to eq({})
end
end
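Review bot: Renaming the `future_disable_unsigned` fixture to `future_disable_fails_gatekeeper_check` drops the only case in the visible hunks that exercised `because: :unsigned`, so nothing here pins how livecheck treats the legacy reason that `DeprecateDisable` still accepts. Keep the old fixture and its `context` alongside the new one until the reason is actually removed, so that the transition behaviour is a tested decision rather than a side effect. For example, retain `disable! date: "3000-06-25", because: :unsigned` in a second cask and assert the expected `skip_information` result for it. The `let(:casks)` hash and the describe block continue outside these hunks.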


@ -20,11 +20,12 @@ If a user attempts to install a deprecated cask, they will be shown a warning me
A cask should be deprecated to indicate to users that the cask should not be used and will be disabled in the future. Deprecated casks should continue to be maintained by the Homebrew maintainers if they continue to be installable. If this is not possible, they should be immediately disabled.
The most common reasons for deprecation are when the upstream project is unsigned, deprecated, unmaintained or archived.
The most common reasons for deprecation are when the upstream project is deprecated, unmaintained or archived,
or the software does not pass macOS Gatekeeper checks.
Casks should only be deprecated if at least one of the following are true:
- the software installed by the cask is unsigned or does not meet signature requirements for supported OS versions
- the software installed by the cask fails macOS Gatekeeper checks for supported OS versions
- the software installed by the cask cannot be run on any supported OS versions
- the software installed by the cask has outstanding CVEs
- the software installed by the cask has been discontinued or abandoned upstream
@ -96,7 +97,7 @@ There are two ways to indicate the reason. The preferred way is to use a pre-exi
- `:no_longer_available`: the cask is no longer available upstream
- `:no_longer_meets_criteria`: the cask no longer meets the criteria for acceptable casks
- `:unmaintained`: the cask is not maintained upstream
- `:unsigned`: the cask is unsigned or does not meet signature requirements
- `:fails_gatekeeper_check`: the cask fails macOS Gatekeeper checks
These reasons can be specified by their symbols (the comments show the message that will be displayed to users):