From 97b168346659672f1b63725ed13d95c483a3b50d Mon Sep 17 00:00:00 2001 From: Bevan Kay Date: Wed, 13 Aug 2025 00:13:57 +1000 Subject: [PATCH] cask: replace `unsigned` deprecation reason with `fails_gatekeeper_check` --- Library/Homebrew/cask/audit.rb | 8 ++--- Library/Homebrew/deprecate_disable.rb | 2 ++ Library/Homebrew/livecheck/skip_conditions.rb | 2 +- Library/Homebrew/tap.rb | 2 +- .../test/livecheck/skip_conditions_spec.rb | 29 ++++++++++--------- ...eprecating-Disabling-and-Removing-Casks.md | 7 +++-- 6 files changed, 27 insertions(+), 23 deletions(-) diff --git a/Library/Homebrew/cask/audit.rb b/Library/Homebrew/cask/audit.rb index 15ce7db195..7d076d3d83 100644 --- a/Library/Homebrew/cask/audit.rb +++ b/Library/Homebrew/cask/audit.rb @@ -500,7 +500,7 @@ module Cask return if url.nil? return if !cask.tap.official? && !signing? - return if cask.deprecated? && cask.deprecation_reason != :unsigned + return if cask.deprecated? && cask.deprecation_reason != :fails_gatekeeper_check unless Quarantine.available? odebug "Quarantine support is not available, skipping signing audit" @@ -544,7 +544,7 @@ module Cask end next false if result.success? - next true if cask.deprecated? && cask.deprecation_reason == :unsigned + next true if cask.deprecated? && cask.deprecation_reason == :fails_gatekeeper_check next true if is_in_skiplist add_error <<~EOS, location: url.location @@ -562,10 +562,10 @@ module Cask add_error "Cask is in the signing audit skiplist, but does not need to be skipped!" if is_in_skiplist return unless cask.deprecated? - return if cask.deprecation_reason != :unsigned + return if cask.deprecation_reason != :fails_gatekeeper_check add_error <<~EOS - Cask is deprecated as unsigned but all artifacts are signed! + Cask is deprecated because it failed Gatekeeper checks but all artifacts now pass! Remove the deprecate/disable stanza or update the deprecate/disable reason. EOS end diff --git a/Library/Homebrew/deprecate_disable.rb b/Library/Homebrew/deprecate_disable.rb index c09e95f30c..6ad32f21ab 100644 --- a/Library/Homebrew/deprecate_disable.rb +++ b/Library/Homebrew/deprecate_disable.rb @@ -27,6 +27,8 @@ module DeprecateDisable no_longer_available: "is no longer available upstream", no_longer_meets_criteria: "no longer meets the criteria for acceptable casks", unmaintained: "is not maintained upstream", + fails_gatekeeper_check: "does not pass macOS Gatekeeper check", + # odeprecate: remove the unsigned reason in a future release unsigned: "is unsigned or does not meet signature requirements", }.freeze, T::Hash[Symbol, String]) diff --git a/Library/Homebrew/livecheck/skip_conditions.rb b/Library/Homebrew/livecheck/skip_conditions.rb index a8212b3a08..9ead3ef057 100644 --- a/Library/Homebrew/livecheck/skip_conditions.rb +++ b/Library/Homebrew/livecheck/skip_conditions.rb @@ -120,7 +120,7 @@ module Homebrew } private_class_method def self.cask_deprecated(cask, livecheck_defined, full_name: false, verbose: false) return {} if !cask.deprecated? || livecheck_defined - return {} if cask.disable_date && cask.deprecation_reason == :unsigned + return {} if cask.disable_date && cask.deprecation_reason == :fails_gatekeeper_check Livecheck.status_hash(cask, "deprecated", full_name:, verbose:) end diff --git a/Library/Homebrew/tap.rb b/Library/Homebrew/tap.rb index 49b634ff66..76f40d5bbc 100644 --- a/Library/Homebrew/tap.rb +++ b/Library/Homebrew/tap.rb @@ -1038,7 +1038,7 @@ class Tap @autobump ||= T.let(autobump_packages.select do |_, p| next if p["disabled"] - next if p["deprecated"] && p["deprecation_reason"] != "unsigned" + next if p["deprecated"] && p["deprecation_reason"] != "fails_gatekeeper_check" next if p["skip_livecheck"] p["autobump"] == true diff --git a/Library/Homebrew/test/livecheck/skip_conditions_spec.rb b/Library/Homebrew/test/livecheck/skip_conditions_spec.rb index eeb755d1cb..203ea9752f 100644 --- a/Library/Homebrew/test/livecheck/skip_conditions_spec.rb +++ b/Library/Homebrew/test/livecheck/skip_conditions_spec.rb @@ -79,7 +79,7 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do let(:casks) do { - basic: Cask::Cask.new("test") do + basic: Cask::Cask.new("test") do version "0.0.1,2" url "https://brew.sh/test-#{version.csv.first}.tgz" @@ -92,7 +92,7 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do regex(/"stable":"(\d+(?:\.\d+)+)"/i) end end, - deprecated: Cask::Cask.new("test_deprecated") do + deprecated: Cask::Cask.new("test_deprecated") do version "0.0.1" sha256 :no_check @@ -103,7 +103,7 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do deprecate! date: "2020-06-25", because: :discontinued end, - disabled: Cask::Cask.new("test_disabled") do + disabled: Cask::Cask.new("test_disabled") do version "0.0.1" sha256 :no_check @@ -114,17 +114,17 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do disable! date: "2020-06-25", because: :discontinued end, - future_disable_unsigned: Cask::Cask.new("test_future_disable_unsigned") do + future_disable_fails_gatekeeper_check: Cask::Cask.new("test_future_disable_fails_gatekeeper_check") do version "0.0.1" url "https://brew.sh/test-#{version}.tgz" - name "Test Future Disabled Unsigned" - desc "Future Disable Unsigned test cask" + name "Test Future Disabled Fails Gatekeeper Check" + desc "Future Disable Fails Gatekeeper Check test cask" homepage "https://brew.sh" - disable! date: "3000-06-25", because: :unsigned + disable! date: "3000-06-25", because: :fails_gatekeeper_check end, - extract_plist: Cask::Cask.new("test_extract_plist_skip") do + extract_plist: Cask::Cask.new("test_extract_plist_skip") do version "0.0.1" url "https://brew.sh/test-#{version}.tgz" @@ -136,7 +136,7 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do strategy :extract_plist end end, - latest: Cask::Cask.new("test_latest") do + latest: Cask::Cask.new("test_latest") do version :latest sha256 :no_check @@ -145,7 +145,7 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do desc "Latest test cask" homepage "https://brew.sh" end, - unversioned: Cask::Cask.new("test_unversioned") do + unversioned: Cask::Cask.new("test_unversioned") do version "1.2.3" sha256 :no_check @@ -154,7 +154,7 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do desc "Unversioned test cask" homepage "https://brew.sh" end, - skip: Cask::Cask.new("test_skip") do + skip: Cask::Cask.new("test_skip") do version "0.0.1" url "https://brew.sh/test-#{version}.tgz" @@ -166,7 +166,7 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do skip end end, - skip_with_message: Cask::Cask.new("test_skip_with_message") do + skip_with_message: Cask::Cask.new("test_skip_with_message") do version "0.0.1" url "https://brew.sh/test-#{version}.tgz" @@ -384,9 +384,10 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do end end - context "when a cask without a `livecheck` block is deprecated with a future disable date because `:unsigned`" do + context "when a cask without a `livecheck` block is deprecated" \ + "with a future disable date because `:fails_gatekeeper_check`" do it "does not skip" do - expect(skip_conditions.skip_information(casks[:future_disable_unsigned])).to eq({}) + expect(skip_conditions.skip_information(casks[:future_disable_fails_gatekeeper_check])).to eq({}) end end diff --git a/docs/Deprecating-Disabling-and-Removing-Casks.md b/docs/Deprecating-Disabling-and-Removing-Casks.md index 90b03ebc37..b0b5a32b5f 100644 --- a/docs/Deprecating-Disabling-and-Removing-Casks.md +++ b/docs/Deprecating-Disabling-and-Removing-Casks.md @@ -20,11 +20,12 @@ If a user attempts to install a deprecated cask, they will be shown a warning me A cask should be deprecated to indicate to users that the cask should not be used and will be disabled in the future. Deprecated casks should continue to be maintained by the Homebrew maintainers if they continue to be installable. If this is not possible, they should be immediately disabled. -The most common reasons for deprecation are when the upstream project is unsigned, deprecated, unmaintained or archived. +The most common reasons for deprecation are when the upstream project is deprecated, unmaintained or archived, +or the software does not pass macOS Gatekeeper checks. Casks should only be deprecated if at least one of the following are true: -- the software installed by the cask is unsigned or does not meet signature requirements for supported OS versions +- the software installed by the cask fails macOS Gatekeeper checks for supported OS versions - the software installed by the cask cannot be run on any supported OS versions - the software installed by the cask has outstanding CVEs - the software installed by the cask has been discontinued or abandoned upstream @@ -96,7 +97,7 @@ There are two ways to indicate the reason. The preferred way is to use a pre-exi - `:no_longer_available`: the cask is no longer available upstream - `:no_longer_meets_criteria`: the cask no longer meets the criteria for acceptable casks - `:unmaintained`: the cask is not maintained upstream -- `:unsigned`: the cask is unsigned or does not meet signature requirements +- `:fails_gatekeeper_check`: the cask fails macOS Gatekeeper checks These reasons can be specified by their symbols (the comments show the message that will be displayed to users):