cask: replace unsigned deprecation reason with fails_gatekeeper_check

Bevan Kay 2025-08-13 00:13:57 +10:00
parent 24057cc9a5
commit 97b1683466
No known key found for this signature in database
GPG Key ID: C55CB024B5314B57
6 changed files with 27 additions and 23 deletions


@ -500,7 +500,7 @@ module Cask
return if url.nil? return if url.nil?
return if !cask.tap.official? && !signing? return if !cask.tap.official? && !signing?
return if cask.deprecated? && cask.deprecation_reason != :unsigned return if cask.deprecated? && cask.deprecation_reason != :fails_gatekeeper_check
unless Quarantine.available? unless Quarantine.available?
odebug "Quarantine support is not available, skipping signing audit" odebug "Quarantine support is not available, skipping signing audit"
@ -544,7 +544,7 @@ module Cask
end end
next false if result.success? next false if result.success?
next true if cask.deprecated? && cask.deprecation_reason == :unsigned next true if cask.deprecated? && cask.deprecation_reason == :fails_gatekeeper_check
next true if is_in_skiplist next true if is_in_skiplist
add_error <<~EOS, location: url.location add_error <<~EOS, location: url.location
@ -562,10 +562,10 @@ module Cask
add_error "Cask is in the signing audit skiplist, but does not need to be skipped!" if is_in_skiplist add_error "Cask is in the signing audit skiplist, but does not need to be skipped!" if is_in_skiplist
return unless cask.deprecated? return unless cask.deprecated?
return if cask.deprecation_reason != :unsigned return if cask.deprecation_reason != :fails_gatekeeper_check
add_error <<~EOS add_error <<~EOS
Cask is deprecated as unsigned but all artifacts are signed! Cask is deprecated because it failed Gatekeeper checks but all artifacts now pass!
Remove the deprecate/disable stanza or update the deprecate/disable reason. Remove the deprecate/disable stanza or update the deprecate/disable reason.
EOS EOS
end end
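Review bot: A cask that still declares `because: :unsigned` now leaves the signing audit at the early return in the first hunk, because the guard only lets `:fails_gatekeeper_check` through while the reason table in this same commit keeps `:unsigned` as an accepted value. Such a cask never reaches the "deprecated because it failed Gatekeeper checks but all artifacts now pass" error, so a stale Gatekeeper deprecation can go unnoticed. The same single-reason comparison is repeated in the other two hunks of this file, in `cask_deprecated` in the livecheck skip conditions, and in the `Tap` autobump filter. Accepting both reasons during the transition would keep the previous behaviour, e.g. `return if cask.deprecated? && ![:fails_gatekeeper_check, :unsigned].include?(cask.deprecation_reason)`. Whether every existing cask is migrated in lockstep is not visible on this page, and the enclosing methods start and end outside the hunks.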


@ -27,6 +27,8 @@ module DeprecateDisable
no_longer_available: "is no longer available upstream", no_longer_available: "is no longer available upstream",
no_longer_meets_criteria: "no longer meets the criteria for acceptable casks", no_longer_meets_criteria: "no longer meets the criteria for acceptable casks",
unmaintained: "is not maintained upstream", unmaintained: "is not maintained upstream",
fails_gatekeeper_check: "does not pass macOS Gatekeeper check",
# odeprecate: remove the unsigned reason in a future release
unsigned: "is unsigned or does not meet signature requirements", unsigned: "is unsigned or does not meet signature requirements",
}.freeze, T::Hash[Symbol, String]) }.freeze, T::Hash[Symbol, String])
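Review bot: The `# odeprecate:` marker above the retained `:unsigned` entry does not say what replaces it, and the documentation change in this commit drops `:unsigned` from the list of reasons while the table still accepts it. I would spell the replacement out in the comment, `# odeprecate: remove :unsigned in a future release; superseded by :fails_gatekeeper_check`, so a maintainer reading the table knows which reason to migrate to. The hash literal starts outside this hunk.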


@ -120,7 +120,7 @@ module Homebrew
} }
private_class_method def self.cask_deprecated(cask, livecheck_defined, full_name: false, verbose: false) private_class_method def self.cask_deprecated(cask, livecheck_defined, full_name: false, verbose: false)
return {} if !cask.deprecated? || livecheck_defined return {} if !cask.deprecated? || livecheck_defined
return {} if cask.disable_date && cask.deprecation_reason == :unsigned return {} if cask.disable_date && cask.deprecation_reason == :fails_gatekeeper_check
Livecheck.status_hash(cask, "deprecated", full_name:, verbose:) Livecheck.status_hash(cask, "deprecated", full_name:, verbose:)
end end


@ -1038,7 +1038,7 @@ class Tap
@autobump ||= T.let(autobump_packages.select do |_, p| @autobump ||= T.let(autobump_packages.select do |_, p|
next if p["disabled"] next if p["disabled"]
next if p["deprecated"] && p["deprecation_reason"] != "unsigned" next if p["deprecated"] && p["deprecation_reason"] != "fails_gatekeeper_check"
next if p["skip_livecheck"] next if p["skip_livecheck"]
p["autobump"] == true p["autobump"] == true


@ -114,15 +114,15 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do
disable! date: "2020-06-25", because: :discontinued disable! date: "2020-06-25", because: :discontinued
end, end,
future_disable_unsigned: Cask::Cask.new("test_future_disable_unsigned") do future_disable_fails_gatekeeper_check: Cask::Cask.new("test_future_disable_fails_gatekeeper_check") do
version "0.0.1" version "0.0.1"
url "https://brew.sh/test-#{version}.tgz" url "https://brew.sh/test-#{version}.tgz"
name "Test Future Disabled Unsigned" name "Test Future Disabled Fails Gatekeeper Check"
desc "Future Disable Unsigned test cask" desc "Future Disable Fails Gatekeeper Check test cask"
homepage "https://brew.sh" homepage "https://brew.sh"
disable! date: "3000-06-25", because: :unsigned disable! date: "3000-06-25", because: :fails_gatekeeper_check
end, end,
extract_plist: Cask::Cask.new("test_extract_plist_skip") do extract_plist: Cask::Cask.new("test_extract_plist_skip") do
version "0.0.1" version "0.0.1"
@ -384,9 +384,10 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do
end end
end end
context "when a cask without a `livecheck` block is deprecated with a future disable date because `:unsigned`" do context "when a cask without a `livecheck` block is deprecated" \
"with a future disable date because `:fails_gatekeeper_check`" do
it "does not skip" do it "does not skip" do
expect(skip_conditions.skip_information(casks[:future_disable_unsigned])).to eq({}) expect(skip_conditions.skip_information(casks[:future_disable_fails_gatekeeper_check])).to eq({})
end end
end end


@ -20,11 +20,12 @@ If a user attempts to install a deprecated cask, they will be shown a warning me
A cask should be deprecated to indicate to users that the cask should not be used and will be disabled in the future. Deprecated casks should continue to be maintained by the Homebrew maintainers if they continue to be installable. If this is not possible, they should be immediately disabled. A cask should be deprecated to indicate to users that the cask should not be used and will be disabled in the future. Deprecated casks should continue to be maintained by the Homebrew maintainers if they continue to be installable. If this is not possible, they should be immediately disabled.
The most common reasons for deprecation are when the upstream project is unsigned, deprecated, unmaintained or archived. The most common reasons for deprecation are when the upstream project is deprecated, unmaintained or archived,
or the software does not pass macOS Gatekeeper checks.
Casks should only be deprecated if at least one of the following are true: Casks should only be deprecated if at least one of the following are true:
- the software installed by the cask is unsigned or does not meet signature requirements for supported OS versions - the software installed by the cask fails macOS Gatekeeper checks for supported OS versions
- the software installed by the cask cannot be run on any supported OS versions - the software installed by the cask cannot be run on any supported OS versions
- the software installed by the cask has outstanding CVEs - the software installed by the cask has outstanding CVEs
- the software installed by the cask has been discontinued or abandoned upstream - the software installed by the cask has been discontinued or abandoned upstream
@ -96,7 +97,7 @@ There are two ways to indicate the reason. The preferred way is to use a pre-exi
- `:no_longer_available`: the cask is no longer available upstream - `:no_longer_available`: the cask is no longer available upstream
- `:no_longer_meets_criteria`: the cask no longer meets the criteria for acceptable casks - `:no_longer_meets_criteria`: the cask no longer meets the criteria for acceptable casks
- `:unmaintained`: the cask is not maintained upstream - `:unmaintained`: the cask is not maintained upstream
- `:unsigned`: the cask is unsigned or does not meet signature requirements - `:fails_gatekeeper_check`: the cask fails macOS Gatekeeper checks
These reasons can be specified by their symbols (the comments show the message that will be displayed to users): These reasons can be specified by their symbols (the comments show the message that will be displayed to users):