cask: replace unsigned deprecation reason with fails_gatekeeper_check

2025-08-13 00:13:57 +10:00 · 2025-08-13 00:13:57 +10:00 · 97b1683466
commit 97b1683466
parent 24057cc9a5
6 changed files with 27 additions and 23 deletions
--- a/Library/Homebrew/cask/audit.rb
+++ b/Library/Homebrew/cask/audit.rb
@ -500,7 +500,7 @@ module Cask
      return if url.nil?

      return if !cask.tap.official? && !signing?
-      return if cask.deprecated? && cask.deprecation_reason != :unsigned
+      return if cask.deprecated? && cask.deprecation_reason != :fails_gatekeeper_check

      unless Quarantine.available?
        odebug "Quarantine support is not available, skipping signing audit"
@ -544,7 +544,7 @@ module Cask
          end

          next false if result.success?
-          next true if cask.deprecated? && cask.deprecation_reason == :unsigned
+          next true if cask.deprecated? && cask.deprecation_reason == :fails_gatekeeper_check
          next true if is_in_skiplist

          add_error <<~EOS, location: url.location
@ -562,10 +562,10 @@ module Cask
        add_error "Cask is in the signing audit skiplist, but does not need to be skipped!" if is_in_skiplist

        return unless cask.deprecated?
-        return if cask.deprecation_reason != :unsigned
+        return if cask.deprecation_reason != :fails_gatekeeper_check

        add_error <<~EOS
-          Cask is deprecated as unsigned but all artifacts are signed!
+          Cask is deprecated because it failed Gatekeeper checks but all artifacts now pass!
          Remove the deprecate/disable stanza or update the deprecate/disable reason.
        EOS
      end
--- a/Library/Homebrew/deprecate_disable.rb
+++ b/Library/Homebrew/deprecate_disable.rb
@ -27,6 +27,8 @@ module DeprecateDisable
    no_longer_available:      "is no longer available upstream",
    no_longer_meets_criteria: "no longer meets the criteria for acceptable casks",
    unmaintained:             "is not maintained upstream",
+    fails_gatekeeper_check:   "does not pass macOS Gatekeeper check",
+    # odeprecate: remove the unsigned reason in a future release
    unsigned:                 "is unsigned or does not meet signature requirements",
  }.freeze, T::Hash[Symbol, String])

--- a/Library/Homebrew/livecheck/skip_conditions.rb
+++ b/Library/Homebrew/livecheck/skip_conditions.rb
@ -120,7 +120,7 @@ module Homebrew
      }
      private_class_method def self.cask_deprecated(cask, livecheck_defined, full_name: false, verbose: false)
        return {} if !cask.deprecated? || livecheck_defined
-        return {} if cask.disable_date && cask.deprecation_reason == :unsigned
+        return {} if cask.disable_date && cask.deprecation_reason == :fails_gatekeeper_check

        Livecheck.status_hash(cask, "deprecated", full_name:, verbose:)
      end
--- a/Library/Homebrew/tap.rb
+++ b/Library/Homebrew/tap.rb
@ -1038,7 +1038,7 @@ class Tap

    @autobump ||= T.let(autobump_packages.select do |_, p|
      next if p["disabled"]
-      next if p["deprecated"] && p["deprecation_reason"] != "unsigned"
+      next if p["deprecated"] && p["deprecation_reason"] != "fails_gatekeeper_check"
      next if p["skip_livecheck"]

      p["autobump"] == true
--- a/Library/Homebrew/test/livecheck/skip_conditions_spec.rb
+++ b/Library/Homebrew/test/livecheck/skip_conditions_spec.rb
@ -114,15 +114,15 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do

        disable! date: "2020-06-25", because: :discontinued
      end,
-      future_disable_unsigned: Cask::Cask.new("test_future_disable_unsigned") do
+      future_disable_fails_gatekeeper_check: Cask::Cask.new("test_future_disable_fails_gatekeeper_check") do
        version "0.0.1"

        url "https://brew.sh/test-#{version}.tgz"
-        name "Test Future Disabled Unsigned"
-        desc "Future Disable Unsigned test cask"
+        name "Test Future Disabled Fails Gatekeeper Check"
+        desc "Future Disable Fails Gatekeeper Check test cask"
        homepage "https://brew.sh"

-        disable! date: "3000-06-25", because: :unsigned
+        disable! date: "3000-06-25", because: :fails_gatekeeper_check
      end,
      extract_plist:                         Cask::Cask.new("test_extract_plist_skip") do
        version "0.0.1"
@ -384,9 +384,10 @@ RSpec.describe Homebrew::Livecheck::SkipConditions do
      end
    end

-    context "when a cask without a `livecheck` block is deprecated with a future disable date because `:unsigned`" do
+    context "when a cask without a `livecheck` block is deprecated" \
+            "with a future disable date because `:fails_gatekeeper_check`" do
      it "does not skip" do
-        expect(skip_conditions.skip_information(casks[:future_disable_unsigned])).to eq({})
+        expect(skip_conditions.skip_information(casks[:future_disable_fails_gatekeeper_check])).to eq({})
      end
    end

--- a/docs/Deprecating-Disabling-and-Removing-Casks.md
+++ b/docs/Deprecating-Disabling-and-Removing-Casks.md
@ -20,11 +20,12 @@ If a user attempts to install a deprecated cask, they will be shown a warning me

 A cask should be deprecated to indicate to users that the cask should not be used and will be disabled in the future. Deprecated casks should continue to be maintained by the Homebrew maintainers if they continue to be installable. If this is not possible, they should be immediately disabled.

-The most common reasons for deprecation are when the upstream project is unsigned, deprecated, unmaintained or archived.
+The most common reasons for deprecation are when the upstream project is deprecated, unmaintained or archived,
+or the software does not pass macOS Gatekeeper checks.

 Casks should only be deprecated if at least one of the following are true:

- the software installed by the cask is unsigned or does not meet signature requirements for supported OS versions
+- the software installed by the cask fails macOS Gatekeeper checks for supported OS versions
 - the software installed by the cask cannot be run on any supported OS versions
 - the software installed by the cask has outstanding CVEs
 - the software installed by the cask has been discontinued or abandoned upstream
@ -96,7 +97,7 @@ There are two ways to indicate the reason. The preferred way is to use a pre-exi
 - `:no_longer_available`: the cask is no longer available upstream
 - `:no_longer_meets_criteria`: the cask no longer meets the criteria for acceptable casks
 - `:unmaintained`: the cask is not maintained upstream
- `:unsigned`: the cask is unsigned or does not meet signature requirements
+- `:fails_gatekeeper_check`: the cask fails macOS Gatekeeper checks

 These reasons can be specified by their symbols (the comments show the message that will be displayed to users):