admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity

Merge pull request #15219 from vitorgalvao/patch-1

Browse Source 
audit.rb: Check for signature with sptcl
This commit is contained in:
Markus Reiter 2023-04-15 12:40:28 +02:00 committed by GitHub
commit ad3d207172
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
Library/Homebrew/cask/audit.rb
View File

@ -474,58 +474,24 @@ module Cask
primary_container.extract_nestedly(to: tmpdir, basename: downloaded_path.basename, verbose: false) primary_container.extract_nestedly(to: tmpdir, basename: downloaded_path.basename, verbose: false)
artifacts.each do |artifact| artifacts.each do |artifact|
case artifact artifact_path = artifact.is_a?(Artifact::Pkg) ? artifact.path : artifact.source
when Artifact::Moved path = tmpdir/artifact_path.relative_path_from(cask.staged_path)
path = tmpdir/artifact.source.relative_path_from(cask.staged_path)
next unless path.exist? next unless path.exist?
result = system_command("codesign", args: ["--verify", path], print_stderr: false) result = system_command("spctl", args: ["--assess", "--type", "install", path], print_stderr: false)
next if result.success? next if result.success?
message = <<~EOS
Signature verification failed:
#{result.merged_output}
macOS on ARM requires applications to be signed.
Please contact the upstream developer to let them know they should
EOS
message = if result.stderr.include?("not signed at all")
"#{message} sign their app."
else
"#{message} fix the signature of their app."
end
add_error(message, strict_only: true)
when Artifact::Pkg
path = tmpdir/artifact.path.relative_path_from(cask.staged_path)
next unless path.exist?
result = system_command("pkgutil", args: ["--check-signature", path], print_stderr: false)
unless result.success?
add_error(<<~EOS, strict_only: true)
Signature verification failed:
#{result.merged_output}
macOS on ARM requires applications to be signed.
Please contact the upstream developer to let them know they should sign their package.
EOS
next
end
result = system_command("stapler", args: ["validate", path], print_stderr: false)
next if result.success?
add_error(<<~EOS, strict_only: true) add_error(<<~EOS, strict_only: true)
Signature verification failed: Signature verification failed:
#{result.merged_output} #{result.merged_output}
macOS on ARM requires applications to be signed. macOS on ARM requires software to be signed.
Please contact the upstream developer to let them know they should notarize their package. Please contact the upstream developer to let them know they should sign and notarize their software.
EOS EOS
end end
end end
end end
end
sig { returns(T.any(NilClass, T::Boolean, Symbol)) } sig { returns(T.any(NilClass, T::Boolean, Symbol)) }
def audit_livecheck_version def audit_livecheck_version