diff --git a/Library/Homebrew/cask/audit.rb b/Library/Homebrew/cask/audit.rb
index 3b128a07a3..db58ee005a 100644
--- a/Library/Homebrew/cask/audit.rb
+++ b/Library/Homebrew/cask/audit.rb
@@ -491,29 +491,43 @@ module Cask
 Dir.mktmpdir do |tmpdir|
 tmpdir = Pathname(tmpdir)
 primary_container.extract_nestedly(to: tmpdir, basename: downloaded_path.basename, verbose: false)
+
+ message = "Signature verification failed:\n#{result.merged_output}\nmacOS on ARM requires applications " \
+ "to be signed. Please contact the upstream developer to let them know they should "
+
 artifacts.each do |artifact|
- path = case artifact
+ case artifact
 when Artifact::Moved
- tmpdir/artifact.source.basename
+ path = tmpdir/artifact.source.basename
+ next unless path.exist?
+
+ result = system_command("codesign", args: ["--verify", path], print_stderr: false)
+
+ next if result.success?
+
+ message += if result.stderr.include?("not signed at all")
+ "sign their app."
+ else
+ "fix the signature of their app."
+ end
+
+ add_warning message
 when Artifact::Pkg
- artifact.path
+ path = artifact.path
+ next unless path.exist?
+
+ result = system_command("pkgutil", args: ["--check-signature", path], print_stderr: false)
+ if result.failure?
+ add_warning "#{message} sign their package."
+ next
+ end
+
+ result = system_command("stapler", args: ["validate", path], print_stderr: false)
+ if result.failure?
+ add_warning "#{message} notarize their package."
+ next
+ end
 end
- next unless path.exist?
-
- result = system_command("codesign", args: ["--verify", path], print_stderr: false)
-
- next if result.success?
-
- message = "Signature verification failed:\n#{result.merged_output}\nmacOS on ARM requires applications " \
- "to be signed. Please contact the upstream developer to let them know they should "
-
- message += if result.stderr.include?("not signed at all")
- "sign their app."
- else
- "fix the signature of their app."
- end
-
- add_warning message
 end
 end
 end
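Review bot: The hoisted `message` interpolates `result.merged_output` before the `artifacts.each` loop, but `result` is first assigned inside the loop. Unless a `result` is defined outside this hunk, that line raises NameError, and in any case the text cannot carry the output of the command that failed. In the `Artifact::Moved` branch, `message +=` then reassigns that shared variable, so each later warning, including the `Artifact::Pkg` ones, inherits the suffixes of earlier failures and the audit output no longer says which artifact failed which check. Build the text per failure from the result that actually failed, as sketched below. Separately, `stapler validate` appears to check only for a stapled ticket, so "notarize their package" may mislead for a package that is notarized but not stapled; a comment there would help. The enclosing method starts outside the hunk.

```ruby
# Build the warning from the command result that actually failed.
signature_warning = lambda do |result, advice|
  "Signature verification failed:\n#{result.merged_output}\nmacOS on ARM requires applications " \
    "to be signed. Please contact the upstream developer to let them know they should #{advice}"
end

artifacts.each do |artifact|
  case artifact
  when Artifact::Moved
    # … unchanged: path lookup, codesign call, success check …
    advice = if result.stderr.include?("not signed at all")
      "sign their app."
    else
      "fix the signature of their app."
    end
    add_warning signature_warning.call(result, advice)
  when Artifact::Pkg
    # … unchanged: path lookup, pkgutil call …
    if result.failure?
      add_warning signature_warning.call(result, "sign their package.")
      next
    end
    # … unchanged: stapler call …
    if result.failure?
      add_warning signature_warning.call(result, "notarize their package.")
      next
    end
```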