diff --git a/Library/Homebrew/cask/audit.rb b/Library/Homebrew/cask/audit.rb index bd9be728b4..108a76b874 100644 --- a/Library/Homebrew/cask/audit.rb +++ b/Library/Homebrew/cask/audit.rb @@ -505,8 +505,8 @@ module Cask extract_artifacts do |artifacts, tmpdir| is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) } - artifacts.each do |artifact| - next if artifact.is_a?(Artifact::Binary) && is_container == true + any_signing_failure = artifacts.any? do |artifact| + next false if artifact.is_a?(Artifact::Binary) && is_container == true artifact_path = artifact.is_a?(Artifact::Pkg) ? artifact.path : artifact.source @@ -521,7 +521,7 @@ module Cask system_command("gktool", args: ["scan", path], print_stderr: false) when Artifact::Binary # Shell scripts cannot be signed, so we skip them - next if path.text_executable? + next false if path.text_executable? system_command("codesign", args: ["--verify", "-R=notarized", "--check-notarization", path], print_stderr: false) @@ -529,13 +529,8 @@ module Cask add_error "Unknown artifact type: #{artifact.class}", location: url.location end - if result.success? && cask.deprecated? && cask.deprecation_reason == :unsigned - add_error "Cask is deprecated as unsigned but artifacts are signed!" - end - - next if cask.deprecated? && cask.deprecation_reason == :unsigned - - next if result.success? + next false if result.success? + next true if cask.deprecated? && cask.deprecation_reason == :unsigned add_error <<~EOS, location: url.location Signature verification failed: @@ -543,7 +538,18 @@ module Cask macOS on ARM requires software to be signed. Please contact the upstream developer to let them know they should sign and notarize their software. EOS + + true end + + return if any_signing_failure + return unless cask.deprecated? + return if cask.deprecation_reason != :unsigned + + add_error <<~EOS + Cask is deprecated as unsigned but all artifacts are signed! + Remove the deprecate/disable stanza or update the deprecate/disable reason. + EOS end end @@ -640,9 +646,12 @@ module Cask extract_artifacts do |artifacts, tmpdir| is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) } - artifacts.each do |artifact| - next if !artifact.is_a?(Artifact::App) && !artifact.is_a?(Artifact::Binary) - next if artifact.is_a?(Artifact::Binary) && is_container + mentions_rosetta = cask.caveats.include?("requires Rosetta 2") + requires_intel = cask.depends_on.arch&.any? { |arch| arch[:type] == :intel } + + any_requires_rosetta = artifacts.any? do |artifact| + next false if !artifact.is_a?(Artifact::App) && !artifact.is_a?(Artifact::Binary) + next false if artifact.is_a?(Artifact::Binary) && is_container path = tmpdir/artifact.source.relative_path_from(cask.staged_path) @@ -665,7 +674,7 @@ module Cask end # binary stanza can contain shell scripts, so we just continue if lipo fails. - next unless result.success? + next false unless result.success? odebug "Architectures: #{result.merged_output}" @@ -675,17 +684,17 @@ module Cask next end - supports_arm = result.merged_output.include?("arm64") - mentions_rosetta = cask.caveats.include?("requires Rosetta 2") - requires_intel = cask.depends_on.arch&.any? { |arch| arch[:type] == :intel } + result.merged_output.exclude?("arm64") && result.merged_output.include?("x86_64") + end - if supports_arm && mentions_rosetta - add_error "Artifacts do not require Rosetta 2 but the caveats say otherwise!", - location: url.location - elsif !supports_arm && !mentions_rosetta && !requires_intel - add_error "Artifacts require Rosetta 2 but this is not indicated by the caveats!", + if any_requires_rosetta + if !mentions_rosetta && !requires_intel + add_error "At least one artifact requires Rosetta 2 but this is not indicated by the caveats!", location: url.location end + elsif mentions_rosetta + add_error "No artifacts require Rosetta 2 but the caveats say otherwise!", + location: url.location end end end