From 34f659cb640be6ed8c350cf3316ccf086d5dadd1 Mon Sep 17 00:00:00 2001
From: Bevan Kay
Date: Mon, 11 Aug 2025 12:37:44 +1000
Subject: [PATCH 1/3] cask/audit: iterate over artifacts in rosetta/signing audit
---
 Library/Homebrew/cask/audit.rb | 51 +++++++++++++++++++---------------
 1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/Library/Homebrew/cask/audit.rb b/Library/Homebrew/cask/audit.rb
index bd9be728b4..afb24e7c95 100644
--- a/Library/Homebrew/cask/audit.rb
+++ b/Library/Homebrew/cask/audit.rb
@@ -505,8 +505,8 @@ module Cask
 extract_artifacts do |artifacts, tmpdir|
 is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) }
- artifacts.each do |artifact|
- next if artifact.is_a?(Artifact::Binary) && is_container == true
+ any_signing_failure = artifacts.any? do |artifact|
+ next false if artifact.is_a?(Artifact::Binary) && is_container == true
 artifact_path = artifact.is_a?(Artifact::Pkg) ? artifact.path : artifact.source
@@ -521,7 +521,7 @@ module Cask
 system_command("gktool", args: ["scan", path], print_stderr: false)
 when Artifact::Binary
 # Shell scripts cannot be signed, so we skip them
- next if path.text_executable?
+ next false if path.text_executable?
 system_command("codesign", args: ["--verify", "-R=notarized", "--check-notarization", path], print_stderr: false)
@@ -529,13 +529,8 @@ module Cask
 add_error "Unknown artifact type: #{artifact.class}", location: url.location
 end
- if result.success? && cask.deprecated? && cask.deprecation_reason == :unsigned
- add_error "Cask is deprecated as unsigned but artifacts are signed!"
- end
-
- next if cask.deprecated? && cask.deprecation_reason == :unsigned
-
- next if result.success?
+ next false if result.success?
+ next true if cask.deprecated? && cask.deprecation_reason == :unsigned
 add_error <<~EOS, location: url.location
 Signature verification failed:
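Review bot: `artifacts.any? do |artifact|` stops iterating at the first artifact whose block returns true, so once one artifact fails signature verification the remaining artifacts are never run through codesign/gktool and their failures are not reported, whereas the removed `artifacts.each` checked every artifact. Per-artifact reporting only needs the block mapped before the predicate: `any_signing_failure = artifacts.map do |artifact|` here and `end.any?` where the block closes in the @@ -543 hunk. The same short-circuit applies to `any_requires_rosetta = artifacts.any? do |artifact|` in the @@ -640 hunk, where later artifacts skip the lipo step and its odebug output. While here, `is_container == true` on the `next false` line can simply be `is_container`. The enclosing audit method starts outside the hunk.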
@@ -543,6 +538,15 @@ module Cask
 macOS on ARM requires software to be signed.
 Please contact the upstream developer to let them know they should sign and notarize their software.
 EOS
+
+ true
+ end
+
+ if cask.deprecated? && cask.deprecation_reason == :unsigned && !any_signing_failure
+ add_error <<~EOS
+ Cask is deprecated as unsigned but all artifacts are signed!
+ Remove the deprecate/disable stanza or update the deprecate/disable reason.
+ EOS
 end
 end
 end
@@ -640,9 +644,12 @@ module Cask
 extract_artifacts do |artifacts, tmpdir|
 is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) }
- artifacts.each do |artifact|
- next if !artifact.is_a?(Artifact::App) && !artifact.is_a?(Artifact::Binary)
- next if artifact.is_a?(Artifact::Binary) && is_container
+ mentions_rosetta = cask.caveats.include?("requires Rosetta 2")
+ requires_intel = cask.depends_on.arch&.any? { |arch| arch[:type] == :intel }
+
+ any_requires_rosetta = artifacts.any? do |artifact|
+ next false if !artifact.is_a?(Artifact::App) && !artifact.is_a?(Artifact::Binary)
+ next false if artifact.is_a?(Artifact::Binary) && is_container
 path = tmpdir/artifact.source.relative_path_from(cask.staged_path)
@@ -665,7 +672,7 @@ module Cask
 end
 # binary stanza can contain shell scripts, so we just continue if lipo fails.
- next unless result.success?
+ next false unless result.success?
 odebug "Architectures: #{result.merged_output}"
@@ -675,17 +682,17 @@ module Cask
 next
 end
- supports_arm = result.merged_output.include?("arm64")
- mentions_rosetta = cask.caveats.include?("requires Rosetta 2")
- requires_intel = cask.depends_on.arch&.any? { |arch| arch[:type] == :intel }
+ next true if result.merged_output.exclude?("arm64") && result.merged_output.include?("x86_64")
+ end
- if supports_arm && mentions_rosetta
- add_error "Artifacts do not require Rosetta 2 but the caveats say otherwise!",
- location: url.location
- elsif !supports_arm && !mentions_rosetta && !requires_intel
- add_error "Artifacts require Rosetta 2 but this is not indicated by the caveats!",
+ if any_requires_rosetta
+ if !mentions_rosetta && !requires_intel
+ add_error "At least one artifact requires Rosetta 2 but this is not indicated by the caveats!",
 location: url.location
 end
+ elsif mentions_rosetta
+ add_error "No artifacts require Rosetta 2 but the caveats say otherwise!",
+ location: url.location
 end
 end
 end
From 5c06d6f184ecf855c37d1d4411e1e5a122cf8f44 Mon Sep 17 00:00:00 2001
From: Bevan Kay
Date: Mon, 11 Aug 2025 15:26:36 +1000
Subject: [PATCH 2/3] cask/audit: apply suggestion from code review
Co-authored-by: Carlo Cabrera
---
 Library/Homebrew/cask/audit.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Library/Homebrew/cask/audit.rb b/Library/Homebrew/cask/audit.rb
index afb24e7c95..5ffa29c741 100644
--- a/Library/Homebrew/cask/audit.rb
+++ b/Library/Homebrew/cask/audit.rb
@@ -682,7 +682,7 @@ module Cask
 next
 end
- next true if result.merged_output.exclude?("arm64") && result.merged_output.include?("x86_64")
+ result.merged_output.exclude?("arm64") && result.merged_output.include?("x86_64")
 end
 if any_requires_rosetta
From 12f6e871c73c91114bfa017c434f0b25c48156f0 Mon Sep 17 00:00:00 2001
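Review bot: The new predicate `result.merged_output.exclude?("arm64") && result.merged_output.include?("x86_64")` only counts an artifact as needing Rosetta 2 when lipo reports x86_64 without arm64, whereas the removed `!supports_arm` branch flagged any artifact lacking arm64; an artifact whose lipo output names neither architecture now silently counts as native and no longer produces the "requires Rosetta 2" error. If that narrowing is intended, a comment on that line would save the next reader the comparison, e.g. `# Only x86_64-only artifacts are treated as needing Rosetta 2; other non-arm64 output is not flagged here.` The `if` that ends with the `next`/`end` context lines at the top of the hunk starts outside it, so whatever it already excludes cannot be checked from here. The error messages below are emitted once per cask with `location: url.location`, which matches the removed code.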
From: Bevan Kay
Date: Mon, 11 Aug 2025 15:26:44 +1000
Subject: [PATCH 3/3] cask/audit: apply suggestion from code review
Co-authored-by: Carlo Cabrera
---
 Library/Homebrew/cask/audit.rb | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/Library/Homebrew/cask/audit.rb b/Library/Homebrew/cask/audit.rb
index 5ffa29c741..108a76b874 100644
--- a/Library/Homebrew/cask/audit.rb
+++ b/Library/Homebrew/cask/audit.rb
@@ -542,12 +542,14 @@ module Cask
 true
 end
- if cask.deprecated? && cask.deprecation_reason == :unsigned && !any_signing_failure
- add_error <<~EOS
- Cask is deprecated as unsigned but all artifacts are signed!
- Remove the deprecate/disable stanza or update the deprecate/disable reason.
- EOS
- end
+ return if any_signing_failure
+ return unless cask.deprecated?
+ return if cask.deprecation_reason != :unsigned
+
+ add_error <<~EOS
+ Cask is deprecated as unsigned but all artifacts are signed!
+ Remove the deprecate/disable stanza or update the deprecate/disable reason.
+ EOS
 end
 end
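Review bot: The three `return` statements sit inside the `extract_artifacts do |artifacts, tmpdir|` block (opened outside this hunk), and a `return` in a plain block exits the enclosing audit method rather than the block, while the `if` it replaces only fell through to the block's `end`. That is harmless only if nothing follows the block in the method and `extract_artifacts` cleans up its temporary directory in an `ensure`, neither of which is visible here. `next` gives the same early exit confined to the block: `next if any_signing_failure`, `next unless cask.deprecated?`, `next unless cask.deprecation_reason == :unsigned` (the last also reads more naturally than `return if ... != :unsigned`). The error text mentions the disable stanza but the guards only consult `deprecated?` and `deprecation_reason`, so if a disabled cask with an unsigned reason is meant to get the same check, it does not.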