Fix audit_signing to check quarantine availability and attributes

Co-authored-by: bevanjkay <40621599+bevanjkay@users.noreply.github.com>
2025-08-14 03:31:30 +00:00 · 2025-08-14 03:31:30 +00:00 · d0ad96a9b3
commit d0ad96a9b3
parent 7dd47ca89a
2 changed files with 39 additions and 0 deletions
--- a/Library/Homebrew/cask/audit.rb
+++ b/Library/Homebrew/cask/audit.rb
@ -4,6 +4,7 @@
 require "cask/denylist"
 require "cask/download"
 require "cask/installer"
+require "cask/quarantine"
 require "digest"
 require "livecheck/livecheck"
 require "source_location"
@ -501,6 +502,12 @@ module Cask
      return if !cask.tap.official? && !signing?
      return if cask.deprecated? && cask.deprecation_reason != :unsigned

+      # Check if quarantine support is available
+      unless Quarantine.available?
+        odebug "Quarantine support is not available, skipping signing audit"
+        return
+      end
+
      odebug "Auditing signing"

      is_in_skiplist = cask.tap&.audit_exception(:signing_audit_skiplist, cask.token)
@ -515,6 +522,12 @@ module Cask

          path = tmpdir/artifact_path.relative_path_from(cask.staged_path)

+          # Check if the artifact has quarantine attributes
+          unless Quarantine.detect(path)
+            odebug "#{path} does not have quarantine attributes, skipping signing audit"
+            next false
+          end
+
          result = case artifact
          when Artifact::Pkg
            system_command("spctl", args: ["--assess", "--type", "install", path], print_stderr: false)
--- a/Library/Homebrew/test/cask/audit_spec.rb
+++ b/Library/Homebrew/test/cask/audit_spec.rb
@ -453,6 +453,7 @@ RSpec.describe Cask::Audit, :cask do

    describe "signing checks" do
      let(:only) { ["signing"] }
+      let(:tap) { CoreCaskTap.instance }
      let(:download_double) { instance_double(Cask::Download) }
      let(:unpack_double) { instance_double(UnpackStrategy::Zip) }

@ -495,6 +496,31 @@ RSpec.describe Cask::Audit, :cask do
          expect(run).not_to error_with(/Audit\.app/)
        end
      end
+
+      context "when quarantine support is not available" do
+        let(:cask) do
+          tmp_cask "signing-cask-test", <<~RUBY
+            cask 'signing-cask-test' do
+              version '1.0'
+              url "https://brew.sh/"
+              app 'Audit.app'
+            end
+          RUBY
+        end
+
+        before do
+          allow(cask).to receive(:tap).and_return(tap)
+
+          allow(Cask::Quarantine).to receive(:available?).and_return(false)
+        end
+
+        it "skips signing audit with warning" do
+          allow(cask).to receive(:tap).and_return(tap)
+
+          expect(audit).to receive(:odebug).with("Quarantine support is not available, skipping signing audit")
+          expect(run).not_to error_with(/Signature verification failed/)
+        end
+      end
    end

    describe "livecheck should be skipped", :no_api do