53 changes: 31 additions & 22 deletions Library/Homebrew/cask/audit.rb
Expand Up @@ -505,8 +505,8 @@ def audit_signing
extract_artifacts do |artifacts, tmpdir|
is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) }

artifacts.each do |artifact|
next if artifact.is_a?(Artifact::Binary) && is_container == true
any_signing_failure = artifacts.any? do |artifact|
next false if artifact.is_a?(Artifact::Binary) && is_container == true

artifact_path = artifact.is_a?(Artifact::Pkg) ? artifact.path : artifact.source

Expand All @@ -521,29 +521,35 @@ def audit_signing
system_command("gktool", args: ["scan", path], print_stderr: false)
when Artifact::Binary
# Shell scripts cannot be signed, so we skip them
next if path.text_executable?
next false if path.text_executable?

system_command("codesign", args: ["--verify", "-R=notarized", "--check-notarization", path],
print_stderr: false)
else
add_error "Unknown artifact type: #{artifact.class}", location: url.location
end

if result.success? && cask.deprecated? && cask.deprecation_reason == :unsigned
add_error "Cask is deprecated as unsigned but artifacts are signed!"
end

next if cask.deprecated? && cask.deprecation_reason == :unsigned

next if result.success?
next false if result.success?
next true if cask.deprecated? && cask.deprecation_reason == :unsigned

add_error <<~EOS, location: url.location
Signature verification failed:
#{result.merged_output}
macOS on ARM requires software to be signed.
Please contact the upstream developer to let them know they should sign and notarize their software.
EOS

true
end

return if any_signing_failure
return unless cask.deprecated?
return if cask.deprecation_reason != :unsigned

add_error <<~EOS
Cask is deprecated as unsigned but all artifacts are signed!
Remove the deprecate/disable stanza or update the deprecate/disable reason.
EOS
end
end

Expand Down Expand Up @@ -640,9 +646,12 @@ def audit_rosetta
extract_artifacts do |artifacts, tmpdir|
is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) }

artifacts.each do |artifact|
next if !artifact.is_a?(Artifact::App) && !artifact.is_a?(Artifact::Binary)
next if artifact.is_a?(Artifact::Binary) && is_container
mentions_rosetta = cask.caveats.include?("requires Rosetta 2")
requires_intel = cask.depends_on.arch&.any? { |arch| arch[:type] == :intel }

any_requires_rosetta = artifacts.any? do |artifact|
next false if !artifact.is_a?(Artifact::App) && !artifact.is_a?(Artifact::Binary)
next false if artifact.is_a?(Artifact::Binary) && is_container

path = tmpdir/artifact.source.relative_path_from(cask.staged_path)

Expand All @@ -665,7 +674,7 @@ def audit_rosetta
end

# binary stanza can contain shell scripts, so we just continue if lipo fails.
next unless result.success?
next false unless result.success?

odebug "Architectures: #{result.merged_output}"

Expand All @@ -675,17 +684,17 @@ def audit_rosetta
next
end

supports_arm = result.merged_output.include?("arm64")
mentions_rosetta = cask.caveats.include?("requires Rosetta 2")
requires_intel = cask.depends_on.arch&.any? { |arch| arch[:type] == :intel }
result.merged_output.exclude?("arm64") && result.merged_output.include?("x86_64")
end

if supports_arm && mentions_rosetta
add_error "Artifacts do not require Rosetta 2 but the caveats say otherwise!",
location: url.location
elsif !supports_arm && !mentions_rosetta && !requires_intel
add_error "Artifacts require Rosetta 2 but this is not indicated by the caveats!",
if any_requires_rosetta
if !mentions_rosetta && !requires_intel
add_error "At least one artifact requires Rosetta 2 but this is not indicated by the caveats!",
location: url.location
end
elsif mentions_rosetta
add_error "No artifacts require Rosetta 2 but the caveats say otherwise!",
location: url.location
end
end
end
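Review bot: In `audit_signing`, a false `any_signing_failure` does not mean any artifact was actually verified, so the new post-block error "Cask is deprecated as unsigned but all artifacts are signed!" can fire for a cask whose artifacts were all skipped (binaries inside a container, or shell scripts rejected by `path.text_executable?`, both `next false`), whereas the old per-artifact check only fired on a real `result.success?`. Track a separate flag that is set only when `result.success?` is observed and require it before reporting, as sketched below. Note also that `any?` stops at the first failing artifact, so only one "Signature verification failed" error is reported per run where `each` previously reported every unsigned artifact; if that is intended, a one-line comment such as `# Stop at the first unsigned artifact; the audit fails either way.` above the block would make it explicit. In `audit_rosetta` the bare `next` inside the `if` just above the `exclude?("arm64")` line (its condition is collapsed outside the visible hunk) now yields `nil` to `any?`, which works but should read `next false` for consistency with the other exits in that block. Both enclosing methods start before their first hunk in this section.
```ruby
verified_signed = false
any_signing_failure = artifacts.any? do |artifact|
  # … unchanged: artifact filtering, gktool/codesign invocation …
  if result.success?
    verified_signed = true
    next false
  end
  # … unchanged: deprecated-as-unsigned short-circuit and error message …
end

return if any_signing_failure
return unless verified_signed
# … unchanged: deprecation guards and "all artifacts are signed" error …
```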