Skip to content

cask/audit: always enable codesign audit #20286

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 22, 2025
Merged

cask/audit: always enable codesign audit #20286

merged 1 commit into from
Jul 22, 2025

Conversation

bevanjkay
Copy link
Member

@bevanjkay bevanjkay commented Jul 21, 2025
edited
Loading

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

This PR enables the codesigning audit for all casks. Currently this audit is only applied to new casks.

The audit is skipped when a cask is deprecated for any reason - so to unblock CI we will need to add a deprecation with reason :unsigned to any casks receiving updates that aren't codesigned.

We need to be aware of some instances of false-positives with the audit, which include when binaries are placed in non-conventional locations within an app bundle. There may be improvements that could be made to the audit for these.

Paging @homebrew/cask as this is a fairly significant change.

@bevanjkay bevanjkay force-pushed the enable_signing_audit branch 2 times, most recently from 5e50bc9 to f96f8c0 Compare July 21, 2025 08:58
SMillerDev
SMillerDev reviewed Jul 21, 2025
View reviewed changes
@bevanjkay bevanjkay force-pushed the enable_signing_audit branch from f96f8c0 to 84d7000 Compare July 21, 2025 11:19
SMillerDev
SMillerDev approved these changes Jul 21, 2025
View reviewed changes
Copy link
Member

@SMillerDev SMillerDev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can limit it to official taps later. Or I can review it again once you do that, your call.

@bevanjkay
Copy link
Member Author

bevanjkay commented Jul 21, 2025
edited
Loading

Is there value in allowing this to run in non-official taps, but just keep it behind the --signing flag? (current logic)
This is my mild preference, but happy to go either way.

@bevanjkay bevanjkay force-pushed the enable_signing_audit branch from 84d7000 to cccec16 Compare July 21, 2025 11:38
bevanjkay
bevanjkay commented Jul 21, 2025
View reviewed changes
MikeMcQuaid
MikeMcQuaid approved these changes Jul 21, 2025
View reviewed changes
Copy link
Member

@MikeMcQuaid MikeMcQuaid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good once 🟢, thanks @bevanjkay!

@bevanjkay bevanjkay force-pushed the enable_signing_audit branch from cccec16 to c37d3e2 Compare July 21, 2025 12:40
@bevanjkay bevanjkay enabled auto-merge July 21, 2025 12:41
@bevanjkay bevanjkay force-pushed the enable_signing_audit branch from c37d3e2 to 1d6f486 Compare July 21, 2025 13:41
@bevanjkay bevanjkay disabled auto-merge July 21, 2025 13:54
@bevanjkay bevanjkay force-pushed the enable_signing_audit branch from 1d6f486 to 9dc5929 Compare July 21, 2025 14:05
p-linnane
p-linnane approved these changes Jul 21, 2025
View reviewed changes
Copy link
Member

@p-linnane p-linnane left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should limit this to official taps.

@bevanjkay bevanjkay added this pull request to the merge queue Jul 22, 2025
Merged via the queue into main with commit 3bec117 Jul 22, 2025
36 checks passed
@bevanjkay bevanjkay deleted the enable_signing_audit branch July 22, 2025 07:42
@EricFromCanada EricFromCanada mentioned this pull request Aug 6, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SMillerDev SMillerDev SMillerDev approved these changes

@MikeMcQuaid MikeMcQuaid MikeMcQuaid approved these changes

@krehel krehel krehel approved these changes

@p-linnane p-linnane p-linnane approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@bevanjkay @MikeMcQuaid @SMillerDev @krehel @p-linnane