- If I understand the issue correctly, it appears that this change primarily impacts casks on macOS. In fact it looks like it may only impact casks. Casks are used to install binary packaged software, often in the form of a dmg or pkg file on macOS. Most people I know are not installing too many casks, and most of the ones I've seen install signed binaries anyway. The important thing for me with this is that it doesn't appear to impact homebrew's ability to download, compile, and install open source software. And that is the main thing I use homebrew for. I believe that is true for most people too, but I fully expect to learn very quickly if there are a bunch of taps in use by people that distribute unsigned binary installers of software for macOS. :-)
by seanparsons
7 subcomments
- My longstanding prediction that Gatekeeper will ever so slowly tighten so that people don't realise like a frog boiled in water is continuing to be true.
by tacker2000
7 subcomments
- Homebrew is not really pro in any way: they force updates, deprecate old software that is still widely in use, the maintainers are always very combative and don't allow any discussions or other opinions.
In the end it's a package manager for consumers that hand holds you and is not really useful in a pro context.
I've been meaning to jump to macports anyway, maybe I'll do it now...
- Hehe, the classic rude and mean behavior from homebrew maintainers.
I get their motivation to remove the flag. In fact, it has always been better to run xattr in postinstall, this way the binary is free from quarantine even after updates.
But the way they communicate with people is unacceptable and just unnecessary.
- I don't understand what this means, although I've read the whole thread. Does this mean people won't be able to use Homebrew to compile software from source (and run it)? Does it mean that they'll be able to use Homebrew to compile software from source, but not download prebuilt binaries (and run them)? Does it mean that they'll be able to download prebuilt binaries, but only run them if they're built by a developer that Apple has blessed?
I do understand that the effect is only to make Intel Macs adopt the same behavior ARM64 Macs already had, but I don't understand what that behavior is.
I see that someone named andrewmcwatters has posted a [dead] reply to my comment that doesn't answer my questions, just repeating the same jargon from the bug report that I don't know the meaning of.
- Can someone explain why disallowing Gatekeeper bypass via Homebrew is related to macOS disallowing unsigned ARM64 binaries to run? My understanding is that `--no-quarantine` just removes the `com.apple.quarantine` attribute from a downloaded application. If the application is unsigned then removing the attribute wouldn’t allow it to run anyways. There’s no way to disable the signature check because it’s a kernel level check. However, macOS will accept an adhoc signature. Because of this, to me it seems like Gatekeeper bypass and unsigned software are orthogonal topics. No matter if I remove the Gatekeeper signature or not, unsigned code still won’t run unless I add an adhoc signature. On the other hand, if I distribute software with an adhoc signature, macOS wouldn’t prevent someone else from running it as long as they remove the quarantine attribute. Am I missing something?
- The loss of the --no-gatekeeper option isn't that big of a deal. It just removed the com.apple.quarantine xattr from the installed cask (which you can easily do yourself, or just allow the app from System Settings after Gatekeeper blocks it).
The more impactful change is the move to require all casks[0] (not just new ones) to pass Gatekeeper checks (so signed and notarized through the Apple Developer Program)[1][2]. There are a multitude of open-source applications which aren't signed and notarized through the Apple Developer Program (some due to the $99 per year cost, some due to needing to provide a legal identity and having that in the certificate, some who object to needing to do it at all). What this means is that you'll have to install these manually or use a 3rd-party tap (package repository) to install them.
Of course, Apple could solve this by providing a way for open-source projects to sign and notarize their apps without having to pay $99 per year and associate a legal identity. They've already got Xcode Cloud, they could allow use of that to build, sign, and notarize only from the publicly available source.
[0]: These are GUI applications (i.e. .app), where Homebrew downloads the official build of the app. CLI tools are done differently (the Homebrew project builds these from source), and nothing's changing there.
[1]: https://github.com/orgs/Homebrew/discussions/6334
[2]: https://github.com/orgs/Homebrew/discussions/6482
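The two comments above both turn on the `com.apple.quarantine` extended attribute that `--no-quarantine` used to strip. As an added example (not code from the thread or from Homebrew), here is a small inspection script that reads that attribute with the macOS `xattr -p` command and decodes its fields, so a defender can see which installed apps Gatekeeper will still assess and when and by what agent each was downloaded. It assumes the documented value layout `flags;timestamp;agent;uuid` (hex flags, hex Unix timestamp); on a system without `xattr` it reports nothing rather than guessing.

```python
# Added example: inspect com.apple.quarantine on downloaded apps.
# Read-only; it never strips the attribute.
import subprocess
import sys
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"


def parse_quarantine(value: str) -> dict:
    """Split a quarantine value into its fields.

    macOS stores it as 'flags;timestamp;agent;uuid': hex flags, a hex Unix
    timestamp of the download, the downloading application's name, and the
    id of the matching row in the LaunchServices quarantine-events database.
    """
    parts = value.strip().split(";")
    if len(parts) < 4:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    epoch = int(parts[1], 16)
    return {
        "flags": int(parts[0], 16),
        "downloaded_epoch": epoch,
        "downloaded_at": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
        "agent": parts[2],
        "event_id": parts[3],
    }


def read_quarantine(path: str) -> Optional[dict]:
    """Return the parsed attribute for path, or None if it is absent.

    Uses `xattr -p` (macOS). A missing attribute (for example after an
    install with --no-quarantine) and a missing xattr tool both yield None.
    """
    try:
        out = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:  # no xattr command on this platform
        return None
    if out.returncode != 0 or not out.stdout.strip():
        return None
    return parse_quarantine(out.stdout)


if __name__ == "__main__":
    # Usage: python3 quarantine_check.py /Applications/*.app
    for app in sys.argv[1:]:
        info = read_quarantine(app)
        print(app, "quarantined" if info else "not quarantined", info or "")
```

Apps reported as "not quarantined" were never assessed by Gatekeeper on first launch, which is exactly the population the maintainers' change is meant to shrink.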
- It seems the maintainers are very eager to lock issues and threads on GitHub that receive any pushback to this decision. Where is this coming from? I thought Homebrew was pro-user software, which requiring Apple's approval to run software on my computer is ostensibly not.
by foxandmouse
2 subcomments
- Yeah, I’ve been noticing an alarming number of casks marked to be deprecated… at the same time gatekeeper has gotten so restrictive it won’t let me (easily) open video files that I downloaded from the internet
by nixpulvis
4 subcomments
- Alacritty is seemingly affected by this, which sucks for people who install it from homebrew because there's no way the developers are going to shell out to Apple for the signature.
https://github.com/alacritty/alacritty/issues/8749
Does anyone know if self-signed binaries will work?
by jimrandomh
0 subcomment
- I think of homebrew as a curation service; it lets me name a piece of software and install it without having to do any special diligence on it. In that use case, I _want_ them to enforce code-signing requirements; that reduces the risk that some software-supply-chain compromise will spread to my computer.
I do want the ability to install unsigned software, either because I wrote/compiled it myself locally and can't be arsed with signing, or because I'm getting it from a non-public source that doesn't want to share a copy with Apple, or because it's from a developer I trust who can't be arsed. But I never want to get unsigned software _from a curation service_.
by whywhywhywhy
1 subcomments
- Protecting the user from things they don’t realize are apps or new apps in general is important.
But the amount of overreach in gatekeeper to try and make the failed Mac App Store profitable and milk $90 a year at the expense of apps users want to run is egregious.
by buildfocus
2 subcomments
- The contrast between the steadily shrinking freedoms in Apple-land and the open computing approach underlying all of today's Valve announcements is fascinating.
- It may be Apple policy to prevent users from doing what they want because "security" is the most important thing for their bank/shopping terminals. But I thought the whole point of using homebrew was to empower the user to use Apple devices like a normal computer without the hassle of having to do it manually? The developer has made it clear this is not the use case and that where it helped with it, that was unintentional and undesired. The actual use case for homebrew remains unclear given this new information.
by JohnTHaller
1 subcomments
- For a quick background, Apple doesn't allow the typical quarantine bypass of Gatekeeper for ARM64 binaries. It must be digitally signed to run. And Intel based Macs are a dead end with macOS Tahoe being the last OS released for them. So, brew is disabling the --no-quarantine switch in their next major release or so.
From the post: "What alternatives to the feature have been considered?
None. Macs with Apple silicon are the platform that will be supported in the future, and Apple is making it harder to bypass Gatekeeper as is."
by theoldgreybeard
1 subcomments
- This has turned into such a pain point for me I'm probably just going to ditch MacOS on my next hardware refresh and insist on a Linux-based workstation. I already use Linux for everything else, changing for $DAY_JOB is trivial.
- Funny/sad to see this post just under the
"Install your own apps, or even another operating system. Who are we to tell you how to use your computer?"
Turns out you can be both consumer friendly AND have a wildly successful app store. Who knew?!
- Hmm. I use arm64 macports instead of homebrew, and as far as I know, I download prebuilt binaries from macports without issue even on Tahoe -- are they signing them with an approved account? Or did they force me to build everything from scratch, like the old days, and I haven't noticed?
- Also, fuck Apple's entire notarization process.
https://github.com/alacritty/alacritty/issues/8749#issuecomm...
If you want a more level headed overview of code signing differences, you can read this post I wrote back when this issue started coming to a head the first time back in 2021: https://nixpulvis.com/ramblings/2021-02-02-signing-and-notar...
Now, unsurprisingly, more and more distributors are falling in line, and it's all mostly theater.
Where is our modern Stallman? How have we let these massive platform OS providers assert this much control over the developer ecosystem?
They collect $99/yr for the right to give away free software! Madness. And they lie about the safety of the system. How about focus on keeping the OS secure and maintaining process isolation, and let users run what they want.
- Homebrew also started preventing you from installing any packages system-wide with pip
by 0xbadcafebee
3 subcomments
- Homebrew is famous for making life hard for users. It makes "design decisions" that often conflict with users' needs, all in order to live up to the personal preferences of the project leads.
Personally I use asdf to manage my software on Macs. It too has also changed its design recently to become user-hostile (the command-line tool no longer prints the options for the commands, and it's full of bugs since a recent major version change).
For anyone looking to make an alternative to Homebrew: check out asdf's plugin system! It is insanely easy for anyone to make an asdf plugin, install it, use it. It's just a directory of plaintext files/scripts somewhere on the web. I made a couple plugins for unpackaged apps within like 30 minutes of learning how plugins worked. Very "unix philosophy" (in a good way)
(aside: I'm not a "Mac person" (forced to use one by work), so I know this is an unpopular opinion, but Macs feel worse to use than either Windows or Linux. At least Windows has WSL2 if you like command-lines (or PowerShell if you're into that). OTOH Macs ship with insanely outdated incompatible tools, and the 3rd-party options are annoying as hell. Why do technical people keep using Macs?)
by bargainbin
0 subcomment
- Windows and Mac competing to see who can push all their users, and upping the ante every week this year it seems.
- It's somewhat bizarre to me for this to impact "casks" but not "bottles". Bottles are all ad-hoc signed and presumably have the quarantine attribute removed manually since I do not see Gatekeeper warnings for bottles I install via Homebrew.
- Anyone interested in forking homebrew? Seems like they need more competition when it comes to user friendly package managers (macports doesn't count).
It's a pity the original author got lost in the crypto rabbit hole
https://tea.xyz/
There's also Sps2 which is written in Rust but it's very early stage
https://github.com/alexykn/sps2
Breaking the momentum and institutional adoption of homebrew is non-trivial but the developer community needs to band together unless we want to be slaves to Apple's whims forever. The current homebrew maintainer Mike McQuaid clearly had no interest in listening to users.
- FYI, this might be a useful workaround, if you are aware of the “risks”:
“lightweight service for macOS that automatically clears quarantine flags on everything in the given folders”
https://github.com/Absolucy/autoremove-quarantine
- Gatekeeper is just a travesty. I'm moving to Linux with the next laptop purchase.
- Does this mean if I publish my own cask for pre built binaries, people will no longer be able to use it unless I do something with Homebrew's Gatekeeper?
If yes, this sounds a lot like the Android sideloading change that Google just reversed
by davidkellis
1 subcomments
- Does this affect the linux version of homebrew? I'm hoping this has no effect.
- > https://github.com/jdx/mise
Just dropping this here for those who don't know about it.
It solves most of my CLI dependencies.
by shevy-java
0 subcomment
- "Locking this thread. Not interested in arguing the merits of this. It's already been communicated to third parties."
Well!
Note: I think one problem of homebrew is called ... Apple. That is, they depend on whatever Apple decides.
Granted, this is similar to Microsoft; and to some extent to Linux, though people can make more modifications on Linux normally.
I am a Linux user so this does not affect me, and I also wrote my own "package" manager (basically just some ruby scripts to compile things from source), but at the same time I also think that at the end of the day, the user should decide what he or she wants. This is also why my scripts support systemd - I don't use/need systemd myself, but my tools should be agnostic, so I don't project my own opinion onto them.
There is of course a limitation, which is available time - often I just lack time to support xyz. But I keep that spirit alive - software should serve the human, not the other way around. (I have no substantial opinion on the feature itself here, that is to me it seems ok to remove it; the larger question is who dictates something onto users and what workarounds exist. Do workarounds exist? From reading the issue tracker, it seems the homebrew maintainers say that there are no workarounds, and thus it should be removed. If that is true then they have a point, but people also downvoted that, so perhaps there are workarounds - in which case these should be supported. I really don't know myself - to me apple is more like a glorified Windows, so basically the same. All software should be liberated eventually.)
- There will be delicious irony when MacOS is locked down to the point that running homebrew is no longer possible.
by supportengineer
1 subcomments
- It seems this mostly affects Intel systems.
by westondeboer
1 subcomments
- TL;DR
Homebrew is removing --no-quarantine because:
Apple is killing Intel support.
Apple Silicon won’t run unsigned apps anyway.
Homebrew will soon require all apps to pass Gatekeeper.
They don’t want to help users bypass macOS security.
This is basically a security + future-compatibility cleanup.
by sunaookami
0 subcomment
- I use Nix for my CLI needs but homebrew for GUI programs, anyone know of any good alternative? A lot of casks will be removed, like mkvtoolnix-app (the GUI program, not the CLI tool). Also this Mike guy is insufferable.
by andrewmcwatters
0 subcomment
- [dead]
- [dead]
by miketheman
0 subcomment
- [flagged]
- I can run whatever I want on my Windows and Linux machines. I wouldn't put up with this, but I guess some people really feel they need their silly fruit computers.