
Posted by firexcy 8 hours ago

Homebrew no longer allows bypassing Gatekeeper for unsigned/unnotarized software (github.com)
157 points | 134 comments | page 2
theoldgreybeard 7 hours ago
This has turned into such a pain point for me I'm probably just going to ditch MacOS on my next hardware refresh and insist on a Linux-based workstation. I already use Linux for everything else, changing for $DAY_JOB is trivial.
haunter 6 hours ago
Funny/sad to see this post just under the

"Install your own apps, or even another operating system. Who are we to tell you how to use your computer?"

Turns out you can be both consumer friendly AND have a wildly successful app store. Who knew?!

buildfocus 7 hours ago
The contrast between the steadily shrinking freedoms in Apple-land and the open computing approach underlying all of today's Valve announcements is fascinating.
hoherd 7 hours ago
I switched from Linux to macOS with osx 10.2.8 because it was a much better unix desktop experience. Lately, more and more I've been feeling a lot like linux is a better desktop experience.

Yeah yeah, I'm sure there's a whole line of people who'd like to mock this entire decision, but I assure you that back then, a lot of us would rather use our desktop OS than fix our desktop OS's broken 802.11b, audio, graphics, etc. And back then, osx shipped x11, and you could `ssh -Y` and `xnest` and all that fun stuff. Plus linux (and other unixes) never left my side for headless work.

Top this off with all the Android lockdown, and I feel like linux and FLOSS has maybe never been as important as it is now.

bluescrn 7 hours ago
Yet Valve have still managed to maintain a dominant 'App Store' without having to rely on locked-down platforms.
skygazer 7 hours ago
Hmm. I use arm64 macports instead of homebrew, and as far as I know, I download prebuilt binaries from macports without issue even on Tahoe -- are they signing them with an approved account? Or did they force me to build everything from scratch, like the old days, and I haven't noticed?
woodruffw 7 hours ago
This doesn't affect most prebuilt binaries. It specifically affects what Homebrew calls "casks," which are redistributions of .app bundles (which come with additional restrictions via Gatekeeper, unlike a "simple" binary).
jimrandomh 7 hours ago
I think of homebrew as a curation service; it lets me name a piece of software and install it without having to do any special diligence on it. In that use case, I _want_ them to enforce code-signing requirements; that reduces the risk that some software-supply-chain compromise will spread to my computer.

I do want the ability to install unsigned software, either because I wrote/compiled it myself locally and can't be arsed with signing, or because I'm getting it from a non-public source that doesn't want to share a copy with Apple, or because it's from a developer I trust who can't be arsed. But I never want to get unsigned software _from a curation service_.

fudged71 6 hours ago
Homebrew also started preventing you from installing any packages system-wide with pip
woodruffw 4 hours ago
This is true, but also misleading: Homebrew did what every major "distro-level" package manager did, which was conform to PEP 668[1].

(This, as it turns out, was a great idea. A single global shared environment that pip used by default was one of the single greatest sources of user frustration in Python.)

[1]: https://peps.python.org/pep-0668/

kstrauser 4 hours ago
No, pip itself did that, and fortunately. It’s a setting you can disable if you want to be able to accidentally trash your environment.
saagarjha 3 hours ago
I want to purposefully trash my environment
kstrauser 1 hour ago
Pip will let you! You just have to ask it nicely.
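
The PEP 668 mechanism discussed in the comments above, as an added example that is not part of the thread: a distribution marks its Python as externally managed by placing an `EXTERNALLY-MANAGED` file in the interpreter's stdlib directory, and an installer checks for it when it is not running inside a virtual environment. The function names below are this example's own.

```python
import configparser
import sys
import sysconfig
from pathlib import Path

MARKER = "EXTERNALLY-MANAGED"  # marker file name defined by PEP 668


def in_virtual_env():
    # PEP 668: the marker only applies outside a virtual environment.
    return sys.prefix != sys.base_prefix


def read_marker(stdlib_dir):
    """Return (managed, message) for the interpreter whose stdlib is stdlib_dir."""
    marker = Path(stdlib_dir) / MARKER
    if not marker.is_file():
        return False, None
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read(marker, encoding="utf-8")
        # The distributor's explanation lives under [externally-managed] Error=...
        message = parser.get("externally-managed", "Error", fallback=None)
    except (configparser.Error, UnicodeDecodeError):
        # An unparseable marker still marks the environment as managed.
        message = None
    return True, message


def check_current_interpreter():
    """Apply the check to the interpreter running this script."""
    if in_virtual_env():
        return False, None
    return read_marker(sysconfig.get_path("stdlib"))


if __name__ == "__main__":
    managed, message = check_current_interpreter()
    print("externally managed:", managed)
    if message:
        print(message.strip())
```

pip refuses to install into an environment that carries this marker unless it runs inside a virtual environment or is given `--break-system-packages`.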
JohnTHaller 7 hours ago
For a quick background, Apple doesn't allow the typical quarantine bypass of Gatekeeper for ARM64 binaries. It must be digitally signed to run. And Intel based Macs are a dead end with macOS Tahoe being the last OS released for them. So, brew is disabling the --no-quarantine switch in their next major release or so.

From the post: "What alternatives to the feature have been considered?

None. Macs with Apple silicon are the platform that will be supported in the future, and Apple is making it harder to bypass Gatekeeper as is."

Aaron2222 51 minutes ago
While it is true that macOS requires binaries to have a digital signature, that can just be an ad-hoc signature. Other than that, not much has changed. Gatekeeper (and the ability to bypass it for specific apps/binaries) works much the same for unsigned Intel binaries as for ad-hoc signed Apple Silicon binaries.
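
The distinction drawn in this sub-thread between unsigned, ad-hoc signed and certificate-signed code, as an added example that is not part of the thread: a small classifier over the text that `codesign -dvv <path>` reports. The sample outputs are constructed for illustration, and the function name and category labels are this example's own.

```python
# Constructed samples of `codesign -dvv <path>` output (not captured from real apps).
ADHOC = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=10+3 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""
DEVELOPER_ID = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20500 size=512 flags=0x10000(runtime) hashes=10+3 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
UNSIGNED = "/Applications/Example.app: code object is not signed at all\n"


def classify_signature(codesign_output):
    """Return (kind, team_id); kind is unsigned, ad-hoc, developer-id or other-signed."""
    if "code object is not signed at all" in codesign_output:
        return "unsigned", None
    fields, authorities = {}, []
    for line in codesign_output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            authorities.append(value)  # certificate chain, leaf first
        else:
            fields[key] = value
    if fields.get("Signature") == "adhoc":
        # Ad-hoc: the code is signed, but there is no certificate behind it,
        # so the signature says nothing about who built the code.
        return "ad-hoc", None
    team = fields.get("TeamIdentifier")
    if authorities and authorities[0].startswith("Developer ID Application:"):
        # A certificate-backed identity; notarization is a separate check
        # that this parser does not decide.
        return "developer-id", team
    return "other-signed", team


if __name__ == "__main__":
    for sample in (ADHOC, DEVELOPER_ID, UNSIGNED):
        print(classify_signature(sample))
```

`codesign` writes these details to stderr, so capture that stream when feeding real output to the function.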
nixpulvis 3 hours ago
Also, fuck Apple's entire notarization process.

https://github.com/alacritty/alacritty/issues/8749#issuecomm...

If you want a more level headed overview of code signing differences, you can read this post I wrote back when this issue started coming to a head the first time back in 2021: https://nixpulvis.com/ramblings/2021-02-02-signing-and-notar...

Now, unsurprisingly, more and more distributors are falling in line, and it's all mostly theater.

Where is our modern Stallman? How have we let these massive platform OS providers assert this much control over the developer ecosystem?

They collect $99/yr for the right to give away free software! Madness. And they lie about the safety of the system. How about focus on keeping the OS secure and maintaining process isolation, and let users run what they want.

bargainbin 7 hours ago
Windows and Mac competing to see who can push all their users, and upping the ante every week this year it seems.
Rockjodd 6 hours ago
> https://github.com/jdx/mise

Just dropping this here for those who don't know about it. It solves most of my CLI dependencies.
