
Posted by firexcy 11/12/2025

Homebrew no longer allows bypassing Gatekeeper for unsigned/unnotarized software (github.com)
345 points | 287 comments | page 3
0xbadcafebee 11/12/2025|
Homebrew is famous for making life hard for users. It makes "design decisions" that often conflict with users' needs, all in order to live up to the personal preferences of the project leads.

Personally I use asdf to manage my software on Macs. It too has also changed its design recently to become user-hostile (the command-line tool no longer prints the options for the commands, and it's full of bugs since a recent major version change).

For anyone looking to make an alternative to Homebrew: check out asdf's plugin system! It is insanely easy for anyone to make an asdf plugin, install it, use it. It's just a directory of plaintext files/scripts somewhere on the web. I made a couple plugins for unpackaged apps within like 30 minutes of learning how plugins worked. Very "unix philosophy" (in a good way)

(aside: I'm not a "Mac person" (forced to use one by work), so I know this is an unpopular opinion, but Macs feel worse to use than either Windows or Linux. At least Windows has WSL2 if you like command-lines (or PowerShell if you're into that). OTOH Macs ship with insanely outdated incompatible tools, and the 3rd-party options are annoying as hell. Why do technical people keep using Macs?)

queenkjuul 11/13/2025||
Apple loves to change which tools they ship, too, or at least have for the last few years as system updates were routinely breaking our build scripts at work, mostly when Apple would replace a GNU tool with a BSD tool without warning I think.

I agree though, Finder is a joke, the macOS system preferences has gotten incredibly cluttered and hard to use, the ever stricter code signing and download-opening restrictions are frustrating, and I can't even just install and run the docker CLI--docker on Mac requires Desktop and commercial use of Desktop requires a license.

All 3 systems have things about them that annoy me, but I'm with you that Mac is my least favorite. And it kinda sucks because the global text shortcuts (command-arrow, command-delete etc) are really handy and hard to replicate on other systems, and at least traditionally it's been a very pretty and well integrated desktop, the system itself just drives me up a wall.

alwillis 11/13/2025|||
> Apple loves to change which tools they ship, too, or at least have for the last few years as system updates were routinely breaking our build scripts at work, mostly when Apple would replace a GNU tool with a BSD tool without warning I think.

It's a licensing issue; Apple has never shipped GPLv3 software. This has been discussed dozens of times on HN.

Of course you can use Homebrew to install a GNU toolchain to your heart's content.

alwillis 11/13/2025|||
Just FYI: macOS has been a BSD-derived operating system from the beginning, using stuff from FreeBSD, OpenBSD and NetBSD on a Mach kernel. It’s a certified UNIX™ operating system.

And because GPLv3 is incompatible with how Apple operates, they ship versions of pre-GPLv3 software like Bash 3.2.

Apple now ships openrsync [1] as a replacement for rsync due to licensing issues.

[1]: https://appleinsider.com/inside/macos-sequoia/tips/what-you-...

0xbadcafebee 11/13/2025||||
Well there's now an MIT-licensed Rust rewrite of GNU coreutils. Maybe in a few years they'll ship that, and we won't have to faff about with crappy 3rd party solutions. (I mean, seriously, when Windows ships with better dev tools than you? That's embarrassing.)
queenkjuul 11/16/2025||||
I'd have sworn they used to ship nano instead of pico; but I could be misremembering, regardless, the behavior of the tools changed and the only solution was to install the GNU version from brew (and later, move the whole build to docker when Apple broke something else that used to work fine on both Mac and Linux)
Aaron2222 11/13/2025|||
> I can't even just install and run the docker CLI--docker on Mac requires Desktop and commercial use of Desktop requires a license.

That's not on Apple. Docker needs the Linux kernel (for Linux containers), so it's no different to needing something like Docker Desktop to use Docker on Windows. Yeah, Docker changed the license on Docker Desktop, but there's plenty of alternatives (Podman Desktop, Rancher Desktop, Colima, Apple's own container tool, or just running a Linux VM in Lima).

yaris 11/13/2025|||
(I may be wrong here but) under the hood Docker on macOS runs a small Linux VM where all containers live, exactly because containers are basically Linux namespaces on steroids so not portable 1:1 to anywhere.
queenkjuul 11/16/2025|||
I'm not blaming Apple for it, but it makes me dislike their platform more regardless
EasyMark 11/24/2025|||
Windows makes the irritations of Mac seem tiny in comparison. Especially with them starting to move more and more to push AI into monitoring and screen capturing and keylogging literally everything you do or will ever do in the operating system. A great big No Thanks to that.
Onavo 11/12/2025||
Try mise

https://mise.jdx.dev/dev-tools/comparison-to-asdf.html

bargainbin 11/12/2025||
Windows and Mac competing to see who can push all their users, and upping the ante every week this year it seems.
skrrtww 11/13/2025||
It's somewhat bizarre to me for this to impact "casks" but not "bottles". Bottles are all ad-hoc signed and presumably have the quarantine attribute removed manually since I do not see Gatekeeper warnings for bottles I install via Homebrew.
wpm 11/13/2025|
Downloaded files that are not executable or contain any executables in their archives don’t receive the quarantine bit. Non-quarantined executables don’t even require the ad-hoc signing as far as I know. It’s there to prevent lateral movement of executables: not to allow it to run on your computer, but to prevent it from running on someone else’s.
Onavo 11/12/2025||
Anyone interested in forking homebrew? Seems like they need more competition when it comes to user friendly package managers (macports doesn't count).

It's a pity the original author got lost in the crypto rabbit hole

https://tea.xyz/

There's also Sps2 which is written in Rust but it's very early stage

https://github.com/alexykn/sps2

Breaking the momentum and institutional adoption of homebrew is non-trivial but the developer community needs to band together unless we want to be slaves to Apple's whims forever. The current homebrew maintainer Mike McQuaid clearly had no interest in listening to users.

wl 11/13/2025||
Mike McQuaid has been doing this a long time and there are more egregious examples in the past. I got off the Homebrew train when Little Snitch caught Homebrew phoning home without my consent and the response from him was, the developers have already decided to implement telemetry in an opt-out fashion and any pushback to that already made decision is "abusive" to the maintainers.

The Homebrew maintainers are not trustworthy. Don't use their software. If a fork was going to be feasible, it already would have happened.

Onavo 11/13/2025||
I think mise has a real chance of being a homebrew replacement, if the author chooses to take up the mantle.
eviks 11/13/2025||
Unfortunately, requires root, no Intel mac, no reuse of the large brew manifest library... The first 3 opened issues capture the core deficiencies perfectly
DavideNL 11/13/2025||
Fyi, this might be a useful workaround, if you are aware of the “risks” :

“lightweight service for macOS that automatically clears quarantine flags on everything in the given folders”

https://github.com/Absolucy/autoremove-quarantine

WhyOhWhyQ 11/13/2025||
Gatekeeper is just a travesty. I'm moving to Linux with the next laptop purchase.
verdverm 11/13/2025||
Does this mean if I publish my own cask for pre built binaries, people will no longer be able to use it unless I do something with Homebrew's Gatekeeper?

If yes, this sounds a lot like the Android side loading that Google just reversed

davidkellis 11/12/2025||
Does this affect the linux version of homebrew? I'm hoping this has no effect.
angulardragon03 11/12/2025|
No, because there is no codesigning/notarization on Linux.
Rockjodd 11/12/2025||
> https://github.com/jdx/mise

Just dropping this here for those who don't know about it. It solves most of my CLI dependencies.

shevy-java 11/12/2025|
"Locking this thread. Not interested in arguing the merits of this. It's already been communicated to third parties."

Well!

Note: I think one problem of homebrew is called ... Apple. That is, they depend on whatever Apple decides.

Granted, this is similar to Microsoft; and to some extent to Linux, though people can make more modifications on Linux normally.

I am a Linux user so this does not affect me, and I also wrote my own "package" manager (basically just some ruby scripts to compile things from source), but at the same time I also think that at the end of the day, the user should decide what he or she wants. This is also why my scripts support systemd - I don't use/need systemd myself, but my tools should be agnostic, so I don't project my own opinion onto them.

There is of course a limitation, which is available time - often I just lack time to support xyz. But I keep that spirit alive - software should serve the human, not the other way around. (I have no substantial opinion on the feature itself here, that is to me it seems ok to remove it; the larger question is who dictates something onto users and what workarounds exist. Do workarounds exist? From reading the issue tracker, it seems the homebrew maintainers say that there are no workarounds, and thus it should be removed. If that is true then they have a point, but people also downvoted that, so perhaps there are workarounds - in which case these should be supported. I really don't know myself - to me apple is more like a glorified Windows, so basically the same. All software should be liberated eventually.)
