Shame on you, Homebrew, for effectively killing FOSS apps from casks.

  • masterspace@lemmy.ca · ↑3 · edited · 1 hour ago

    Code signing should be done though.

    You can disagree with Apple’s approach that maintains them as the only signing authority, but, at a fundamental level, code signing is the only way to distribute an executable and have the user be able to trust who authored it (and thus what’s in it).

  • piyuv@lemmy.world · ↑10 · 6 hours ago

    https://github.com/Homebrew/brew/issues/20755#issuecomment-3330984446

    In the end, the whole point of Gatekeeper is to protect end users as much as reasonable, and continuing to make it easy to bypass isn’t a good thing in my view.

    Whole point of Gatekeeper is Apple policing users’ devices. The security benefit is just a side effect. If anything, users need to be protected from Apple more than small time hackers.

    This is a shame. Big tech brain is affecting developers everywhere.

    Controversial opinion: best way to learn fire will burn you is to try and see. I personally learned a lot about computers by infecting my machine with a shitton of malware when I was a kid. Modern parents are very adamant on letting kids run free and learn stuff by themselves, why not apply the same logic to computers?

    • Noa Himesaka@lemmy.funami.tech (OP) · ↑13 · edited · 9 hours ago

      Yes and no. Yes, it has to be signed, but no, it doesn’t have to be Apple’s signing, it can be ad-hoc signed for the device programmatically. What they’re doing is removing that ability to remove quarantine bits and ad-hoc signing on installation and forcing everything to be Apple-signed.

      EDIT: Ad-hoc signing is compile-time. Quarantine bit just has to be removed at install-time.

      • Noa Himesaka@lemmy.funami.tech (OP) · ↑11 · edited · 9 hours ago

        100% their fault since there’s a way to ad-hoc sign and run, and they’re removing it and sucking Apple’s dick.

        EDIT: and there’s even an example found in one of this post’s comments of a 3rd party cask doing that in preparation of complete flag removal from Homebrew!

  • brax@sh.itjust.works · ↑21 ↓1 · 14 hours ago

    But I thought Mac was just Linux for people who loved to spend money… Seems on brand to me.

  • plz1@lemmy.world · ↑28 · 16 hours ago

    Heh, there goes Librewolf’s only sane updating mechanism. IIRC, the devs of that are vehemently against paying Apple the money to sign the code, and they also fail to provide their own updater. It was one of the main drivers behind my switch to Waterfox.

  • KoalaUnknown@lemmy.world · ↑33 · edited · 16 hours ago

    Their explanation as to why:

    --no-quarantine is used to forcibly bypass Gatekeeper, which is a built-in macOS security mechanism. This is used to run unsigned/unnotarized applications.

    macOS Tahoe is the final release to support Intel systems, and last year Apple updated macOS runtime protection to make it harder to override Gatekeeper. Macs with Apple silicon also don’t “permit native arm64 code to execute unless a valid signature is attached”. Finally, we are ending support for all casks that fail Gatekeeper checks on September 1st, 2026.

    With the above in mind, it’s time to deprecate the --no-quarantine flag from brew. It intentionally bypasses macOS security mechanisms, which we already actively discourage. Deprecating now will give a decent lead time for users using it to come up with another solution or adjust their workflows.

    • arcterus@piefed.blahaj.zone · ↑19 · 15 hours ago

      Deprecating now will give a decent lead time for users using it to come up with another solution or adjust their workflows.

      The adjusted solution/workflow: use something other than homebrew

        • arcterus@piefed.blahaj.zone · ↑14 ↓1 · edited · 13 hours ago

          By doing what homebrew currently does when you pass the --no-quarantine flag, which is call xattr.

          Note that I’d probably support removing --no-quarantine if Apple’s notarization service was free.

          • monogram@feddit.nl · ↑7 · 10 hours ago

            Notarisation, free (as in beer) limits your ability to run your code that (Corporate) doesn’t like, making it inherently non free (as in freedom).

            • arcterus@piefed.blahaj.zone · ↑5 · edited · 9 hours ago

              Yes, but you can still compile the code yourself. It’s only problematic for binary distribution. This is basically a question of balancing security vs. freedom I suppose.

              • monogram@feddit.nl · ↑1 · 4 hours ago

                Talking about balance when google is using the same tricks to crush f-droid is not reading the room.

                • arcterus@piefed.blahaj.zone · ↑1 ↓1 · 2 hours ago

                  Difference is compiling an app from source for Android is not really feasible on Android devices, whereas doing so on macOS is literally built into the package managers for macOS and is generally pretty trivial beyond it taking more time.

                  Also, macOS doesn’t prevent you from running the apps entirely.

      • dreadbeef@lemmy.dbzer0.com · ↑1 · 9 hours ago

        I mean, there’s macports and what else? Is macports even kickin still? No other package managers other than homebrew

  • Korne127@lemmy.world · ↑55 · 18 hours ago

    removing macOS Gatekeeper bypass behaviours

    dafuq? That’s basically the entire point

    So yeah, there will be a fork soon that’s just compatible with the casks. Luckily that is very easy to do / manage

  • M.int@lemmy.zip · ↑22 · 16 hours ago

    The unsigned (FOSS) Apps aren’t removed yet. They will be removed by 2026-09-01. Removing --no-quarantine before that seems counterproductive. And quite frankly removing unsigned Apps at all seems like a stupid idea. Homebrew is a third party package manager, why are they precapitulating to Apple?
    Third party taps (or are they fourth party?) will step in. You can run xattr -d com.apple.quarantine in the .rb file.

    Relevant links.

  • mumblerfish@lemmy.world · ↑10 · 14 hours ago

    I never understood what a “cask” in the brew language means. I just do installs and if the brew install instructions involve a cask I just do it. How do I figure out which packages this will have an effect on on my system?

    • WhatAmLemmy@lemmy.world · ↑4 · 7 hours ago

      brew list --cask

      I think they’ve started flagging unnotarized apps as (deprecated), so maybe do a brew info on each.
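Added example, not part of the thread and not Homebrew's own code: a script that lists which installed casks Homebrew has marked deprecated or disabled, instead of running brew info on each one by hand. It assumes `brew info --json=v2 --cask --installed` returns a `casks` array whose entries carry `token`, `deprecated`, `deprecation_date`, `deprecation_reason`, `disabled`, `disable_date` and `disable_reason`; the sample data is constructed.

```python
import json
import shutil
import subprocess

# Constructed sample in the assumed shape of
# `brew info --json=v2 --cask --installed` (tokens and reason text are made up).
SAMPLE = json.dumps({
    "formulae": [],
    "casks": [
        {"token": "example-signed-app", "deprecated": False, "disabled": False},
        {"token": "example-unsigned-app", "deprecated": True,
         "deprecation_date": "2026-09-01",
         "deprecation_reason": "constructed reason text",
         "disabled": False},
    ],
})


def flagged_casks(brew_json):
    """Return sorted (token, status, date, reason) for deprecated/disabled casks."""
    flagged = []
    for cask in json.loads(brew_json).get("casks", []):
        if cask.get("disabled"):
            flagged.append((cask["token"], "disabled",
                            cask.get("disable_date"), cask.get("disable_reason")))
        elif cask.get("deprecated"):
            flagged.append((cask["token"], "deprecated",
                            cask.get("deprecation_date"),
                            cask.get("deprecation_reason")))
    return sorted(flagged, key=lambda row: row[0])


def installed_cask_json():
    """Query brew when it is installed; otherwise fall back to the sample."""
    if shutil.which("brew") is None:
        return SAMPLE
    result = subprocess.run(
        ["brew", "info", "--json=v2", "--cask", "--installed"],
        check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    for token, status, date, reason in flagged_casks(installed_cask_json()):
        print(f"{token}: {status} (date: {date}, reason: {reason})")
```
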

    • SuperUserDO@piefed.ca · ↑9 ↓1 · 14 hours ago

      Casks are as a rule GUI applications. So if you want to install Firefox with homebrew you would need to install it via a cask.

      • Chaser@lemmy.zip · ↑1 · 3 hours ago

        I don’t use Bazzite. But if you have any pro arguments for Brew, feel free to share them. Change my mind.

        • ianonavy@lemmy.world · ↑2 · 3 hours ago

          I don’t really have an opinion, just an observation that switching back to Linux for me did not take me away from Homebrew

    • stupidcasey@lemmy.world · ↑28 ↓2 · 17 hours ago

      True but I desperately need no compatibility, closed source, AppleCare, expensive hardware, limited lifespan, lock in … What did you call it Linux?

    • chocrates@piefed.world · ↑22 ↓1 · 17 hours ago

      I’m stuck with it at work. Plus Linux usually sucks on Mac for a long time while drivers get written

        • chocrates@piefed.world · ↑2 · 5 hours ago

          I’ll check it out. I gave up and flashed Mac back on it and gave it to my sister. At least she’s off windows now.

          Only pc I have that I can do anything with is a Thinkpad with linux

      • Chaser@lemmy.zip · ↑2 ↓2 · 10 hours ago

        I feel you. Once I was forced to code on a mac too. It made me insane ☠️

        • chocrates@piefed.world · ↑1 · 5 hours ago

          Even with wsl windows was a much bigger pain imo.

          Right now the biggest issue is my company end point security

          • Chaser@lemmy.zip · ↑1 · 3 hours ago

            Pre-11 windows was at least less buggy than Mac OS. But I agree: It’s a big pain too! Linux just works better for me.

  • Nate Cox@programming.dev · ↑9 · 18 hours ago

    Well, I’m pretty happy that I’ve moved most of my app downloads to a nix config I guess.

    Seems like a bigger change than deserves to be buried in the changelog. I wonder what the intent here is.