cask/audit: update signing checks for app, binary, and pkg #17031
Conversation
krehel
changed the title
krehel
force-pushed
the
update-artifact-audit
branch
from
118e066
to
7cd11b7
Compare
There was a problem hiding this comment.
Great work so far, thanks @krehel!
This is still not complete, as this will still fail some valid Casks (such as GitHub Desktop)
What's the failure? A (unnotarized) binary? If so: I think we should just make that check strict only.
Library/Homebrew/cask/audit.rb
Outdated
| when Artifact::App | ||
| system_command("spctl", args: ["--assess", "--type", "execute", path], print_stderr: false) | ||
| when Artifact::Binary | ||
| system_command("codesign", args: ["-vvvv", "-R=notarized", "--check-notarization", path], |
There was a problem hiding this comment.
I think checking for notarisation should be a separate (strict) check. My understanding is it's not required for ARM/Gatekeeper/Quarantine.
The message below can also probably remove "notarize" from it, too.
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
|
@krehel What's the latest here? |
|
@MikeMcQuaid sorry about that. Will pick this up and see if I can get it over the line. Need to solve some corner cases involving binaries. |
krehel
force-pushed
the
update-artifact-audit
branch
from
7cd11b7
to
30bf2c5
Compare
krehel
force-pushed
the
update-artifact-audit
branch
from
30bf2c5
to
344a502
Compare
| @@ -22,7 +22,7 @@ def extract_nestedly(to: nil, basename: nil, verbose: false, prioritize_extensio | |||
|
|
|||
| sig { override.params(unpack_dir: Pathname, basename: Pathname, verbose: T::Boolean).returns(T.untyped) } | |||
| def extract_to_dir(unpack_dir, basename:, verbose: false) | |||
| FileUtils.cp path, unpack_dir/basename, preserve: true, verbose: | |||
| FileUtils.cp path, unpack_dir/basename.sub(/^[\da-f]{64}--/, ""), preserve: true, verbose: | |||
There was a problem hiding this comment.
I noticed during the audit signing that this caused audit to fail as the paths didn't exist. This applied to direct binary downloads only. Making this adjustment now causes the paths to be found.
|
|
||
| next unless path.exist? |
There was a problem hiding this comment.
This was silently skipping over paths not found, which was causing us not to audit direct binary downloads properly.
| when Artifact::Pkg | ||
| system_command("spctl", args: ["--assess", "--type", "install", path], print_stderr: false) | ||
| when Artifact::App | ||
| system_command("spctl", args: ["--assess", "--type", "execute", path], print_stderr: false) | ||
| when Artifact::Binary | ||
| system_command("codesign", args: ["--verify", path], print_stderr: false) | ||
| else | ||
| add_error "Unknown artifact type: #{artifact.class}", location: cask.url.location | ||
| end |
There was a problem hiding this comment.
Tested against a range of applications and binaries, this reports the same as tools like Apparency and Whatsyoursign.
Happy to publish a results report run against applications locally for review.
There was a problem hiding this comment.
No, I believe you, great work!
| @@ -482,13 +482,25 @@ def audit_signing | |||
| odebug "Auditing signing" | |||
|
|
|||
| extract_artifacts do |artifacts, tmpdir| | |||
| is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) } | |||
There was a problem hiding this comment.
If there's a standalone binary (typically a shell script) included in or with an application bundle, we can skip auditing it.
Many times those scripts aren't signed, but if the application is we'll consider it trusted. If the app isn't trusted, it will fail the normal check.
| @@ -482,13 +482,25 @@ def audit_signing | |||
| odebug "Auditing signing" | |||
|
|
|||
| extract_artifacts do |artifacts, tmpdir| | |||
| is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) } | |||
| when Artifact::Pkg | ||
| system_command("spctl", args: ["--assess", "--type", "install", path], print_stderr: false) | ||
| when Artifact::App | ||
| system_command("spctl", args: ["--assess", "--type", "execute", path], print_stderr: false) | ||
| when Artifact::Binary | ||
| system_command("codesign", args: ["--verify", path], print_stderr: false) | ||
| else | ||
| add_error "Unknown artifact type: #{artifact.class}", location: cask.url.location | ||
| end |
There was a problem hiding this comment.
No, I believe you, great work!
|
Thanks @MikeMcQuaid - apologies it took a bit to pick back up, will do better going forward ❤️ |
|
@krehel Zero apologies needed, thanks for the PR! |
brew stylewith your changes locally?brew typecheckwith your changes locally?brew testswith your changes locally?POC changes to address some issues in auditing Casks, where we are failing some valid Casks.
This doc used as the source material for updating the checks. Based on it, the checks should be different where it is an app, a pkg, or a binary.
This is still not complete, as this will still fail some valid Casks (such as GitHub Desktop), and we need to implement (IMHO) some checking directly DMG's to check signature. But hopeful this kickstarts a conversation.