kragen 9 hours ago

I don't understand what this means, although I've read the whole thread. Does this mean people won't be able to use Homebrew to compile software from source (and run it)? Does it mean that they'll be able to use Homebrew to compile software from source, but not download prebuilt binaries (and run them)? Does it mean that they'll be able to download prebuilt binaries, but only run them if they're built by a developer that Apple has blessed?

I do understand that the effect is only to make Intel Macs adopt the same behavior ARM64 Macs already had, but I don't understand what that behavior is.

I see that someone named andrewmcwatters has posted a [dead] reply to my comment that doesn't answer my questions, just repeating the same jargon from the bug report that I don't know the meaning of.

woodruffw 9 hours ago | parent | next [-]

> Does this mean people won't be able to use Homebrew to compile software from source (and run it)? Does it mean that they'll be able to use Homebrew to compile software from source, but not download prebuilt binaries (and run them)?

No, and no. This only affects Casks, which are prebuilt .app bundles that Homebrew has no part in building (either locally or remotely). Formulae (source builds) and bottles (builds of formulae within Homebrew) are not directly affected by any of this.

kragen 8 hours ago | parent [-]

Can any random person build things from source, or do they need to be blessed by Apple?

woodruffw 8 hours ago | parent | next [-]

The answer to this is nuanced because of how it works, but the short answer is yes: you can build random things from source and run them, and you can download random binaries from the internet and run them. The only thing that Homebrew itself is changing is that it no longer provides an automatic way to lift the quarantine bit from a specific subset of binary packages (casks).

kragen 8 hours ago | parent [-]

I see, thanks!

dalenw 8 hours ago | parent | prev [-]

For Mac, yes and no. IIRC you don't need a developer's license to build and sign software for yourself. But you do need one to distribute pre-built software.

watermelon0 8 hours ago | parent [-]

You can still run unsigned software, but you need to approve 2? prompts, and also allow an exception for every executable by going to the Privacy & Security tab in settings.

IIRC there is a CLI command for achieving the same.

saagarjha 5 hours ago | parent [-]

You can’t run unsigned software on Apple silicon. Note that when you build your software, if you use Apple’s tools, it will inject an ad-hoc signature into the product.

kragen 5 hours ago | parent [-]

That seems like it would interfere with reproducible builds.

saagarjha 5 hours ago | parent [-]

The signature that gets added is vaguely a hash of the binary. You probably want to look at the UUID that gets injected into your binary instead of this.

probably_wrong 8 hours ago | parent | prev | next [-]

This is my understanding after a moderate dive into the issue.

Binaries in macOS have a signature and a set of flags. One of those flags is the "quarantine" flag that, when set, refuses to run your binary until some extra security checks have been performed (checking against a malware database, asking the user for consent, etc). Once this check is done, the flag is unset.

Usually this flag has to be set by the app you use to download the binary - in most cases it would be the web browser, but here it would be Homebrew. They used to provide a --no-quarantine flag to prevent this bit from being set, but given some changes both in macOS and in the Homebrew project it's been decided to stop offering that option. You can still unset the flag by hand, no root required, but that's on you as a user.

I believe this is a strong nudge in the direction of "for a user-friendly experience you should sign your binaries", but not a full ban.
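Added example (not code from any commenter): a small Python helper that decodes the com.apple.quarantine extended attribute the comment above describes, so a defender can see which agent tagged a file and when. It assumes the commonly documented layout "hexflags;hextime;agent;uuid", reads live files through macOS's `xattr -p`, and uses constructed sample values.

```python
import datetime
import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass
class QuarantineInfo:
    flags: int                        # raw hex flags field, left undecoded
    downloaded_at: datetime.datetime  # when the downloading app tagged the file
    agent: str                        # app that set the attribute (browser, Homebrew, ...)
    event_id: Optional[str]           # key into the per-user QuarantineEvents database


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse a com.apple.quarantine value: "<hex flags>;<hex unix time>;<agent>;<uuid>".
    The uuid field is optional on older entries."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine attribute: {value!r}")
    flags = int(parts[0], 16)
    when = datetime.datetime.fromtimestamp(int(parts[1], 16),
                                           tz=datetime.timezone.utc)
    event_id = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineInfo(flags, when, parts[2], event_id)


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Read the attribute from a real file with xattr(1) on macOS; None if unset."""
    proc = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                          capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return parse_quarantine(proc.stdout)


def by_agent(records):
    """Group (path, attribute value) pairs by the agent that quarantined them."""
    out = {}
    for path, attr in records:
        info = parse_quarantine(attr)
        out.setdefault(info.agent, []).append((path, info.downloaded_at))
    return out


# Constructed sample attribute values and paths (not taken from any real system).
SAMPLE = [
    ("/Applications/Foo.app/Contents/MacOS/Foo",
     "0083;5f3a2c1b;Safari;DEADBEEF-0000-4000-8000-000000000001"),
    ("/opt/homebrew/Caskroom/bar/1.0/Bar.app/Contents/MacOS/Bar",
     "0083;5f3a2c1c;Homebrew"),
]

if __name__ == "__main__":
    for agent, files in by_agent(SAMPLE).items():
        print(agent, files)
```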

superkuh 8 hours ago | parent [-]

Or more explicitly, "for a user-friendly experience you should pay apple and ask them please to sign your binaries every year"

shevy-java 9 hours ago | parent | prev | next [-]

I don't know either (right now). They closed the discussion, so they don't want people to talk about it.

Perhaps someone with more information will chime in, who isn't a homebrew maintainer.

tom_ 8 hours ago | parent | prev | next [-]

There'll be some way to make it work, possibly indeed that the Homebrew people get approved by Apple, because MacPorts works ok, and it seems to be downloading precompiled binaries (and if it isn't, then my Mac is actually faster than I've ever seen it run). And if MacPorts can do it, presumably Homebrew can do it too.

Building stuff yourself remains an option, even if you're unapproved. The toolchain pops the codesign step in at some point, I guess, and if you built it locally then you can run it locally. I just did cc -o on some bit of code on an Apple Silicon Mac, and the resulting binary did run.

(You can also run binaries that unapproved people built on other systems, but it's a minor pain, as you have to explicitly opt in to allowing each runnable file to run.)

woodruffw 8 hours ago | parent | next [-]

MacPorts and Homebrew behave identically here: precompiled binaries are not affected, only .app (and similar) bundles.

(People find this confusing, because Homebrew does a superset of what MacPorts does: it distributes both source/binary packages and it distributes "casks", which are essentially a CLI-friendly version of the App Store and come with macOS's additional restrictions on applications. This only affects casks.)

saagarjha 5 hours ago | parent [-]

The hierarchy is actually a little more complicated than this. MacPorts can and does build open source GUI apps (in fact it largely rejects binaries for them, preferring to build them directly). Homebrew rejects GUI apps from being built from source. Because Homebrew downloads apps from the internet, it marks them with the quarantine attribute, which means more apps that it handles will be flagged by Gatekeeper.

kragen 8 hours ago | parent | prev [-]

I see, thanks! Is cc installed by default? I remember when my ex-wife had a Mac she had to sign up for Apple's developer program to get compilers installed.

pyth0 8 hours ago | parent | next [-]

You don't need to sign up for a developer program, or even download the full Xcode IDE. You do need to install the compiler tools with

  xcode-select --install

kragen 8 hours ago | parent [-]

I see, thanks! That clarifies things a lot.

justincormack 8 hours ago | parent | prev | next [-]

You don't have to join the dev program but you have to install it.

tom_ 8 hours ago | parent | prev [-]

No idea what you get out of the box, or what /usr/bin/cc actually is and does, but it looks like the underlying compiler is the clang that came with Xcode, which I installed from the app store. I do have an Apple account, but I don't think it's signed up to Apple's developer program... at least, probably not? I'm not paying them for this, anyway.

jiehong 8 hours ago | parent | prev | next [-]

Like you won’t be able to install clickhouse from homebrew for as long as clickhouse produces unsigned binaries.

It’s the only one affected that I currently use.

omcnoe 8 hours ago | parent | prev | next [-]

All it means is that applications downloaded/installed via Homebrew will no longer be able to bypass the Gatekeeper signing/notarization requirement on Intel platforms (already is the case on Arm).

If you didn't need to install a cask with this flag before you won't be impacted by the deprecation.

andrewmcwatters 9 hours ago | parent | prev [-]

Casks won’t be able to bypass Gatekeeper, so now you can’t launch .apps from brew that aren’t notarized.

So, you might as well just use the App Store.

zeckalpha 4 hours ago | parent [-]

Brew Casks are quite different from the App Store, but there is a CLI for the App Store if you want that: https://github.com/mas-cli/mas