Module: Cask::Quarantine Private

Extended by:
SystemCommand::Mixin, Utils::Output::Mixin
Defined in:
cask/quarantine.rb

Overview

This module is part of a private API. This module may only be used in the Homebrew/brew repository. Third parties should avoid using this module if possible, as it may be removed or changed without warning.

Helper module for quarantining files.

Defined Under Namespace

Classes: SigningIdentity

Constant Summary collapse

QUARANTINE_ATTRIBUTE =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

"com.apple.quarantine"
USER_APPROVED_FLAG =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

https://github.com/apple-oss-distributions/WebKit/blob/WebKit-7618.2.12.11.6/Source/WebCore/PAL/pal/spi/mac/QuarantineSPI.h#L40-L45

0x0040
QUARANTINE_SCRIPT =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

T.let((HOMEBREW_LIBRARY_PATH/"cask/utils/quarantine.swift").freeze, Pathname)
COPY_XATTRS_SCRIPT =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

T.let((HOMEBREW_LIBRARY_PATH/"cask/utils/copy-xattrs.swift").freeze, Pathname)

Class Method Summary collapse

Methods included from SystemCommand::Mixin

system_command, system_command!

Methods included from Utils::Output::Mixin

issue_reporting_message, odebug, odeprecated, odie, odisabled, ofail, oh1, oh1_title, ohai, ohai_title, onoe, opoo, opoo_outside_github_actions, opoo_without_github_actions_annotation, pretty_deprecated, pretty_disabled, pretty_duration, pretty_install_status, pretty_installed, pretty_uninstalled, pretty_unmarked, pretty_upgradable, pretty_warning

Class Method Details

.app_management_permissions_granted?(app:, command:) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Ensures that Homebrew has permission to update apps on macOS Ventura. This may be granted either through the App Management toggle or the Full Disk Access toggle. The system will only show a prompt for App Management, so we ask the user to grant that.

Parameters:

Returns:

  • (Boolean)


321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
# File 'cask/quarantine.rb', line 321

def self.app_management_permissions_granted?(app:, command:)
  return true unless app.directory?

  # To get macOS to prompt the user for permissions, we need to actually attempt to
  # modify a file in the app.
  test_file = app/".homebrew-write-test"

  # We can't use app.writable? here because that conflates several access checks,
  # including both file ownership and whether system permissions are granted.
  # Here we just want to check whether sudo would be needed.
  looks_writable_without_sudo = if app.owned?
    app.lstat.mode.anybits?(0200)
  elsif app.grpowned?
    app.lstat.mode.anybits?(0020)
  else
    app.lstat.mode.anybits?(0002)
  end

  if looks_writable_without_sudo
    begin
      File.write(test_file, "")
      test_file.delete
      return true
    rescue Errno::EACCES, Errno::EPERM
      # Using error handler below
    end
  else
    begin
      command.run!(
        "touch",
        args:         [
          test_file,
        ],
        print_stderr: false,
        sudo:         true,
      )
      command.run!(
        "rm",
        args:         [
          test_file,
        ],
        print_stderr: false,
        sudo:         true,
      )
      return true
    rescue ErrorDuringExecution => e
      # We only want to handle "touch" errors here; propagate "sudo" errors up
      raise e unless e.stderr.include?("touch: #{test_file}: Operation not permitted")
    end
  end

  # Allow undocumented way to skip the prompt.
  if ENV["HOMEBREW_NO_APP_MANAGEMENT_PERMISSIONS_PROMPT"]
    opoo <<~EOF
      Your terminal does not have App Management permissions, so Homebrew will delete and reinstall the app.
      This may result in some configurations (like notification settings or location in the Dock/Launchpad) being lost.
      To fix this, go to System Settings → Privacy & Security → App Management and add or enable your terminal.
    EOF
  end

  false
end

.available?Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

  • (Boolean)


113
114
115
116
117
# File 'cask/quarantine.rb', line 113

def self.available?
  @quarantine_support ||= T.let(check_quarantine_support, T.nilable([Symbol, T.nilable(String)]))

  @quarantine_support[0] == :quarantine_available
end

.cask!(cask: nil, download_path: nil, action: true) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

  • cask (Cask, nil) (defaults to: nil)
  • download_path (Pathname, nil) (defaults to: nil)
  • action (Boolean) (defaults to: true)


226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
# File 'cask/quarantine.rb', line 226

def self.cask!(cask: nil, download_path: nil, action: true)
  return if cask.nil? || download_path.nil?

  return if detect(download_path)

  odebug "Quarantining #{download_path}"

  swift = self.swift
  raise "unexpected nil swift" if swift.nil?

  quarantiner = system_command(swift,
                               args:         [
                                 *swift_target_args,
                                 QUARANTINE_SCRIPT,
                                 download_path,
                                 cask.url.to_s,
                                 cask.homepage.to_s,
                               ],
                               print_stderr: false)

  return if quarantiner.success?

  case quarantiner.exit_status
  when 2
    raise CaskQuarantineError.new(download_path, "Insufficient parameters")
  else
    raise CaskQuarantineError.new(download_path, quarantiner.stderr)
  end
end

.check_quarantine_supportArray<(Symbol, [String, nil])>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
# File 'cask/quarantine.rb', line 66

def self.check_quarantine_support
  odebug "Checking quarantine support"

  check_output = nil
  swift = self.swift
  status = if !xattr_available?
    odebug "There's no working version of `xattr` on this system."
    :xattr_broken
  elsif swift.nil?
    odebug "Swift is not available on this system."
    :no_swift
  else
    api_check = system_command(swift,
                               args:         [*swift_target_args, QUARANTINE_SCRIPT],
                               print_stderr: false)

    exit_status = api_check.exit_status
    check_output = api_check.merged_output.to_s.strip
    error_output = api_check.stderr.to_s.strip

    case exit_status
    when 2
      odebug "Quarantine is available."
      :quarantine_available
    when 1
      # Swift script ran but failed (likely due to CLT issues)
      odebug "Swift quarantine script failed: #{error_output}"
      if error_output.include?("does not exist") || error_output.include?("No such file")
        :swift_broken_clt
      elsif error_output.include?("compiler") || error_output.include?("SDK")
        :swift_compilation_failed
      else
        :swift_runtime_error
      end
    when 127
      # Command not found or execution failed
      odebug "Swift execution failed with exit status 127"
      :swift_not_executable
    else
      odebug "Swift returned unexpected exit status: #{exit_status}"
      :swift_unexpected_error
    end
  end
  [status, check_output]
end

.copy_xattrs(from, to, command:) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:



299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
# File 'cask/quarantine.rb', line 299

def self.copy_xattrs(from, to, command:)
  odebug "Copying xattrs from #{from} to #{to}"

  swift = self.swift
  raise "unexpected nil swift" if swift.nil?

  command.run!(
    swift,
    args: [
      *swift_target_args,
      COPY_XATTRS_SCRIPT,
      from,
      to,
    ],
    sudo: !to.writable?,
  )
end

.detect(file) ⇒ Boolean?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:

  • (Boolean, nil)


120
121
122
123
124
125
126
127
128
129
130
# File 'cask/quarantine.rb', line 120

def self.detect(file)
  return if file.nil?

  odebug "Verifying Gatekeeper status of #{file}"

  quarantine_status = !status(file).empty?

  odebug "#{file} is #{quarantine_status ? "quarantined" : "not quarantined"}"

  quarantine_status
end

.inherit_user_approval!(download_path: nil) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

  • download_path (Pathname, nil) (defaults to: nil)

Raises:



153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
# File 'cask/quarantine.rb', line 153

def self.inherit_user_approval!(download_path: nil)
  return if !download_path || !detect(download_path)

  # Preserve quarantine provenance so Gatekeeper still checks the upgraded app while carrying forward
  # the user's approval only after the upgrade path verifies that its signing identity is unchanged.
  # https://developer.apple.com/forums/thread/706442
  odebug "Inheriting user approval for #{download_path}"

  xattr = self.xattr
  raise "unexpected nil xattr" if xattr.nil?

  quarantiner = system_command(xattr,
                               args:         [
                                 "-w",
                                 QUARANTINE_ATTRIBUTE,
                                 status(download_path).sub(/\A[0-9a-f]+/i) do |flags|
                                   (flags.to_i(16) | USER_APPROVED_FLAG).to_s(16).rjust(flags.length, "0")
                                 end,
                                 download_path,
                               ],
                               print_stderr: false)

  return if quarantiner.success?

  raise CaskQuarantineReleaseError.new(download_path, quarantiner.stderr)
end

.propagate(from: nil, to: nil) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

Raises:



257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
# File 'cask/quarantine.rb', line 257

def self.propagate(from: nil, to: nil)
  return if from.nil? || to.nil?

  raise CaskError, "#{from} was not quarantined properly." unless detect(from)

  odebug "Propagating quarantine from #{from} to #{to}"

  quarantine_status = toggle_no_translocation_bit(status(from))

  resolved_paths = Pathname.glob(to/"**/*", File::FNM_DOTMATCH).reject(&:symlink?)

  system_command!("/usr/bin/xargs",
                  args:  [
                    "-0",
                    "--",
                    "chmod",
                    "-h",
                    "u+w",
                  ],
                  input: resolved_paths.join("\0"))

  xattr = self.xattr
  raise "unexpected nil xattr" if xattr.nil?

  quarantiner = system_command("/usr/bin/xargs",
                               args:         [
                                 "-0",
                                 "--",
                                 xattr,
                                 "-w",
                                 QUARANTINE_ATTRIBUTE,
                                 quarantine_status,
                               ],
                               input:        resolved_paths.join("\0"),
                               print_stderr: false)

  return if quarantiner.success?

  raise CaskQuarantinePropagationError.new(to, quarantiner.stderr)
end

.release!(download_path: nil) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Fully remove quarantine only when explicitly requested; upgrades preserve it and inherit approval above.

Parameters:

  • download_path (Pathname, nil) (defaults to: nil)

Raises:



204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
# File 'cask/quarantine.rb', line 204

def self.release!(download_path: nil)
  return if !download_path || !detect(download_path)

  odebug "Releasing #{download_path} from quarantine"

  xattr = self.xattr
  raise "unexpected nil xattr" if xattr.nil?

  quarantiner = system_command(xattr,
                               args:         [
                                 "-d",
                                 QUARANTINE_ATTRIBUTE,
                                 download_path,
                               ],
                               print_stderr: false)

  return if quarantiner.success?

  raise CaskQuarantineReleaseError.new(download_path, quarantiner.stderr)
end

.signing_identity(_file) ⇒ SigningIdentity?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:



181
# File 'cask/quarantine.rb', line 181

def self.signing_identity(_file); end

.signing_identity_match(_file, _identity) ⇒ Boolean?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:

  • (Boolean, nil)


187
# File 'cask/quarantine.rb', line 187

def self.signing_identity_match(_file, _identity); end

.status(file) ⇒ String

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:



133
134
135
136
137
138
139
140
# File 'cask/quarantine.rb', line 133

def self.status(file)
  xattr = self.xattr
  raise "unexpected nil xattr" if xattr.nil?

  system_command(xattr,
                 args:         ["-p", QUARANTINE_ATTRIBUTE, file],
                 print_stderr: false).stdout.rstrip
end

.toggle_no_translocation_bit(attribute) ⇒ String

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:



190
191
192
193
194
195
196
197
198
199
200
# File 'cask/quarantine.rb', line 190

def self.toggle_no_translocation_bit(attribute)
  fields = attribute.split(";")

  # Fields: status, epoch, download agent, event ID
  # Let's toggle the app translocation bit, bit 8
  # http://www.openradar.me/radar?id=5022734169931776

  fields[0] = (fields.fetch(0).to_i(16) | 0x0100).to_s(16).rjust(4, "0")

  fields.join(";")
end

.user_approved?(file) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:

  • (Boolean)


143
144
145
146
147
148
149
150
# File 'cask/quarantine.rb', line 143

def self.user_approved?(file)
  return false if xattr.nil?

  quarantine_status = status(file)
  return false if quarantine_status.empty?

  quarantine_status.split(";").fetch(0).to_i(16).anybits?(USER_APPROVED_FLAG)
end

.xattr_available?Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

  • (Boolean)


52
53
54
55
56
57
# File 'cask/quarantine.rb', line 52

def self.xattr_available?
  xattr = self.xattr
  return false if xattr.nil?

  system_command(xattr, args: ["-h"], print_stderr: false).success?
end