Why are executables installed with Homebrew trusted on macOS?


I have a stupid question about Homebrew: Why are executables that I install via Homebrew trusted by macOS (Gatekeeper)? I.e., after installation I can run an executable and don't get a security popup and don't have to allow an exception. Why is that?

I initially thought that Homebrew might sign/notarize the binaries in their CI, but looking at some random executables it doesn't look like they have a signature: spctl -a -v $(which <some-executable-installed-with-homebrew>).

Edit: meaning executables installed from bottles (pre-compiled binaries, not source packages compiled on my local machine).

Woodstock On BEST ANSWER

There is no quarantine flag for a CLI app downloaded with curl. Homebrew uses UNIX core tools to download the bottles, and thus they don't have this flag set.

Next, Homebrew also ad-hoc signs binaries.

Don't confuse code signing with notarisation.

Notarisation is where Apple vouches for software signed with a dev cert private key.

They cannot notarise ad-hoc signed software (like Homebrew bottles) by definition.

Now when my executable is NOT notarized it terminates with "Killed: 9", regardless if there's a quarantine attribute or not.

This is happening, I would speculate, because the binary here isn't ad-hoc signed. Nothing to do with notarisation.

I bet you are on Apple Silicon, right?
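
The two properties the answer above relies on, the quarantine attribute and the kind of signature, can be checked for any installed binary. The script below is an added example, not part of the original answer; the function names and the assumed layout of the quarantine value (flags;hex-time;agent;uuid) are this example's own, and `<tool>` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. On macOS: sh triage.sh "$(which <tool>)"

# Classify the text that `codesign -dvv <file>` prints.
signature_kind() {
    case "$1" in
        *"Signature=adhoc"*)   echo adhoc ;;     # signed, but with no identity behind it
        *"not signed at all"*) echo unsigned ;;
        *"Authority="*)        echo identity ;;  # certificate chain present
        *)                     echo unknown ;;
    esac
}

# Interpret a com.apple.quarantine value (assumed layout: flags;hex-time;agent;uuid).
# An empty value means the attribute is absent, as for a curl download.
quarantine_state() {
    if [ -z "$1" ]; then
        echo not-quarantined
    else
        agent=$(printf '%s' "$1" | cut -d';' -f3)
        echo "quarantined-by:${agent:-unknown}"
    fi
}

# $1 = quarantine value (may be empty), $2 = codesign output
explain() {
    q=$(quarantine_state "$1")
    s=$(signature_kind "$2")
    case "$q/$s" in
        not-quarantined/unsigned)
            echo "$q, $s: no Gatekeeper prompt, but arm64 code is killed on Apple Silicon" ;;
        not-quarantined/*)
            echo "$q, $s: no Gatekeeper prompt on launch" ;;
        *)
            echo "$q, $s: Gatekeeper assesses the file on first launch" ;;
    esac
}

# Only touch the macOS tools when a path is given on the command line.
if [ "$#" -ge 1 ]; then
    q=$(xattr -p com.apple.quarantine "$1" 2>/dev/null || true)
    s=$(codesign -dvv "$1" 2>&1 || true)
    explain "$q" "$s"
fi
```

A Homebrew bottle is expected to report "not-quarantined, adhoc", which matches the two reasons given in the answer.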