I have a stupid question about homebrew: Why are executables that I install via homebrew trusted by MacOS (gatekeeper)? i.e. after installation I can run an executable and don't get a security popup and don't have to allow an exception - why is that?
I initially thought that homebrew might sign/notarize the binaries in their CI, but looking at some random executables it doesn't look like they have a signature: spctl -a -v $(which <some-executable-installed-with-homebrew>)
.
edit: meaning executables installed from bottles (pre-compiled binaries, not source packages compiled on my local machine)
There is no quarantining flag for a CLI app downloaded with curl. Home-brew, uses UNIX core tools to download the bottles, and thus they don't have this flag set.
Next home-brew also ad-hoc signs binaries.
Don't confuse code sign with notarisation.
Notarisation is where Apple vouches for software signed with a dev cert private key.
They cannot notarise ad-hoc signed software (like home-brew bottles) by definition.
This is happening, I would speculate because the binary here isnt ad-hoc signed. Nothing to do with notarisation.
I bet you are on Apple Silicon right?