I have a stupid question about Homebrew: why are executables that I install via Homebrew trusted by macOS (Gatekeeper)? I.e. after installation I can run an executable and don't get a security popup and don't have to allow an exception - why is that?
I initially thought that Homebrew might sign/notarize the binaries in their CI, but looking at some random executables it doesn't look like they have a signature: spctl -a -v $(which <some-executable-installed-with-homebrew>).
edit: meaning executables installed from bottles (pre-compiled binaries, not source packages compiled on my local machine)
“Homebrew installs the stuff you need that Apple didn't” — this is how Homebrew creators describe it, and we agree. If you want a more informative definition, Homebrew is a free and open-source package manager for macOS, helping you install, update, uninstall, and manage developer tools like Python, Ruby, and Node.
By default, Homebrew installs all packages in the directory /usr/local/Cellar/, and also creates symbolic links at /usr/local/opt/ and /usr/local/bin/ (for executable files).
Homebrew fills the void as the de facto package manager for macOS (and as another option for Linux). It provides an incredibly smooth and straightforward experience for anyone familiar with the command line, and it's a good way to learn the command line if you're new to it.
On Mac Intel machines, that's all you need to do; Homebrew is ready to use. On Mac Intel, Homebrew installs itself into the /usr/local/bin directory, which is already configured for access by the shell with the macOS default $PATH environment variable (the default is set by the /usr/libexec/path_helper command).
There is no quarantining flag for a CLI app downloaded with curl. Homebrew uses UNIX core tools to download the bottles, and thus they don't have this flag set.
Next, Homebrew also ad-hoc signs binaries.
Don't confuse code sign with notarisation.
Notarisation is where Apple vouches for software signed with a dev cert private key.
They cannot notarise ad-hoc signed software (like Homebrew bottles) by definition.
Now when my executable is NOT notarized it terminates with "Killed: 9", regardless if there's a quarantine attribute or not.
This is happening, I would speculate, because the binary here isn't ad-hoc signed. Nothing to do with notarisation.
I bet you are on Apple Silicon right?
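The distinction the answer draws between an unsigned binary, an ad-hoc signed one and one signed with a developer identity is recorded in the Mach-O file itself. The following is an added example, not part of the original answer and not Homebrew's code: it locates the LC_CODE_SIGNATURE load command and reads the ad-hoc flag from the CodeDirectory. It classifies only and does not verify hashes or certificates; it handles thin 64-bit Mach-O files, and `sample_macho` builds a constructed, minimal test input rather than a real binary.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF                  # thin 64-bit little-endian Mach-O
LC_CODE_SIGNATURE = 0x1D                  # load command pointing at the signature
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0   # SuperBlob wrapping all signature blobs
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CS_ADHOC = 0x2                            # CodeDirectory flag: no signing identity

def signature_kind(data: bytes) -> str:
    """Return 'unsigned', 'ad-hoc' or 'identity-signed' for a thin 64-bit Mach-O."""
    if len(data) < 32 or struct.unpack_from("<I", data)[0] != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O")
    ncmds = struct.unpack_from("<I", data, 16)[0]
    off = 32                              # load commands follow mach_header_64
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<II", data, off + 8)
            return _classify(data[dataoff:dataoff + datasize])
        off += cmdsize
    return "unsigned"                     # no signature load command at all

def _classify(blob: bytes) -> str:
    # Signature blobs are big-endian regardless of the host architecture.
    magic, _length, count = struct.unpack_from(">III", blob)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("unexpected signature blob")
    for i in range(count):
        _slot, boff = struct.unpack_from(">II", blob, 12 + 8 * i)
        bmagic, _blen, _version, flags = struct.unpack_from(">IIII", blob, boff)
        if bmagic == CSMAGIC_CODEDIRECTORY:
            return "ad-hoc" if flags & CS_ADHOC else "identity-signed"
    raise ValueError("signature has no CodeDirectory")

def sample_macho(cd_flags=None) -> bytes:
    """Constructed minimal input; cd_flags=None omits LC_CODE_SIGNATURE."""
    if cd_flags is None:
        return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 0, 0, 0, 0)
    cd = struct.pack(">IIII", CSMAGIC_CODEDIRECTORY, 16, 0x20400, cd_flags)
    sb = struct.pack(">IIIII", CSMAGIC_EMBEDDED_SIGNATURE, 20 + len(cd), 1, 0, 20) + cd
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 16, 0, 0)
    lc = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 48, len(sb))
    return hdr + lc + sb

if __name__ == "__main__":
    for flags in (None, CS_ADHOC, 0):
        print(flags, signature_kind(sample_macho(flags)))
```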