New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should the Ghidra cask be removed due to quarantine issues? #170345
Comments
I don't think we should persist flags like this because that disable security features.
Moving to homebrew-cask and CC @Homebrew/cask for discussion. My position: if literally nothing in this cask works at all for anyone without If some features are still useful without: it should stay, perhaps with some |
I am not in favor of this. I'm actually not even a fan of If the cask doesn't work without |
I agree with this. I would also like to see us remove I think @p-linnane and I are aligned but others may not be: it depends on the definition of "work". Some people claim a given formula/cask "does not work" or "is broken" if any single feature is broken in any configurations. Personally, I consider it to mean "the core functionality is broken for the majority of users on supported platforms". It is unclear to me which side this specific cask falls into. |
A good example of a 'broken' cask is |
It's broken for me. I open a file in the CodeBrowser and start getting repeated Gatekeeper errors. Symbols are not demangled and the decompilation panel displays an error instead of the decompilation. I don't know if there are other workflows that people do in Ghidra where they wouldn't be affected. Maybe if you're looking at hand-written executables there is no symbol mangling and you just want to view the disassembly instead of decompilation? I was making sure I wasn't missing something with installation and kept finding stuff like this:
Of course, if somebody installed and it just worked, they wouldn't be searching for or posting solutions online, so I wouldn't be finding many pages saying "I installed it and it just worked," but it seems like a common problem that it doesn't work. |
I agree with this, but if we are to remove However, if we end up deprecating the flag and we keep unsigned casks, we'll be in a weird situation where we distribute casks we know will not work for most people, while disabling any functionality on the homebrew side to make it work. Again, I think the solution should be increasing the security posture and deprecating |
Agreed. We haven't been accepting new casks that aren't code-signed for quite a while. If we can effectively look back and see what still exists, it would be great.
Yes, agreed here.
We can do this in a minor release, don't need to wait for a major one. |
The codesigning audit is currently only applied with the |
Agreed! 👍
I would support enabling this all the time, for the existing casks. It would be good to see the metrics for how many software have come in that are broken. I broadly agree with everything above, with a few thoughts
|
Also agreed.
Yes, I think that's probably the best course of action now we've verified it's working nicely. |
@matt-phylum FWIW, I have an unofficial tap for unsigned casks. If you're concerned about Ghidra's removal, feel free to install it from my tap: https://github.com/p-linnane/homebrew-cask-unsigned |
What happen to the unsigned casks in the custom tap if |
They will also be deprecated, disabled and eventually removed. These casks are broken on Apple Silicon anyway which is the majority platform for us at this point. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
Verification
brew install wget
. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.Provide a detailed description of the proposed feature
Homebrew should remember when casks are installed with
--no-quarantine
so it doesn't reenable quarantine when upgrading them. As it is, the--no-quarantine
option is not very usable.What is the motivation for the feature?
The Ghidra project does not codesign important components of Ghidra (NationalSecurityAgency/ghidra#1559 (comment)). In practice, this means when you
brew install --cask ghidra
(https://formulae.brew.sh/cask/ghidra), you get a broken version of Ghidra which can't be used for binary analysis.There is no real solution. Either you circumvent Gatekeeper by removing the quarantine attributes from the shipped binaries, or you circumvent Gatekeeper by building your own binaries without the quarantine attribute (by running unsigned scripts to build unsigned source code that is equally as trustworthy as the precompiled binaries).
The Homebrew project will not circumvent Gatekeeper in the cask (#169538 (comment)).
As a workaround, you can install the package with
brew install --no-quarantine ghidra
(#137489 (comment)). However, Homebrew forgets that it's supposed to use--no-quarantine
as soon as the installation completes. After a few weeks,brew upgrade
breaks Ghidra, and attempting to open a new file in Ghidra results in repeated error dialogs from Mac OS telling you that you aren't allowed to run those executables and broken Ghidra functionality.Homebrew does record
--appdir
,--keyboard-layoutdir
,--colorpickerdir
, etc into.metadata/config.json
, but it does not record--no-quarantine
.How will the feature be relevant to at least 90% of Homebrew users?
This is relevant to nearly 100% of users of similarly broken casks, but this is the only one I know of.
What alternatives to the feature have been considered?
If this feature is not added, the Ghidra cask should be removed because it does not work. Maybe it could be replaced with a Ghidra formula because formulas turn unsigned source code into executable code without being constrained by Gatekeeper.
The text was updated successfully, but these errors were encountered: