removing macOS Gatekeeper bypass behaviours
dafuq? That's basically the entire point
So yeah, there will be a fork soon that's just compatible with the casks. Luckily that is very easily to do / manage
this post was submitted on 13 Nov 2025
246 points (95.9% liked)
Mildly Infuriating
43065 readers
186 users here now
Home to all things "Mildly Infuriating" Not infuriating, not enraging. Mildly Infuriating. All posts should reflect that. Please post actually infuriating posts to !actually_infuriating@lemmy.world
I want my day mildly ruined, not completely ruined. Please remember to refrain from reposting old content. If you post a post from reddit it is good practice to include a link and credit the OP. I'm not about stealing content!
It's just good to get something in this website for casual viewing whilst refreshing original content is added overtime.
Rules:
1. Be Respectful
Refrain from using harmful language pertaining to a protected characteristic: e.g. race, gender, sexuality, disability or religion.
Refrain from being argumentative when responding or commenting to posts/replies. Personal attacks are not welcome here.
...
2. No Illegal Content
Content that violates the law. Any post/comment found to be in breach of common law will be removed and given to the authorities if required.
That means: -No promoting violence/threats against any individuals
-No CSA content or Revenge Porn
-No sharing private/personal information (Doxxing)
...
3. No Spam
Posting the same post, no matter the intent is against the rules.
-If you have posted content, please refrain from re-posting said content within this community.
-Do not spam posts with intent to harass, annoy, bully, advertise, scam or harm this community.
-No posting Scams/Advertisements/Phishing Links/IP Grabbers
-No Bots, Bots will be banned from the community.
...
4. No Porn/Explicit
Content
-Do not post explicit content. Lemmy.World is not the instance for NSFW content.
-Do not post Gore or Shock Content.
...
5. No Enciting Harassment,
Brigading, Doxxing or Witch Hunts
-Do not Brigade other Communities
-No calls to action against other communities/users within Lemmy or outside of Lemmy.
-No Witch Hunts against users/communities.
-No content that harasses members within or outside of the community.
...
6. NSFW should be behind NSFW tags.
-Content that is NSFW should be behind NSFW tags.
-Content that might be distressing should be kept behind NSFW tags.
...
7. Content should match the theme of this community.
-Content should be Mildly infuriating. If your post better fits !Actually_Infuriating put it there.
-The Community !actuallyinfuriating has been born so that's where you should post the big stuff.
...
8. Reposting of Reddit content is permitted, try to credit the OC.
-Please consider crediting the OC when reposting content. A name of the user or a link to the original post is sufficient.
...
...
Also check out:
Partnered Communities:
Reach out to LillianVS for inclusion on the sidebar.
All communities included on the sidebar are to be made in compliance with the instance rules.
founded 2 years ago
MODERATORS
Et tu brewtus?
Their explanation as to why:
--no-quarantineis used to forcibly bypass Gatekeeper, which is a built-in macOS security mechanism. This is used to run unsigned/unnotarized applications.macOS Tahoe is the final release to support Intel systems, and last year Apple updated macOS runtime protection to make it harder to override Gatekeeper. Macs with Apple silicon also don't "permit native arm64 code to execute unless a valid signature is attached". Finally, we are ending support for all casks that fail Gatekeeper checks on September 1st, 2026.
With the above in mind, it's time to deprecate the
--no-quarantineflag frombrew. It intentionally bypasses macOS security mechanisms, which we already actively discourage. Deprecating now will give a decent lead time for users using it to come up with another solution or adjust their workflows.
Deprecating now will give a decent lead time for users using it to come up with another solution or adjust their workflows.
The adjusted solution/workflow: use something other than homebrew
How will these other solutions bypass Apples quarantine?
By doing what homebrew currently does when you pass the --no-quarantine flag, which is call xattr.
Note that I'd probably support removing --no-quarantine if Apple's notarization service was free.
Notarisation, free (as in beer) limits your ability to run your code that (Corporate) doesn’t like, making it inherently non free (as in freedom).
Yes, but you can still compile the code yourself. It's only problematic for binary distribution. This is basically a question of balancing security vs. freedom I suppose.
load more comments
(2 replies)
I mean, theres macports and what else? Is macports even kickin still? No other package managers other than homebrew
Pretty sure it's still around. Nix is an option as well.
May be a sign to install Linux 😏 brew sucks anyways
True but I desperately need ~~no compatibility~~, ~~closed source~~, ~~AppleCare~~, ~~expensive hardware~~, ~~limited lifespan~~, ~~lock in~~ .... What did you call it Linux?
It's crazy how bad software compatibility on macos is. I used to assume it was about the same or slightly better than linux in that regard, but my attempts to help my friend play games on macos have almost entirely failed despite the fact that I have tons of experience playing games on linux since it's always been my main os
I'm stuck with it at work. Plus Linux usually sucks on Mac for a long time while drivers get written
MacPorts has always been better.
Mise baby.
Put your money where your mouth is and donate to Asahi Linux.
I'll check It out. I gave up and flashed Mac back on it and gave I to my sister. At least she's off windows now.
Only pc I have that I can do any thing with is a Thinkpad with linux
load more comments
(3 replies)
If Brew sucks, why is it the preferred package manager for CLI tools in Bazzite?
I don't use Bazzite. But if you have any pro arguments for Brew, feel free to share them. Change my mind.
I don’t really have an opinion, just an observation that switching back to Linux for me did not take me away from Homebrew
Heh, there goes Librewolf's only sane updating mechanism. IIRC, the devs of that are vehemently against paying Apple the money to sign the code, and they also fail to provide their own updater. It was one of the main drivers behind my switch to Waterfox.
load more comments
(2 replies)
But I thought Mac was just Linux for people who loved to spend money... Seems on brand to me.
*Unix
**BSD
Both
That's why I buy Macs! /hj (Though I do install and use Arch BTW on my M2 MacBook Air)
load more comments
(2 replies)
The unsigned (FOSS) Apps aren't removed yet. They will be removed by 2026-09-01. Removing --no-quarantine before that seems counter productive. And quite frankly removing unsigned Apps at all seems like a stupid idea. Homebrew is a third party package mamager, why are they precapitulating to Apple?
Third party taps (or are they fourth party?) will step in. You can run xattr -d com.apple.quarantine in the .rb file.
Relevant links.
- Homebrew Github Discussion about unsigned app removal.
- How Freetube bypasses the issue in their own tap.
I don't think this is homebrews fault? It looks like apps need to be signed to run on apple silicone.
Yes and no. Yes, it has to be signed, but no, it doesn't have to be Apple's signing, it can be ad-hoc signed for the device programmatically. What they're doing is that removing that ability to remove quarantine bits and ad-hoc signing ~~on installation~~ and forcing everything to be Apple-signed.
EDIT: Ad-hoc signing is compile-time. Quarantine bit just has to be removed at install-time.
https://github.com/Homebrew/brew/issues/20755#issuecomment-3330984446
In the end, the whole point of Gatekeeper is to protect end users as much as reasonable, and continuing to make it easy to bypass isn't a good thing in my view.
Whole point of Gatekeeper is Apple policing users’ devices. The security benefit is just a side effect. If anything, users need to be protected from Apple more than small time hackers.
This is a shame. Big tech brain is affecting developers everywhere.
Controversial opinion: best way to learn fire will burn you is to try and see. I personally learned a lot about computers by infecting my machine with a shitton of malware when I was a kid. Modern parents are very adamant on letting kids run free and learn stuff by themselves, why not apply the same logic to computers?
What a shame. It’s probably my favorite tool on the platform.
I never understood what a "cask" in the brew lanuage means. I just do installs and if the brew install instructions involves a cask I just do it. How do I figure out which packages this will have an effect on on my system?
Casks are as a rule GUI applications. So if you want to install Firefox with homebrew would need to install it via a cask.
brew list --cask
I think they've started flagging unnotarized apps as (deprecated), so maybe do a brew info on each.
You can simply run brew doctor and it will show you all deprecated casks.
Cool beans 👏
What does this mean?
Apps have to be signed to be installed.
You can still install and run them but you need to manually him through the startup hoops once
if you use a Mac git gud.
Well, I’m pretty happy that I’ve moved most of my app downloads to a nix config I guess.
Seems like a bigger change than deserves to be buried in the changelog. I wonder what the intent here is.
Homebrew could provide their own casks of FOSS applications, compiled on their infrastructure and signed by their key. It's kinda what F-Droid does on phones.
Code signing should be done though.
You can disagree with Apple's approach that maintains them as the only signing authority, but, at a fundamental level, code signing is the only way to distribute an executable and have the user be able to trust who authored it (and thus what's in it).
Fuck homebrew mise cru for life now.
Of the like 30 things I have installed through brew, 1 is not signed. Do I agree with the change, no. But there are other options out there.
view more: next ›