Homebrew could provide their own casks of FOSS applications, compiled on their infrastructure and signed by their key. It’s kinda what F-Droid does on phones.

Code signing should be done though.

You can disagree with Apple’s approach that maintains them as the only signing authority, but, at a fundamental level, code signing is the only way to distribute an executable and have the user be able to trust who authored it and what’s in it.

https://github.com/Homebrew/brew/issues/20755#issuecomment-3330984446

In the end, the whole point of Gatekeeper is to protect end users as much as reasonable, and continuing to make it easy to bypass isn’t a good thing in my view.

Whole point of Gatekeeper is Apple policing users’ devices. The security benefit is just a side effect. If anything, users need to be protected from Apple more than small time hackers.

This is a shame. Big tech brain is affecting developers everywhere.

Controversial opinion: best way to learn fire will burn you is to try and see. I personally learned a lot about computers by infecting my machine with a shitton of malware when I was a kid. Modern parents are very adamant on letting kids run free and learn stuff by themselves, why not apply the same logic to computers?

I don’t think this is homebrews fault? It looks like apps need to be signed to run on apple silicone.

But I thought Mac was just Linux for people who loved to spend money… Seems on brand to me.

I never understood what a “cask” in the brew lanuage means. I just do installs and if the brew install instructions involves a cask I just do it. How do I figure out which packages this will have an effect on on my system?

Heh, there goes Librewolf’s only sane updating mechanism. IIRC, the devs of that are vehemently against paying Apple the money to sign the code, and they also fail to provide their own updater. It was one of the main drivers behind my switch to Waterfox.

Of the like 30 things I have installed through brew, 1 is not signed. Do I agree with the change, no. But there are other options out there.

The unsigned (FOSS) Apps aren’t removed yet. They will be removed by 2026-09-01. Removing --no-quarantine before that seems counter productive. And quite frankly removing unsigned Apps at all seems like a stupid idea. Homebrew is a third party package mamager, why are they precapitulating to Apple?
Third party taps (or are they fourth party?) will step in. You can run xattr -d com.apple.quarantine in the .rb file.

Relevant links.

• Homebrew Github Discussion about unsigned app removal.
• How Freetube bypasses the issue in their own tap.

Their explanation as to why:

--no-quarantine is used to forcibly bypass Gatekeeper, which is a built-in macOS security mechanism. This is used to run unsigned/unnotarized applications.

macOS Tahoe is the final release to support Intel systems, and last year Apple updated macOS runtime protection to make it harder to override Gatekeeper. Macs with Apple silicon also don’t “permit native arm64 code to execute unless a valid signature is attached”. Finally, we are ending support for all casks that fail Gatekeeper checks on September 1st, 2026.

With the above in mind, it’s time to deprecate the --no-quarantine flag from brew. It intentionally bypasses macOS security mechanisms, which we already actively discourage. Deprecating now will give a decent lead time for users using it to come up with another solution or adjust their workflows.

Fuck homebrew mise cru for life now.

Et tu brewtus?

What does this mean?

Well, I’m pretty happy that I’ve moved most of my app downloads to a nix config I guess.

Seems like a bigger change than deserves to be buried in the changelog. I wonder what the intent here is.

What a shame. It’s probably my favorite tool on the platform.