Homebrew no longer allows bypassing Gatekeeper for unsigned/unnotarized software

Scope of the Homebrew Change

  • The change affects only macOS, not Linux (there is no code signing or notarization there).
  • It targets casks (prebuilt .app bundles, dmg/pkg installers), not formulae or bottles.
  • Building from source and using Homebrew’s own binaries for CLI tools is unchanged.
  • --no-quarantine is being deprecated/removed; Homebrew will stop clearing the com.apple.quarantine attribute for casks and move toward requiring all official casks to pass Gatekeeper (signed + notarized).

Gatekeeper, Quarantine, and Apple Silicon

  • Gatekeeper is triggered by the quarantine xattr set on downloads (browser or Homebrew). Removing it used to let unsigned apps run after one approval.
  • On Apple Silicon, the kernel requires a signature, but an ad‑hoc signature (no Apple identity) is enough to run; Gatekeeper then behaves similarly to unsigned Intel binaries.
  • --no-quarantine is already largely ineffective on ARM; Intel support is ending, so maintainers don’t want to keep chasing Gatekeeper bypasses.

Impact on Software and Workflows

  • Unsigned/unnotarized GUI apps installed via official casks (e.g. LibreWolf, FreeTube, Alacritty, some database GUIs) will no longer “just work”: users must approve them manually or clear quarantine themselves after each update.
  • Some tools used Homebrew casks as a convenient alternative to the Mac App Store; that advantage shrinks.
  • Developers of open‑source apps are reluctant to pay $99/year and expose legal identity for Apple’s signing/notarization, so many projects won’t comply.

Workarounds and Alternatives

  • Users can still:
    • Manually clear quarantine (xattr -dr com.apple.quarantine …) or automate it (e.g. small services that watch folders).
    • Disable Gatekeeper entirely (spctl --master-disable), at the cost of losing its checks for every app on the system.
    • Use custom taps that clear quarantine in postinstall.
  • Alternatives mentioned: MacPorts, Nix/nix‑darwin, pkgsrc, Fink, asdf/mise, Spack; some people already rely on Homebrew only for casks and other tools for CLI.
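
Before clearing quarantine in bulk or disabling Gatekeeper globally, it helps to see which bundles actually carry the attribute and what Gatekeeper says about each one. The script below is an added example, not from the discussion or from Homebrew; the value layout (flags;hex time;agent;id) and the 0x0040 "user approved" bit are assumptions based on commonly reported behaviour, not Apple documentation.

```shell
#!/bin/sh
# Added example: report quarantine state per app bundle instead of clearing it.
# Assumption: com.apple.quarantine holds "flags;hex_epoch;agent;uuid" and bit
# 0x0040 of flags means the user already approved the item.

# classify_quarantine VALUE -> none | malformed | approved | pending
classify_quarantine() {
    value=$1
    [ -n "$value" ] || { echo "none"; return 0; }
    case $value in
        *\;*\;*) ;;                       # need at least flags;time;agent
        *) echo "malformed"; return 0 ;;
    esac
    flags=${value%%;*}
    case $flags in
        ''|*[!0-9a-fA-F]*) echo "malformed"; return 0 ;;
    esac
    if [ $(( 0x$flags & 0x40 )) -ne 0 ]; then
        echo "approved"
    else
        echo "pending"                    # Gatekeeper will still evaluate it
    fi
}

# quarantine_agent VALUE -> third field (the program that set the attribute)
quarantine_agent() {
    rest=${1#*;}
    rest=${rest#*;}
    echo "${rest%%;*}"
}

# audit_app PATH -> one tab-separated report line (macOS only: xattr, spctl)
audit_app() {
    app=$1
    value=$(xattr -p com.apple.quarantine "$app" 2>/dev/null) || value=""
    state=$(classify_quarantine "$value")
    # spctl --assess asks Gatekeeper for a verdict without launching the app.
    if spctl --assess --type execute "$app" >/dev/null 2>&1; then
        verdict="accepted"
    else
        verdict="rejected"
    fi
    printf '%s\tquarantine=%s\tgatekeeper=%s\n' "$app" "$state" "$verdict"
}

if [ "$#" -gt 0 ]; then
    for app in "$@"; do audit_app "$app"; done
fi
```

Passing /Applications/*.app as arguments on macOS prints one line per bundle; entries that show quarantine=none together with gatekeeper=rejected are the ones where the attribute was cleared on software Gatekeeper would not have accepted.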

Reactions to Homebrew’s and Apple’s Direction

  • Many see this as Homebrew aligning with Apple’s tightening ecosystem and abandoning power‑user freedom; others welcome stricter curation for security.
  • Strong criticism of Homebrew maintainers’ communication style (issue locking, perceived hostility, “not pro‑grade”), alongside defenses that the issue tracker is for work, not policy debate.
  • Broader worries about “boiling frog” lockdown on macOS vs praise that Gatekeeper remains disable‑able; several commenters plan or have already switched to Linux.