Looks good but I'm curious, why is it not distributed signed with an Apple developer account? That means there is no kill switch Apple can flip in case it turns out to be malicious software. (Especially important for a package manager!)
Is it just the $99 fee or is there some other reason not to sign it?
Yeah, off of an open source repository on github that the community can inspect. But here you are being asked to trust a binary from some developer out there.
That's the reason Apple added this signing feature. I'm just wondering if there's really a good reason for a developer to not follow it.
>Yeah, off of an open source repository on github that the community can inspect.
That doesn't make it better. What if your internet connection craps out while it's downloading the line "rm -rf /usr/local/bin/old-binary" and it happens to stop at "rm -rf /usr"?
This is trivially fixable by wrapping the body of the script in a function which is invoked at the end. Homebrew's install script doesn't do this, but it's written in Ruby and all of the side-effecting statements are within a single block, so the worst that could happen is it could fail to print the message telling you that it's installed at the end.
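An added example, not code from the thread or from Homebrew, showing the "wrap the body in a function and call it on the last line" pattern next to the naive layout, and a small harness that simulates the download stopping at the worst possible byte. The install script body, the `INSTALL_DEST` variable and the `old-binary`/`new-binary` names are constructed for the demo; everything it touches stays inside a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): a piped installer laid out naively vs.
# wrapped in a function, plus a harness that truncates each and runs the
# fragment to see what a dropped connection would have executed.

# Constructed script body. Every path is under INSTALL_DEST so runs stay in a
# scratch directory. The rm target is left unquoted on purpose to mirror the
# "rm -rf /usr/local/bin/old-binary" line discussed above.
BODY='dest="${INSTALL_DEST:?INSTALL_DEST must be set}"
mkdir -p "$dest/bin"
printf "new\n" > "$dest/bin/new-binary"
rm -rf $dest/bin/old-binary
echo installed'

# Naive layout: sh executes each statement as soon as it has parsed it.
UNWRAPPED_SCRIPT='#!/bin/sh
set -eu
'"$BODY"'
'

# Hardened layout: nothing runs until the final line calls main, and a
# fragment that ends before that line fails to parse as a whole.
WRAPPED_SCRIPT='#!/bin/sh
set -eu
main() {
'"$BODY"'
}
main "$@"
'

# run_fragment SCRIPT NBYTES: simulate the connection dropping after NBYTES,
# run the fragment against a fresh scratch directory and classify the result:
#   ran     - installer completed (new-binary present, old-binary gone)
#   noop    - sh rejected the fragment; scratch directory untouched
#   partial - side effects happened but the install did not complete
run_fragment() {
  script=$1
  nbytes=$2
  scratch=$(mktemp -d)
  mkdir -p "$scratch/bin"
  : > "$scratch/bin/old-binary"
  frag="$scratch/fragment.sh"
  printf '%s' "$script" | dd bs=1 count="$nbytes" 2>/dev/null > "$frag"
  if INSTALL_DEST="$scratch" sh "$frag" >/dev/null 2>&1; then status=0; else status=$?; fi
  if [ "$status" -eq 0 ] && [ -f "$scratch/bin/new-binary" ] && [ ! -e "$scratch/bin/old-binary" ]; then
    result=ran
  elif [ -e "$scratch/bin/old-binary" ] && [ ! -e "$scratch/bin/new-binary" ]; then
    result=noop
  else
    result=partial
  fi
  rm -rf "$scratch"
  printf '%s\n' "$result"
}

# cut_point SCRIPT: byte offset just after "rm -rf $dest/bin", i.e. the
# download stopping exactly where the thread's example does.
cut_point() {
  prefix="${1%%/old-binary*}"
  printf '%s' "$prefix" | wc -c | tr -d ' '
}

# full_length SCRIPT: byte length of the complete download.
full_length() {
  printf '%s' "$1" | wc -c | tr -d ' '
}

# Stand-alone demo: the unwrapped fragment deletes the whole bin directory
# (partial); the wrapped fragment is rejected by the parser and does nothing.
echo "unwrapped, complete:  $(run_fragment "$UNWRAPPED_SCRIPT" "$(full_length "$UNWRAPPED_SCRIPT")")"
echo "unwrapped, truncated: $(run_fragment "$UNWRAPPED_SCRIPT" "$(cut_point "$UNWRAPPED_SCRIPT")")"
echo "wrapped, complete:    $(run_fragment "$WRAPPED_SCRIPT" "$(full_length "$WRAPPED_SCRIPT")")"
echo "wrapped, truncated:   $(run_fragment "$WRAPPED_SCRIPT" "$(cut_point "$WRAPPED_SCRIPT")")"
```

The harness only shows the truncation hazard; it does not change the trust question the thread is about, since a complete, well-formed script from an attacker runs just as cleanly through `main` as a benign one.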
Yes, it is definitely a good feature. It's part of their security architecture. They figured out a way to allow developers complete freedom in distributing their software directly / outside of the App Store while still offering users protection against malware.
The point of the killswitch is to disable malicious software that someone tricked you into downloading off the internet and installing. That is the only thing it would be used for (and I'm not aware if it ever has... maybe because it's a good deterrent).
It is not the same as the broader App Store approval guidelines. This is specifically for disabling malware, e.g. a bad actor tricking 10% of Hacker News into installing a malicious fork of brew.
I also want to make it clear I have no reason to believe this developer is anything but trustworthy. I just am curious why they decided not to sign it.
No, OP is saying installing an unsigned binary that is a package manager that has access to all of your system files is uncomfortable for some people.
I'd gladly fork it and replace it with a signed binary, but I'd want to ensure there isn't anything suspect in the project.
And seriously, I've never even heard of the kill switch being used for anything that wasn't malicious. Especially if it's not distributed in the Mac App Store.
Isn't the benefit of this that Apple can't flip the kill switch if they get into a dispute with the developer?
If I paid for a piece of software that was rendered unusable a week later because the developer didn't check the right boxes on a form, or because someone lodged a trollish complaint with Apple, I'd be quite pissed.
That's only if it's in the Mac App Store. You can still sign an app (or in this case, a packaged script).
ETA: The malicious kill-switch obviously works on all apps, App Store or not -- but I'm unaware of any non-MAS app ever being "kill-switched" because of a customer dispute.