stemrollerapp / stemroller

Isolate vocals, drums, bass, and other instrumental stems from any song
https://www.stemroller.com

Request: Can we sign the Mac app? #25

Closed execat closed 7 months ago

execat commented 2 years ago

Hi, awesome project, I've played with it for countless hours (more than I'd like to admit).

I was trying to make installation of StemRoller easier on Mac using brew. However, homebrew/homebrew-cask has stopped taking MRs for projects that don't have a signed app:

```
$ brew audit --new-cask stemroller
:
audit for stemroller: failed
 - Signature verification failed:
/private/tmp/d20220916-62803-f13aen/StemRoller.app: code object is not signed at all
In architecture: x86_64

macOS on ARM requires applications to be signed. Please contact the upstream developer to let them know they should sign their app.
Error: 1 problem in 1 cask detected
```

Example: https://github.com/Homebrew/homebrew-cask/pull/131229#issuecomment-1242535438 (read that and the next comment)

I don't have an ARM Mac but the downside seems quite significant:

> Please contact the upstream developer and ask them to codesign their application. Otherwise this will prevent the application from running on Apple Silicon machines without disabling Gatekeeper (which is not ideal).

Is this something that will take a non-significant amount of work? I think the returns on getting this done (just a `brew install --cask stemroller` as opposed to the current method) will help a lot.

iffyloop commented 2 years ago

I hadn't thought of making StemRoller available via brew before but that sounds like a great idea! Unfortunately, I'm not enrolled with an Apple Developer ID so I can't get a certificate that will bypass Gatekeeper. If I purchase a developer ID then it should be possible, but requires additional work to automate the signing process via GitHub Actions. I'll look into this in the future as I have been wanting to be able to sign apps for a while...

execat commented 2 years ago

Sounds good. Just tag me and reply here when you are ready. This is my formula as of now, someone else may also be able to take this and edit it a bit:

```ruby
cask "stemroller" do
  version "1.1.1"
  sha256 "db18511d01eb32ec80974a0994ecabadca601e041292ddc8cc9cb6e74892aafd"

  url "https://github.com/stemrollerapp/stemroller/releases/download/#{version}/stemroller-#{version}-mac.zip",
      verified: "github.com/stemrollerapp/stemroller/"
  name "StemRoller"
  desc "Isolate vocals, drums, bass, and other instrumental stems from any song"
  homepage "https://www.stemroller.com/"

  app "StemRoller.app"

  zap trash: [
    "~/Library/Application Support/stemroller",
    "~/Library/Preferences/com.stemroller.stemroller.plist",
    "~/Library/Saved Application State/com.stemroller.stemroller.savedState",
  ]
end
```

iffyloop commented 1 year ago

Just getting around to managing all these old open issues. I'm not ready to purchase an Apple Developer ID yet, but I'll leave this issue open in case that happens at some point in the future (brew is a great tool and I'd really like to support it if possible!) In the meantime, if anyone else wants to officially maintain a StemRoller formula for brew and sign the binary themselves then that would be great. Thanks execat for sharing your formula here; this gets us started in the right direction for the future.

iffyloop commented 7 months ago

@execat can you use `xattr -dr com.apple.quarantine /path/to/stemroller/download/directory` in that script to clear the Gatekeeper quarantine flags, or is this different than the usual notarization requirement?

execat commented 6 months ago

@iffyloop Yes, that would work, but for it to be accepted in the official Brew Cask repo (i.e., allow people to do a simple `brew install --cask stemroller`) this would not work. Brew cask repo only accepts signed apps.

iffyloop commented 6 months ago

Ahh I see... thanks for letting me know. Unfortunately I'm not planning to purchase an Apple Developer ID anytime soon, so won't be able to notarize StemRoller. Thank you for your interest though, appreciate you wanting to make it available to more Brew users. I have had issues with chromedriver via Brew in the past, in which it was quarantined - do you know why this one is allowed in the Brew repos? Or is it accepted because they don't forcefully remove the quarantine flag?
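
The thread turns on two separate states: the code signature that `brew audit` rejected and the `com.apple.quarantine` attribute that `xattr -dr` clears. The script below is an added example, not part of the original thread or of the StemRoller or Homebrew code, that reports each one independently for an app bundle. The function names and the sample outputs are constructed for illustration; `codesign`, `xattr` and `spctl` are the standard macOS tools.

```sh
#!/bin/sh
# Added example: triage an .app bundle's signing and quarantine state on macOS.

# Classify the text printed by: codesign -dv --verbose=4 APP 2>&1
classify_signature() {
  case $1 in
    *"code object is not signed at all"*)    echo unsigned ;;
    *"Signature=adhoc"*)                     echo adhoc ;;
    *"Authority=Developer ID Application:"*) echo developer-id ;;
    *"Authority="*)                          echo other-signed ;;
    *)                                       echo unknown ;;
  esac
}

# Succeeds if the text printed by `xattr -l APP` lists the quarantine attribute.
has_quarantine() {
  case $1 in *com.apple.quarantine*) return 0 ;; *) return 1 ;; esac
}

# Report on a real bundle (needs macOS: codesign, xattr, spctl).
inspect_app() {
  app=$1
  echo "signature:  $(classify_signature "$(codesign -dv --verbose=4 "$app" 2>&1)")"
  if has_quarantine "$(xattr -l "$app" 2>/dev/null)"; then
    echo "quarantine: set"
  else
    echo "quarantine: not set"
  fi
  # Gatekeeper's own verdict, independent of the two checks above.
  spctl --assess --type execute -vv "$app" 2>&1 | sed 's/^/gatekeeper: /'
}

# Constructed sample tool outputs, used when no bundle path is given.
SAMPLE_UNSIGNED='StemRoller.app: code object is not signed at all'
SAMPLE_ADHOC='Identifier=com.example.app
Signature=adhoc'
SAMPLE_DEVID='Identifier=com.example.app
Authority=Developer ID Application: Example Dev (ABCDE12345)
Authority=Developer ID Certification Authority'
SAMPLE_XATTR='com.apple.quarantine: 0081;00000000;Safari;'

if [ -n "${1:-}" ] && command -v codesign >/dev/null 2>&1; then
  inspect_app "$1"
else
  for s in "$SAMPLE_UNSIGNED" "$SAMPLE_ADHOC" "$SAMPLE_DEVID"; do
    classify_signature "$s"
  done
fi
```

Run it with the path to an app bundle as the only argument on macOS; without an argument it classifies the constructed samples.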