Check for App Management permissions before updating apps. by JBYoshi · Pull Request #15483 · Homebrew/brew
- Have you followed the guidelines in our Contributing document?
- Have you checked to ensure there aren't other open Pull Requests for the same change?
- Have you added an explanation of what your changes do and why you'd like us to include them?
- Have you written new tests for your changes? Here's an example.
- Have you successfully run `brew style` with your changes locally?
- Have you successfully run `brew typecheck` with your changes locally?
- Have you successfully run `brew tests` with your changes locally?
macOS Ventura added new restrictions on apps being allowed to update other apps. In order for one app to update another, at least one of the following must be true:
- Both apps must be signed by the same developer
- The app being updated needs to explicitly allow the updater app
- The updater app needs to be granted "Full Disk Access" permission
- The updater app needs to be granted a new "App Management" permission
This didn't show up until #15138 was merged because prior to that, macOS considered Homebrew's app updates to be uninstalls and reinstalls, which discarded app data. Since #15138, macOS now recognizes that Homebrew is updating apps, so anyone who hasn't already granted the proper permissions to their terminal will get errors while copying the app files. This PR adds a check before app updates to ensure that the terminal has been granted permissions. If the terminal hasn't been granted permissions, Homebrew will exit and give the user instructions to grant their terminal the necessary permissions.
When setting up unit tests for this, I also moved the existing "upgrade properly handles non-writable directories" to a new group "when the directory is owned by root" to clarify the meaning and to better group the tests.
Fixes Homebrew/homebrew-cask#147383
Fixes Homebrew/homebrew-cask#147789
Fixes #15484
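A sketch of the kind of preflight check described above, added here as an example and not taken from this pull request or from Homebrew's code. The helper names are hypothetical, and it assumes a missing App Management or Full Disk Access grant surfaces as `EPERM`/`EACCES` when writing inside a bundle whose Unix permissions would otherwise allow the write.

```ruby
require "fileutils"
require "securerandom"
require "tmpdir"

# Hypothetical helper (not Homebrew's implementation): classify whether this
# process may modify files inside an existing .app bundle. Returns :ok,
# :missing, :not_writable (plain Unix permissions, e.g. a root-owned bundle)
# or :blocked (the directory looks writable but the OS refuses the write,
# assumed here to be how a missing App Management grant shows up).
def app_update_preflight(app_path)
  contents = File.join(app_path, "Contents")
  return :missing unless File.directory?(contents)
  return :not_writable unless File.writable?(contents)

  probe = File.join(contents, ".preflight-#{SecureRandom.hex(8)}")
  begin
    # CREAT|EXCL so an existing file is never truncated or followed.
    File.open(probe, File::WRONLY | File::CREAT | File::EXCL, 0o600) {}
    :ok
  rescue Errno::EPERM, Errno::EACCES
    :blocked
  ensure
    FileUtils.rm_f(probe) # never leave the probe behind in the bundle
  end
end

# Turn the status into the instruction shown before aborting the update.
def preflight_message(status, app_path)
  case status
  when :ok then nil
  when :missing then "#{app_path} is not an app bundle; nothing to update."
  when :not_writable then "#{app_path} is not writable by this user (check ownership)."
  when :blocked
    "Your terminal may not update #{app_path}. Grant it App Management " \
    "(or Full Disk Access) in System Settings, then retry."
  end
end

# Constructed sample: a throwaway bundle layout in a temp directory.
def demo
  Dir.mktmpdir do |dir|
    app = File.join(dir, "Sample.app")
    FileUtils.mkdir_p(File.join(app, "Contents"))
    [app_update_preflight(app), app_update_preflight(File.join(dir, "Gone.app"))]
  end
end
```

Separating `:not_writable` from `:blocked` mirrors the distinction the description draws between root-owned directories and the Ventura permission check, so each case can get its own instructions.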