Add notes about cask and quarantine issues with MacOS

[joshuataylor]

I forget about this every time. Should also help with search engines, as the error is pretty common.

Thanks MacOS 🤦

[wez]

What I would expect here is just a warning that you downloaded something from the internet.
wezterm is signed; if are you seeing a warning that the package you are installing is not signed or not verifiable then something has gone wrong somewhere and you should not use the package.

[joshuataylor]

I received this when installing nightly, is nightly not signed or is that a generic warning of when you install something via the internet?

Happy to test further on a clean machine if needed. 👍

[wez]

all builds of wezterm produced by my CI on macOS are signed using my developer identity. Please share the wording from the message that you see when you don't use the quarantine option.

[joshuataylor]

Without:

“WezTerm” is an app downloaded from the Internet. Are you sure you want to open it?

Homebrew Cask downloaded this file today at 2:24PM. Apple checked it for malicious software and none was detected.

brew uninstall --cask wezterm-nightly and then install with just that flag fixes it.

If I then do another uninstall and try without the flag, the same message appears.

I've tested this in a virtualised MacOS using tart and observe the same results.

Let me know if this makes sense..

[matthewberryman]

otherwise you will receive the warning that Wezterm cannot be opened because the developer cannot be verified

This wording is wrong, the developer can be verified.

I would argue that it is best to not use --no-quarantine, which would bypass other checks including unsigned binaries.

[joshuataylor]

Agreed, let me reword it.

…

On Tue, 20 Feb 2024, 6:20 am Matthew Berryman, ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In docs/install/macos.md <#5034 (comment)>: > ``` +> 1. `--cask` needs to be set, as the cask name exists in homebrew already and will result in the following error: +> ``` +> Error: Cask wezterm-nightly exists in multiple taps: + homebrew/cask-versions/wezterm-nightly + wez/wezterm/wezterm-nightly + ``` +> 2. `--no-quarantine` is set, otherwise you will receive the warning that Wezterm cannot be opened because the developer cannot be verified. This message is from [Gatekeeper](https://support.apple.com/en-mide/102445). otherwise you will receive the warning that Wezterm cannot be opened because the developer cannot be verified This wording is wrong, the developer can be verified, it is because you don't have the Security setting to allow applications downloaded from "App Store *and* identified developers set (per screenshot), that you are seeing the warning, and the --no-quarantine flag, which also bypasses this particular GateKeeper check along with the others. I would argue, especially if you are installing brew casks, that you would want to change the setting, rather than use --no-quarantine, which would bypass other checks including unsigned binaries. Screenshot.2024-02-20.at.08.42.34.png (view on web) <https://github.com/wez/wezterm/assets/2288238/2acdcf9f-3099-4ee2-8e97-7ab799007a10> — Reply to this email directly, view it on GitHub <#5034 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABW6236ZOOLBYP7IPSQ2C3YUPF4NAVCNFSM6AAAAABDOR3WN6VHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMYTQOBZGIZTOMRSGQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[wez]

Personally, I think it is is fine to preserve the quarantine flag and the corresponding check and prompt as the default in the documentation. It is safer for users that may not know the consequences.
Power users that feel like they know better are welcome to use it, but they are doing so at their own risk.

Since I don't personally recommend disabling those checks, I don't feel good about suggesting to do it in the docs but then telling folks not to do it in the docs, because a lot of people only skim and won't see the warning about it being a potentially dangerous thing to do.