It definitely affects UI applications that have been installed via brew cask. I think I also had to "unlock" a bottled command line executable, but since most programs installed via brew are compiled from source on macOS betas I have a hard time reproducing that.
Quarantining files is opt-in from the app perspective. Apps and programs (like Chrome and cask) have to explicitly support setting the quarantine bits on things they consider downloads. Apps and command-line programs create files all the time for all sorts of purposes, and without app cooperation, macOS has no idea whether each file is something potentially unsafe downloaded from the internet.
So hopefully this shifts the perspective a little. Makers of apps that download things _like_ quarantining because it distances them from the responsibility of ensuring the quality of each download, so much so that they will spend time to implement support for it. If quarantining isn't a good feature, apps like Chrome and cask wouldn't use it or would stop using it. This provides a great check and balance in the system imo.
--
Btw, there are two separate Homebrew projects that are unfortunately named -- one of them is named like a subset of the other. Here are some clarifications for people unfamiliar with this:
- `brew install` builds apps and programs from source, or downloads binaries built from source ("bottled") by machines maintained by the Homebrew project. Neither of these are quarantined, I think.
- `brew cask install` downloads and installs apps similarly to how you would install them manually, but in an automated way. (For example, it will download a dmg, mount it, copy the app to apps, and unmount the dmg.) My comment above is only about this option, and not the other one.
It doesn't need to know that. When you use a GUI app to download an app (web browser, for example), the executable is marked 'quarantine.' When you build an app yourself, it doesn't get marked 'quarantine.'
Items marked 'quarantine' get the "Are you sure?" (or "you can't" or "find another way" or whatever) dialog.
The check happens at a lower level than the Finder, I believe.
I think it checks things with the quarantine flag set on the executable or app. This is set by your browser and other similar software when downloading an app. Once cleared, the notarization check isn't done.
Brew doesn't set the quarantine flag in the first place as far as I know.
I don't know how Catalina works specifically, but if I was designing for this contingency I'd have it so that any software compiled locally by a user with sudo rights would be automatically notarized against a localhost certificate.
So you could easily install a graphical shell that doesn't check that.
heh people probably need to chill out about all this. I got a mechanical engineering student (read: "doesn't understand computers") to play open arena with me the other month dispite all of this. It's just a couple buttons you have to press.
...which makes it all the more annoying for "power users" that there's no simple switch anymore to allow all apps to run without the scare/confirmation popups (there used to be a third option in "Security & Privacy" settings next to "App Store" and "App Store and identified developers" for this).
I use quite a few applications that aren't from the App store. I've had 'App store and identified developers' as my default for ever and I've come across, possibly three? unidentified developers in the last three years. It's not a massive inconvenience and to be honest, I welcome the 'Hmmm - its not signed' pause for thought.
