This repository has been archived by the owner on May 2, 2024. It is now read-only.

iterm2-nightly download happens over HTTP even though the link is HTTPS, no checksum #5228

Closed
gtklocker opened this issue Feb 9, 2018 · 7 comments

Comments

@gtklocker
Contributor

See the relevant issue on the iterm2 tracker: https://gitlab.com/gnachman/iterm2/issues/6495

On our side we could try tagging nightlies (https://www.iterm2.com/downloads/nightly/#/section/home), making sure the download link is HTTPS and hashing them as usual. Also use the linked page as appcast.

@vitorgalvao
Member

The HTTPS case should be fixed, yes.

As for tagging nightlies, we don’t have the resources to update every nightly every day. Even if we had an automated system that did it, it’d need to be run every day multiple times a day to be sure it caught them all.

Users that don’t want to take the risk of installing casks without a checksum can use the --require-sha flag.

However, all that said, technically there is a way. If your build system tags nightlies and auto-submits a PR to us, it could be done. This is easier than it looks. By using cask-repair, all your build system would need to do is run cask-repair --cask-version {{nightly_version_here}} iterm2-nightly. That command takes care of everything, including submitting the PR directly to us.

There’s still the fact there’d need to be human intervention to actually merge the PR, but we’re usually pretty fast about it. We could try and see if it works.

@gtklocker
Contributor Author

This all sounds very good, and I had no idea about the --require-sha flag, thanks!

Seeing as I'm not an iTerm2 maintainer, you may want to suggest this at the issue I linked previously.

However, let's open another issue on the main cask repo to prevent insecure HTTPS -> HTTP redirects on download urls? This looks to be a much bigger issue, probably not constrained to this cask only.
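
A download client can enforce both points raised in this thread by refusing any redirect whose target is not HTTPS and by checking a SHA-256 digest before the file is used. The Python below is an added example, not code from Homebrew Cask or iTerm2; the names `NoDowngradeRedirectHandler` and `fetch_verified`, the URL and the digest are assumptions.

```python
import hashlib
import hmac
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow a redirect only if its target is still HTTPS."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if urlsplit(newurl).scheme != "https":
            raise urllib.error.URLError(
                f"refusing redirect from {req.full_url} to non-HTTPS {newurl}")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_verified(url, expected_sha256, opener=None):
    """Download url over HTTPS only and return the bytes if the digest matches.

    opener is injectable so the function can be exercised offline.
    """
    if urlsplit(url).scheme != "https":
        raise ValueError(f"download URL must be HTTPS: {url}")
    if opener is None:
        # Passing the subclass replaces urllib's default redirect handler.
        opener = urllib.request.build_opener(NoDowngradeRedirectHandler)
    digest = hashlib.sha256()
    chunks = []
    with opener.open(url, timeout=30) as resp:
        for chunk in iter(lambda: resp.read(65536), b""):
            digest.update(chunk)
            chunks.append(chunk)
    if not hmac.compare_digest(digest.hexdigest(), expected_sha256.lower()):
        raise ValueError(f"sha256 mismatch for {url}")
    return b"".join(chunks)


if __name__ == "__main__":
    # Placeholder URL and digest (assumptions); substitute the real pinned values.
    data = fetch_verified("https://downloads.example/nightly.zip", "0" * 64)
    print(len(data), "bytes verified")
```

The digest has to come from a source other than the download itself, such as the checksum pinned in the cask, otherwise it only detects corruption and not a substituted file.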

@vitorgalvao
Member

vitorgalvao commented Feb 9, 2018

> Seeing as I'm not an iTerm2 maintainer, you may want to suggest this at the issue I linked previously.

I don’t have a GitLab account.

> let's open another issue on the main cask repo to prevent insecure HTTPS -> HTTP redirects on download urls?

Homebrew/homebrew-cask#25403.

@gtklocker
Contributor Author

gtklocker commented Feb 16, 2018

I guess @gnachman is active on GitHub as well, let us know how you feel about what @vitorgalvao proposed 😄

@gnachman

> By using cask-repair, all your build system would need to do is run cask-repair --cask-version {{nightly_version_here}} iterm2-nightly.

Would this be a proper command line?

cask-repair --cask-version 3.2.20180214-nightly iterm2-nightly

> I don’t have a GitLab account.

FYI GitLab lets you log in with GitHub as your OAuth provider.

@vitorgalvao
Member

vitorgalvao commented Feb 18, 2018

> Would this be a proper command line?

This would make more sense

cask-repair --cask-version 3.2.20180214 iterm2-nightly

but it depends on the download URL. Let’s say a typical nightly download is https://iterm2.com/downloads/nightly/iTerm2-3.2.20180214-nightly.zip and it always follows the same pattern. Then in the cask it would read https://iterm2.com/downloads/nightly/iTerm2-#{version}-nightly.zip. So we’re interpolating the value of version.

The only thing that matters is that the download URL follows a predictable pattern where only a specific portion changes every time, and we’ll use that portion as the version.

@gnachman

gnachman commented Mar 4, 2018

Commits 018a3faf and b00e8cc8 update the nightly build script to invoke cask-repair as requested.

lock bot locked and limited conversation to collaborators Jul 10, 2018