
Update Bartender 5.0.52 SHA #174106

Merged
merged 1 commit into from
May 17, 2024

Conversation

LanikSJ
Contributor

@LanikSJ LanikSJ commented May 17, 2024

Important: Do not tick a checkbox if you haven’t performed its action. Honesty is indispensable for a smooth review process.

In the following questions <cask> is the token of the cask you're submitting.

After making any changes to a cask, existing or new, verify:

Additionally, if adding a new cask:

  • Named the cask according to the token reference.
  • Checked the cask was not already refused.
  • Checked the cask is submitted to the correct repo.
  • brew audit --cask --new <cask> worked successfully.
  • HOMEBREW_NO_INSTALL_FROM_API=1 brew install --cask <cask> worked successfully.
  • brew uninstall --cask <cask> worked successfully.

Looks like there's a SHA mismatch when installing / reinstalling:

→ brew install bartender --force --verbose
==> Downloading https://macbartender.com/B2/updates/5-0-52/Bartender%205.zip
/usr/bin/env /opt/homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.3.0-66-gc269524\ \(Macintosh\;\ arm64\ Mac\ OS\ X\ 14.4.1\)\ curl/8.4.0 --header Accept-Language:\ en --fail --retry 3 --remote-time --output /Users/LanikSJ/Library/Caches/Homebrew/downloads/18511ca91a16177a87fc87d0bdeee17959dbeec371282b8101f8961543813700--Bartender\ 5.zip.incomplete --location https://macbartender.com/B2/updates/5-0-52/Bartender\%205.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11.0M  100 11.0M    0     0  74.8M      0 --:--:-- --:--:-- --:--:-- 74.9M
==> Verifying checksum for '18511ca91a16177a87fc87d0bdeee17959dbeec371282b8101f8961543813700--Bartender 5.zip'
Error: SHA256 mismatch
Expected: b38281d2b744d3e057b6a1e82d80c43ddf5384fcae751b30655daceb16694e8e
  Actual: e5d54c9d31b2d7f50a22ce8e28b8010c2eba5686657d5caa0d7eada74b787b02
    File: /Users/LanikSJ/Library/Caches/Homebrew/downloads/18511ca91a16177a87fc87d0bdeee17959dbeec371282b8101f8961543813700--Bartender 5.zip
To retry an incomplete download, remove the file above.

@chenrui333 chenrui333 enabled auto-merge May 17, 2024 13:21
@chenrui333 chenrui333 merged commit 9b273f4 into Homebrew:master May 17, 2024
17 checks passed
@aaronkollasch
Sponsor Contributor

aaronkollasch commented Jun 5, 2024

Note that the checksum mismatch is because version 5.0.52 was silently updated to include an analytics framework. See this reddit comment for details.

As a PSA, this change, and the signing certificate change, are related to its transfer to new ownership.

@krehel
Member

krehel commented Jun 5, 2024

@aaronkollasch - thanks for the note. I don't use the app but if you could summarize for me please - the community using this app seems unhappy by the change, but has it been identified as outwardly malicious or compromised?

@LanikSJ LanikSJ deleted the patch-1 branch June 5, 2024 19:39
@LanikSJ
Contributor Author

LanikSJ commented Jun 5, 2024

By the looks of the reddit thread the new owners of this app are questionable at best. Which really sucks 🙁 because I like this app. Here's a quote from @core-code which explains the state of things a bit better:

we've added the explanation notice you have all seen to MacUpdater due to the following situation:

• Bartender has always been developed by a guy called Ben Surtees and his company Surtees Studios and he was always reachable at bens@surteesstudios.com and their releases were always code-signed by 'Surtees Studios Limited (8DD663WDX4)'

• earlier this year, the style of the blog entries on the Bartender website changed from informational entries written by a developer to SEO-style articles probably written by ChatGPT

• then in April 22 for the 5.0.52 beta release the code signature changed from the expected (and safe) 'Surtees Studios Limited (8DD663WDX4)' to 'App Sub 1 LLC (PNSC6356BC)'

• this is concerning because 'App Sub 1 LLC' seems to be a dubious company publishing a few low quality iPad apps ( https://apps.apple.com/us/developer/app-sub-1-llc/id1667982354 ) and with an equally dubious homepage ( https://stepsforiphone.com/ ). why was their certificate used to sign Bartender releases?

• on 15. May the final release of Bartender 5.0.52 was released and again it was not signed by the known-and-safe 'Surtees Studios Limited (8DD663WDX4)' but by a 'Bartender App LLC (24J875RH8J)' never seen before

• e-mails to the official developer (Ben Surtees <bens@surteesstudios.com>) are also being returned as undeliverable and any mention of Ben's studio 'Surtees Studios' has been removed from the Bartender website

• the Bartender website and support channel refuse to give any information about what has happened, but i think it is pretty clear. Ben Surtees has sold Bartender to a dubious company called "App Sub 1 LLC" who first used their own signature to sign Bartender but because that raised too much suspicion they now founded a new company called 'Bartender App LLC' or maybe just got a certificate under that name. they refuse to give any information about the takeover and what exactly has happened

• note that we've hidden Bartender 5.0.52 from MacUpdater users for more than 2 weeks while we gave professional security investigator Patrick Wardle time to look into the issue. he has not replied on finding out anything until early june (*), that's why we are now displaying the update inside MacUpdater. we've still added the mentioned note to give a heads-up to our users that Bartender is now under new management.

(*) clarification jun 5: regarding Patrick Wardle looking into it: earlier this post incorrectly implied he has looked for malicious code and has found nothing but this is not correct. he has not yet looked at the 5.0.52 in detail.

I'm also a MacUpdater user/subscriber so I trust the above a whole lot more than the new owners.

@LanikSJ
Contributor Author

LanikSJ commented Jun 5, 2024

Ice seems like a good alternative. I've already removed Bartender as I don't trust analytics and "new owners". Doesn't give me the warm and fuzzies. Thank you @core-code the write up above was awesome. 😍

Anyway enough off topic from me. If you need any more info please let me know.

@krehel
Member

krehel commented Jun 5, 2024

Let's open a discussion on this instead of keeping it in a closed PR. I think the information here is enough for anyone coming across this anew, but I'd like to maintain an open dialogue on if we need to pull this in the future, pending research outcomes.

@LanikSJ
Contributor Author

LanikSJ commented Jun 5, 2024

Yes please a discussion would be great.

Doesn't seem like anything malicious in here yet, but you never know when an app magically changes hands. There are plenty of open source examples that support that logic.

@krehel
Member

krehel commented Jun 5, 2024

Discussion thread: https://github.com/orgs/Homebrew/discussions/5427
