brew audit causes Transmit downloads to fail

[jabenninghoff]

Output of brew config

HOMEBREW_VERSION: 4.6.11-64-g7e498eb
ORIGIN: https://github.com/Homebrew/brew
HEAD: 7e498eb83a6944c4817aaf21105834917a62c8a7
Last commit: 14 hours ago
Branch: main
Core tap HEAD: 493e108aee0ddfad2add9dc680206d60ac7d8e44
Core tap last commit: 12 minutes ago
Core tap JSON: 18 Sep 21:34 UTC
Core cask tap HEAD: e5d11c24e28f09491ad915a7fe2778eab70c7223
Core cask tap last commit: 67 minutes ago
Core cask tap JSON: 18 Sep 21:34 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_CLEANUP_MAX_AGE_DAYS: 36500
HOMEBREW_DISPLAY: /private/tmp/com.apple.launchd.qB0b15c00j/org.xquartz:0
HOMEBREW_EDITOR: /usr/bin/vim
HOMEBREW_FORBID_PACKAGES_FROM_PATHS: set
HOMEBREW_GITHUB_API_TOKEN: set
HOMEBREW_MAKE_JOBS: 16
HOMEBREW_SORBET_RUNTIME: set
Homebrew Ruby: 3.4.6 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.4.6/bin/ruby
CPU: 16-core 64-bit arm_brava
Clang: 17.0.0 build 1700
Git: 2.51.0 => /opt/homebrew/bin/git
Curl: 8.7.1 => /usr/bin/curl
macOS: 15.7-arm64
CLT: 26.0.0.0.1.1757719676
Xcode: 26.0
Rosetta 2: false

Output of brew doctor

Please note that these warnings are just used to help the Homebrew maintainers
with debugging if you file an issue. If everything you use Homebrew for is
working fine: please don't worry or file an issue; just ignore this. Thanks!

Warning: Unbrewed dylibs were found in /usr/local/lib.
If you didn't put them there on purpose they could cause problems when
building Homebrew formulae and may need to be deleted.

Unexpected dylibs:
  /usr/local/lib/libtcl8.6.dylib
  /usr/local/lib/libtk8.6.dylib

Warning: Unbrewed header files were found in /usr/local/include.
If you didn't put them there on purpose they could cause problems when
building Homebrew formulae and may need to be deleted.

Unexpected header files:
  /usr/local/include/fakemysql.h
  /usr/local/include/fakepq.h
  /usr/local/include/fakesql.h
  /usr/local/include/itcl.h
  /usr/local/include/itcl2TclOO.h
  /usr/local/include/itclDecls.h
  /usr/local/include/itclInt.h
  /usr/local/include/itclIntDecls.h
  /usr/local/include/itclMigrate2TclCore.h
  /usr/local/include/itclTclIntStubsFcn.h
  /usr/local/include/mysqlStubs.h
  /usr/local/include/odbcStubs.h
  /usr/local/include/pqStubs.h
  /usr/local/include/tcl.h
  /usr/local/include/tclDecls.h
  /usr/local/include/tclOO.h
  /usr/local/include/tclOODecls.h
  /usr/local/include/tclPlatDecls.h
  /usr/local/include/tclThread.h
  /usr/local/include/tclTomMath.h
  /usr/local/include/tclTomMathDecls.h
  /usr/local/include/tdbc.h
  /usr/local/include/tdbcDecls.h
  /usr/local/include/tdbcInt.h
  /usr/local/include/tk.h
  /usr/local/include/tkDecls.h
  /usr/local/include/tkPlatDecls.h

Warning: Unbrewed '.pc' files were found in /usr/local/lib/pkgconfig.
If you didn't put them there on purpose they could cause problems when
building Homebrew formulae and may need to be deleted.

Unexpected '.pc' files:
  /usr/local/lib/pkgconfig/tcl.pc
  /usr/local/lib/pkgconfig/tk.pc

Warning: Unbrewed static libraries were found in /usr/local/lib.
If you didn't put them there on purpose they could cause problems when
building Homebrew formulae and may need to be deleted.

Unexpected static libraries:
  /usr/local/lib/libtclstub8.6.a
  /usr/local/lib/libtkstub8.6.a

Description of issue

Transmit seems to have implemented some kind of rate limiting or dynamic blocking that is triggered by brew audit, which is causing the autobump action to fail for this cask. I'm not sure what the right course of action is here, would it be appropriate to add the no_autobump flag?

Note: I was able to replicate this behavior locally by running the following commands. The download times out for a while, and then starts working again (connections to download-cdn.panic.com work from a different IP).

% brew livecheck transmit --autobump
transmit: 5.10.9 ==> 5.11.0
% brew audit --cask --strict --online transmit --debug
==> Auditing Cask transmit on os sequoia and arch arm
==> Checking quarantine support
==> Quarantine is available.
==> Auditing signing
==> Downloading and extracting artifacts
==> Downloading https://download-cdn.panic.com/transmit/Transmit%205.10.9.zip
########################################################################################################################### 100.0%
==> Verifying Gatekeeper status of /Users/agamemnon/Library/Caches/Homebrew/downloads/1ce59f0b35b0b2b977dd92f3f2ed32dc19201503b4eca0c32e3d5ec457f82680--Transmit 5.10.9.zip
==> /Users/agamemnon/Library/Caches/Homebrew/downloads/1ce59f0b35b0b2b977dd92f3f2ed32dc19201503b4eca0c32e3d5ec457f82680--Transmit 5.10.9.zip is not quarantined
==> Quarantining /Users/agamemnon/Library/Caches/Homebrew/downloads/1ce59f0b35b0b2b977dd92f3f2ed32dc19201503b4eca0c32e3d5ec457f82680--Transmit 5.10.9.zip
==> in unpack_strategy, zip, extract_to_dir, verbose: false
==> Verifying Gatekeeper status of /private/tmp/cask-audit20250918-71500-2slxw5/Transmit.app
==> /private/tmp/cask-audit20250918-71500-2slxw5/Transmit.app is quarantined
==> Auditing Rosetta 2 requirement
==> Architectures: x86_64 arm64

==> Auditing minimum macOS version
==> Detected minimum macOS: ventura (from artifact: ventura)
==> Declared minimum macOS: ventura (from depends_on stanza: ventura)
==> Auditing GitHub prerelease
==> Downloading https://download-cdn.panic.com/transmit/Transmit%205.10.9.zip
Already downloaded: /Users/agamemnon/Library/Caches/Homebrew/downloads/1ce59f0b35b0b2b977dd92f3f2ed32dc19201503b4eca0c32e3d5ec457f82680--Transmit 5.10.9.zip
==> Verifying Gatekeeper status of /Users/agamemnon/Library/Caches/Homebrew/downloads/1ce59f0b35b0b2b977dd92f3f2ed32dc19201503b4eca0c32e3d5ec457f82680--Transmit 5.10.9.zip
==> /Users/agamemnon/Library/Caches/Homebrew/downloads/1ce59f0b35b0b2b977dd92f3f2ed32dc19201503b4eca0c32e3d5ec457f82680--Transmit 5.10.9.zip is quarantined
==> Auditing Forgejo prerelease
==> Auditing pkg stanza: allow_untrusted
==> Auditing stanzas which require an uninstall
==> Auditing preflight and postflight stanzas
==> Auditing single uninstall_* and zap stanzas
==> Auditing required stanzas
==> Auditing version :latest does not appear as a string ('latest')
==> Auditing sha256 :no_check with version :latest
==> Auditing sha256 string is a legal SHA-256 digest
==> Auditing sha256 is not a known invalid value
Warning: Removed Sorbet lines from backtrace!
Rerun with `--verbose` to see the original backtrace
==> curl: (28) Failed to connect to download-cdn.panic.com port 443 after 10006 ms: Timeout was reached
/opt/homebrew/Library/Homebrew/utils/curl.rb:186:in 'Utils::Curl#curl_with_workarounds'
/opt/homebrew/Library/Homebrew/utils/curl.rb:269:in 'Utils::Curl#curl_output'
/opt/homebrew/Library/Homebrew/utils/curl.rb:293:in 'block in Utils::Curl#curl_headers'
/opt/homebrew/Library/Homebrew/utils/curl.rb:292:in 'Array#each'
/opt/homebrew/Library/Homebrew/utils/curl.rb:292:in 'Utils::Curl#curl_headers'
/opt/homebrew/Library/Homebrew/livecheck/strategy.rb:218:in 'block in Homebrew::Livecheck::Strategy.page_headers'
/opt/homebrew/Library/Homebrew/livecheck/strategy.rb:216:in 'Array#each'
/opt/homebrew/Library/Homebrew/livecheck/strategy.rb:216:in 'Homebrew::Livecheck::Strategy.page_headers'
/opt/homebrew/Library/Homebrew/livecheck/strategy/header_match.rb:87:in 'Homebrew::Livecheck::Strategy::HeaderMatch.find_versions'
/opt/homebrew/Library/Homebrew/livecheck/livecheck.rb:732:in 'block in Homebrew::Livecheck.latest_version'
/opt/homebrew/Library/Homebrew/livecheck/livecheck.rb:662:in 'Array#each'
/opt/homebrew/Library/Homebrew/livecheck/livecheck.rb:662:in 'Enumerable#each_with_index'
/opt/homebrew/Library/Homebrew/livecheck/livecheck.rb:662:in 'Homebrew::Livecheck.latest_version'
/opt/homebrew/Library/Homebrew/cask/audit.rb:756:in 'Cask::Audit#audit_livecheck_version'
/opt/homebrew/Library/Homebrew/cask/audit.rb:327:in 'Cask::Audit#audit_hosting_with_livecheck'
/opt/homebrew/Library/Homebrew/cask/audit.rb:94:in 'block in Cask::Audit#run!'
/opt/homebrew/Library/Homebrew/cask/audit.rb:89:in 'Array#each'
/opt/homebrew/Library/Homebrew/cask/audit.rb:89:in 'Cask::Audit#run!'
/opt/homebrew/Library/Homebrew/cask/auditor.rb:140:in 'Cask::Auditor#audit_cask_instance'
/opt/homebrew/Library/Homebrew/cask/auditor.rb:97:in 'Cask::Auditor#audit'
/opt/homebrew/Library/Homebrew/cask/auditor.rb:29:in 'Cask::Auditor.audit'
/opt/homebrew/Library/Homebrew/dev-cmd/audit.rb:254:in 'block (3 levels) in Homebrew::DevCmd::Audit#run'
/opt/homebrew/Library/Homebrew/simulate_system.rb:39:in 'Homebrew::SimulateSystem.with'
/opt/homebrew/Library/Homebrew/dev-cmd/audit.rb:251:in 'block (2 levels) in Homebrew::DevCmd::Audit#run'
/opt/homebrew/Library/Homebrew/dev-cmd/audit.rb:248:in 'Array#each'
/opt/homebrew/Library/Homebrew/dev-cmd/audit.rb:248:in 'Enumerable#flat_map'
/opt/homebrew/Library/Homebrew/dev-cmd/audit.rb:248:in 'block in Homebrew::DevCmd::Audit#run'
/opt/homebrew/Library/Homebrew/dev-cmd/audit.rb:245:in 'Array#each'
/opt/homebrew/Library/Homebrew/dev-cmd/audit.rb:245:in 'Enumerable#each_with_object'
/opt/homebrew/Library/Homebrew/dev-cmd/audit.rb:245:in 'Homebrew::DevCmd::Audit#run'
/opt/homebrew/Library/Homebrew/brew.rb:101:in '<main>'
audit for transmit: failed
 - The binary URL https://download-cdn.panic.com/transmit/Transmit%205.10.9.zip is not reachable
 - The livecheck URL https://download.panic.com/transmit/Transmit-5-Latest.zip is not reachable (HTTP status code 302)
 - exception while auditing transmit: curl: (28) Failed to connect to download-cdn.panic.com port 443 after 10006 ms: Timeout was reached
transmit
  * line 5, col 2: The binary URL https://download-cdn.panic.com/transmit/Transmit%205.10.9.zip is not reachable
  * The livecheck URL https://download.panic.com/transmit/Transmit-5-Latest.zip is not reachable (HTTP status code 302)
  * exception while auditing transmit: curl: (28) Failed to connect to download-cdn.panic.com port 443 after 10006 ms: Timeout was reached
Error: 3 problems in 1 cask detected.
% brew livecheck transmit --autobump                  
Error: transmit: curl: (28) Failed to connect to download-cdn.panic.com port 443 after 10005 ms: Timeout was reached

Relevant casks

transmit

[bevanjkay]

This is an issue even from the browser, I have had consistent timeouts when trying to download the application, even from browser. If it remains consistent we may have to disable the cask.

[gromgit]

Both URLs work for me from the browser, so maybe it's a temporary issue. @jabenninghoff , try your brew audit again.

[bevanjkay]

After downloading the file again, I can't even visit the upstream archive from https://download-cdn.panic.com/transmit/ - it just times out.

[gromgit]

Huh, you're right, their CDN seems to be on the fritz.

[jabenninghoff]

Update: Panic is aware of the issue and working on fixing it. I've sent them details, including links to this discussion item, and the Transmit PR (Homebrew/homebrew-cask#228737). Hopefully they can figure it out soon!

[Michael-Panic]

Hey all,

I'm a developer who works on Transmit, and I'd like to apologize for the problems, explain what caused them, and start a discussion on how we can prevent issues download issues with homebrew in the future.

We host our own servers at a data center here in Portland, and in the past, we've had issues where the data center's ISP, Cogent, has had peering issues or with consumer ISPs all over the world.

So we switched to a hybrid model where we host the downloads on our own servers but also have CDNs in many regions worldwide. Hosting on the CDNs is much more expensive than hosting in our data center, but we have pricing such that we pay a flat rate for a certain amount of bandwidth each month. However, if we exceed that limit, it gets expensive quickly. This has rarely been an issue in the past, but spoiler alert, that changed recently.

A few months ago, a pirated version of Transmit started making the rounds that contained a modified version of Sparkle that re-downloads Transmit from our CDN over and over again. This isn't an intentional DDoS attack. Instead, it was an attempt to prevent Sparkle from updating the app to a non-pirated version.

Outside of the Mac App Store, hacked versions of Sparkle are the most common way to pirate Mac apps. Because Sparkle is open source and nearly every application links it, Sparkle is an easy target for those who want to crack Mac apps. Make one modified version of Sparkle, and you can inject code into every app. System Integrity Protection prevents apps hacked this way from running properly, but disabling SIP has become commonplace among those who run pirated apps.

Most of the time, these versions of Sparkle completely disable update checking so that the app won't update to a non-cracked version, but this one was instead modified to prevent the download from succeeding, causing Sparkle to repeatedly re-download the zip file from the CDN. This caused our bandwidth to explode to over 1 TB a day per region. Since the Transmit download is only 38 MB, that's over 25k downloads per region per day.

Facing huge bills from our CDN provider, we limited requests to 1 an hour, under the assumption that no normal user would need to download the zip file more than once an hour. You can see the effect it had on our bandwidth in the chart below. The traffic we're seeing is still higher than normal, because the pirated versions of the software still get to download one copy an hour, but it's remained below our flat-rate caps.

We quickly learned that this broke installs from homebrew users when they started sending us support mails. Looking at the homebrew source code, I saw that homebrew first sends a HEAD request before sending a GET request. Fair enough. We relaxed the rate limiting to allow for a few requests per hour, knowing that it would increase the bandwidth used by the cracked versions, but we watched it to make sure we were still staying under our caps. We thought things were working well until @jabenninghoff emailed us.

Today, we spent some time looking deeply at the traffic patterns of the cracked versions of Transmit and deployed an advanced rule that we believe will completely block the cracked versions while leaving everyone else alone.

The danger of this approach is that if the patterns from the cracked versions change, we could find ourselves with another high CDN bill. These bills are a large financial risk to our company, so if this happens, we may need to slam on rate limiting again, which could cause problems for homebrew users again. We'd like to avoid that if at all possible.

To that end, @jabenninghoff informed us that this job runs every three hours and downloads the app multiple times. If that's true, is there any way I could convince you to change that behavior, or at least ask why homebrew needs to do this? We could allowlist the specific IPs running these jobs if it's absolutely necessary, but that could break if the IPs change, and I'm kind of curious as to why you'd need to download the app multiple times.

Outside of homebrew, our users either download the app once from our site and update it from Sparkle, both of which only send one request our CDN. Although users sharing an IP address through NAT could also be affected by limits, we believe that it's unlikely that non-homebrew users would be seriously affected if we limited it to 6 requests an hour from our CDN. Again, we're no longer doing this, but might have to reinstate these limits if the cracked versions of Transmit start evading our block rules.

If this job is checking for updates, rather than downloading the entire app, I could provide you with a URL to Sparkle feed to check instead. That would use less bandwidth on our end, and I'm sure it would be faster for your job than re-downloading the file every time.

And somewhat related, is there a way to configure the Transmit cask to skip the HEAD request and just issue a GET request to download the app? The HEAD request isn't really an issue bandwidth-wise, but makes it more difficult to enforce the rate limits without causing issues for users.

Thank you for your consideration, and for reading this very lengthy explanation. I hope we can come up with a solution that works better for homebrew and for us.

[jabenninghoff]

Hello @Michael-Panic and thanks for your detailed response! I think the Homebrew team can offer a more complete answer, but they are shifting to using Sparkle to check for updates, see: Homebrew/homebrew-cask#228737, and the app should only be downloaded when there is a new version; but when that does happen it does seem to be downloaded more than once (perhaps just twice?), I'm just not sure of the details.

[bevanjkay]

Thanks for the detailed reply @Michael-Panic - regarding the multiple downloads, every 3 hours we check for a new version, which we have done by checking the response headers from https://download.panic.com/transmit/Transmit-5-Latest.zip. Note that the file itself is not downloaded, we only request the headers through curl.

When a new version is found, we download the file in a CI workflow to test that it works as intended, and to calculate a checksum. This can happen more than once, as we test on both intel and Apple Silicon architectures. The download itself is only fetched once, but we do make some subsequent requests that only check for the presence of https. I believe it is these additional requests that are blocked.

Here's an overview of what happens;

• Every 3 hours, headers are requested from https://download.panic.com/transmit/Transmit-5-Latest.zip to check for new versions
• If a new version is found a PR is opened.
• The CI workflow on the PR downloads the file once per architecture.
• We test the download url and the homepage to ensure that they receive a 200 response, and that https is present. (We don't redownload the file).
• We retest the "livecheck" url (https://download.panic.com/transmit/Transmit-5-Latest.zip) to check that it is indeed the correct latest version (in this case again only checking the headers).

I believe that after the initial download, things are failing because the additional checks are blocked.
I do not believe that any of this should result in a significant impact on your CDN from Homebrew specifically, but understand that the rules you have in place are related to a separate issue.

I think we do set a specific user-agent for Homebrew curl requests, so it may be possible to allow access without impacting the increased traffic from the pirated versions?

[Michael-Panic]

Allowlisting a specific user agent should solve the issue nicely. I doubt that the pirated versions would switch to your user agent.

Do you happen to know what the user agent is?

It's reassuring that the app is only downloaded if there's a new version. I'm not sure I completely understand why it would need to be downloaded on both architectures instead of downloading it once and just checking which slices the binary has, nor do I understand the HTTPS check since all our URLs are HTTPS, but I don't think it should really be causing significant bandwidth issues.

[bevanjkay]

The user agent has some variation as it includes the current Homebrew version and the curl version.
But it should always include "Homebrew" - here's an example,
--user-agent Homebrew/4.6.11-74-gf175ca5 (Macintosh; arm64 Mac OS X 26.0) curl/8.7.1

[p-linnane]

It's reassuring that the app is only downloaded if there's a new version. I'm not sure I completely understand why it would need to be downloaded on both architectures instead of downloading it once and just checking which slices the binary has, nor do I understand the HTTPS check since all our URLs are HTTPS, but I don't think it should really be causing significant bandwidth issues.

We test on an Intel machine, and an Apple Silicon machine. So each of those VMs pulls down the file to install it and perform checks.