Warning on sha :no_check? #7062

Closed
elliottslaughter opened this issue Oct 29, 2014 · 3 comments

Comments

@elliottslaughter

I get a little nervous whenever I am unable to verify the software I download. This is mitigated somewhat by the presence of SHA sums in most cask definitions; at least I know I am getting the same versions of apps you are seeing. But many casks have no checksums at all.

I understand there are reasons for this; e.g. Calibre, with unversioned downloads and frequent updates, would break a lot if you tried to enforce checksums. Maybe there is a potential solution here somewhere, but I imagine that any solution would require significant manual effort, which is a burden I don't want to place on anyone.

What would be nice though would be if I could get a warning when I attempt to install a cask without a checksum (and over insecure http). Or maybe you could manually check signatures of apps with spctl --assess, though that might possibly be more pain than it's worth. I'm fine if these are optional and not enabled by default, but it would be nice if there were some option for folks who are security conscious.

@tapeinosyne
Contributor

Hello @elliottslaughter. Sorry for the late reply.

I am amenable to improvements in this direction. There are several “cheap” approaches which should be readily available.

The most immediate improvement, as you suggest, would be to expose more information during the installation process. I am not confident we can make liberal use of explicit warnings, but we can certainly print out a notice or emphasize the download protocol. For example:

==> Downloading http://status.calibre-ebook.com/dist/osx32
==> Unencrypted connection
######################################################################## 100.0%
==> Symlinking App 'calibre.app' to '/Users/simulacrum/Applications/calibre.app'
==> Checksum not available
🍺  calibre staged at '/opt/homebrew-cask/Caskroom/calibre/latest' (3958 files, 201M)

This would merely make it clearer that the installation is insecure network-wise. (Options for more drastic behavior could be provided once we implement a proper configuration system for Homebrew-cask.) Addressing the underlying issue would be more complicated.

As you say, manually reviewing the checksums of frequently changing packages would not be sustainable. Automating such a process would require some infrastructure, which we currently lack. (Even so, we would still be waltzing around untrusted connections.)

I would like to investigate the commands spctl and codesign. They expose security functionality that the user normally encounters at application launch time (i.e. Gatekeeper), and it would be sensible to integrate them in a general verification step during brew cask install of compatible software.

@rolandwalker
Contributor

If this is the right place to put this: there are also cryptographic signatures embedded in many appcast URLs.

@adidalal
Contributor

Fixed in #16042

@miccal miccal removed core Issue with Homebrew itself rather than with a specific cask. enhancement labels Dec 23, 2016
@Homebrew Homebrew locked and limited conversation to collaborators May 8, 2018