Checksum of all files in Homebrew directory


#1

Does anyone know if there is an available list of the hashes for all files in the Homebrew directory that would be included with just the install of Homebrew before installing any packages?

Ideally I’d like a list with the name of each individual file, its hash, and whatever data is supposed to be included. Is this anywhere posted online so any user can review it and be sure nothing has been changed, removed, or added? Even posted to this forum would be better than a download I’d think, so it can be reviewed and verified by others.

If not, why isn’t it? Am I wrong to assume that a malicious file could be added in Homebrew’s directory that could modify the behavior of brew/packages which would not be fixed or removed when running brew doctor/update or upgrade (can never remember which one is for packages)?

Is there any way to check, verify, or prevent a file from being added elsewhere that would also be able to modify the behavior of brew or packages?


#2

Does anyone know if there is an available list of the hashes for all files in the Homebrew directory that would be included with just the install of Homebrew before installing any packages?

One of the requirements of adding a package (Formula) to Homebrew is that a checksum has to be provided, and so the download would be verified.
You can see all the checksums in the definitions of each package in the homebrew-core repository.

Am I wrong to assume that a malicious file could be added in Homebrew’s directory that could modify the behavior of brew/packages which would not be fixed or removed when running brew doctor/update or upgrade (can never remember which one is for packages)?

Homebrew follows GitHub’s PR-based workflow, so all the code that is added to Homebrew would be reviewed by the maintainers before being merged. Although here you’d have to trust the maintainers, who have a long record of doing this in a legit way. Apart from that, you are always free to go to the definition of the specific package that you’d like to install and verify the URL and checksum.