First of all: I’m one of the developers of Little Snitch, a user-friendly firewall for macOS that allows creating rules on a per-application (or per-executable) basis.
We occasionally have users who run into issues because executables installed via Homebrew do not have a code signature. This is relevant to Little Snitch because rules in Little Snitch can be configured to require an executable to have a valid code signature. If they don’t, Little Snitch will not allow connections and instead report the situation to the user.
We can improve the UI and UX on our side, but ultimately, the underlying issue is that executables without a code signature are a security risk because they can be modified or replaced without the user knowing about it. This risk is even greater if these executables are in user-writable locations.
I thought I’d run an idea by the community to see if there’s a desire to tackle this problem on Homebrew’s side. After all, validating an executable’s integrity is a benefit for every user of Homebrew, not just those who use Little Snitch.
One more disclaimer: I’m a very light user of Homebrew and have no experience whatsoever with creating my own packages. It is entirely possible that I got some of the naming wrong and I would very much appreciate any feedback on these things.
What follows is the text for a GitHub issue I’m planning on opening, but I wanted to run it by the community first. If you have any comments, I would be happy to hear them.
First of all: I’m one of the developers of Little Snitch, which will be relevant further below.
Executables and libraries installed via Homebrew from source are not code signed. This makes sense since the code is compiled on the user’s machine. This is usually not a huge problem, but can get in the way if other software tries to verify the integrity of the installed products. Also, there is no easy way to verify if the executables installed via Homebrew were modified or replaced with something else.
I’m proposing to add an optional configuration option to Homebrew that allows users to specify a code signing identity that should be used for signing installed products. Code signing can be done by brew in a post-install step using the
Since the signatures would only have to be accepted on the user’s machine and none other, it would be sufficient to use a self-generated signing identity. This could even be generated by Homebrew during setup and be stored in the user’s login keychain. That way, no certificate authority is needed to provide signing identities, which saves maintenance and monetary cost.
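As an added illustration of the post-install signing step proposed above (this is not Homebrew’s or Little Snitch’s code), here is a Ruby pass, Homebrew’s own language, that walks a keg, signs only the Mach-O files with a given identity via codesign, and skips scripts and Java class files whose magic collides with universal binaries. The identity name, the keg layout and the sample files are constructed assumptions, and the command runner is injectable so the pass can be exercised on a machine without codesign.

```ruby
require "fileutils"
require "find"
require "open3"
require "pathname"
# Mach-O magic numbers (32/64-bit, both byte orders). Universal ("fat") binaries
# are checked separately because Java .class files share the 0xCAFEBABE magic.
MACH_O_MAGICS = %w[feedface cefaedfe feedfacf cffaedfe].map { |h| [h].pack("H*") }.freeze
FAT_MAGIC = ["cafebabe"].pack("H*").freeze

# Only Mach-O images are signed; scripts, data files and Java classes are skipped.
def mach_o?(path)
  return false if File.symlink?(path) || !File.file?(path)
  head = File.binread(path, 8).to_s.b
  return false if head.bytesize < 8
  return true if MACH_O_MAGICS.include?(head[0, 4])
  # Fat header: nfat_arch is a small big-endian count, whereas a .class file
  # carries its Java version (45 or higher) in the same four bytes.
  head[0, 4] == FAT_MAGIC && head[4, 4].unpack1("N").between?(1, 20)
end

# --force replaces any existing signature (e.g. the linker's ad-hoc one on arm64);
# a self-generated identity cannot use Apple's timestamp service, so none is requested.
def codesign_argv(identity, path)
  ["codesign", "--force", "--sign", identity, "--timestamp=none", path.to_s]
end

def run_command(argv)
  out, status = Open3.capture2e(*argv)
  raise "#{argv.first} failed: #{out}" unless status.success?
  out
end

# Walk the keg and sign every Mach-O file. `runner` is injectable so the pass can be
# exercised (and tested) on a machine without codesign.
def sign_keg(keg, identity, runner: method(:run_command))
  Pathname.new(keg).find.select { |p| mach_o?(p) }.sort
          .each { |p| runner.call(codesign_argv(identity, p)) }.map(&:to_s)
end

# Constructed sample keg (assumption): a 64-bit Mach-O, a byte-swapped dylib,
# a shell wrapper and a Java class whose magic collides with a fat binary's.
def write_sample_keg(dir)
  { "bin/tool" => MACH_O_MAGICS[2] + "\0" * 28, "lib/libfoo.dylib" => MACH_O_MAGICS[3] + "\0" * 28,
    "bin/wrapper" => "#!/bin/sh\nexec tool \"$@\"\n",
    "share/Foo.class" => FAT_MAGIC + [0, 52].pack("nn") + "\0" * 24 }.each do |rel, bytes|
    FileUtils.mkdir_p(File.dirname(File.join(dir, rel)))
    File.binwrite(File.join(dir, rel), bytes)
  end
  dir
end
```

On a real keg the default runner invokes codesign; verification on the consuming side is then the ordinary `codesign --verify` check against the same identity.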
I will not explain the motivation for code signing in general here. But as previously stated, code signing would allow Homebrew itself, as well as other software to verify that executables were not modified since they were signed.
This is where my initial disclaimer comes into play. Little Snitch allows users to create rules for allowing or denying network connections on a per-executable and per-destination basis. By default, these rules require an executable to have a valid code signature (it is of course possible to completely ignore the code signature). There are cases that Little Snitch users run into that are quite complex, but that’s a UI and UX issue on our side. Nonetheless, if all executables were signed, users wouldn’t run into these issues and we’d have fewer users who are confused about this.
Therefore, my motivation for proposing this feature is more from a Little Snitch developer’s standpoint than from a Homebrew user’s.
Relevancy to Homebrew users
I personally think being able to verify that an executable installed via Homebrew was not modified in any way is highly desirable for everyone from maintainer to end-user. I realize that the way this verification is done is debatable.
None at the time.