Software authenticity


#1

Hi, first of all, thanks for developing Homebrew! I find it a very valuable tool! However, I wanted to know how Homebrew ensures the authenticity of the software it distributes. I.e. how do I know the software I download using Homebrew isn’t altered in some way after being published by its developers… I already discovered that (SHA256) checksums are used to check downloaded sources (and Bottles), and I also discovered that any applied patches are posted in the ‘formula-patches’ repository. Are there additional mechanisms that I missed? E.g. how does Homebrew ensure checksums provided in the formulas are authentic (and identical to those released by the developers of the software)… Would be great to hear your views/approach on this!


(Sean Molenaar) #2

The checksums are provided by the people who submit the software and verified by brew itself against the downloaded software. Other than that there isn’t much homebrew can do to verify anything.


#3

Ok, that’s indeed what I would expect. I do have a random idea/feature request that might aid in (further) enhancing the authenticity check: perhaps the submitted checksums can be (automatically) verified against developer-signed checksums using GPG (or against checksums of developer-signed source code)? E.g. by creating a keyring of developers’ signing keys (stored in a repository), and using brew-bot to verify if the submitted checksums are valid… Anyhow, thanks for the reply!


(Sean Molenaar) #4

That would greatly diminish the benefit of homebrew that everyone can submit software and it would place a greater burden on maintainers to keep brew up to date (instead of having the public do it). But if you can implement it in a way that doesn’t increase the burden anywhere, pull requests are always welcome.


#5

I think anyone would still be able to submit software in the same way they do now, by submitting a PR. Then the jenkins/ghprb (optionally) checks the submitted software’s authenticity using GPG (if the formula is marked ‘signed-by-source’, or whatever). There would be some effort in gathering developers’ signing keys, but those won’t change that often (perhaps revoked keys need to be removed periodically)… I’ll give implementing it a try!
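A sketch of the bot-side check proposed in this thread, added here as an example and not Homebrew's own code: it assumes the upstream project publishes a sha256sum-style SHA256SUMS file with a detached GPG signature, and that the curated developer keyring is a single file in a repository; the paths, file names and digests below are constructed.

```ruby
# Added example (not Homebrew code). Assumptions: upstream ships SHA256SUMS plus a
# detached signature, and the trusted developer keys live in one keyring file.
require "open3"

# Verify SHA256SUMS against its detached signature using ONLY the curated keyring
# (not the bot's default keyring). Returns true iff gpg exits 0, i.e. the file was
# signed by a key present in that ring.
def signature_valid?(sums_path, sig_path, keyring_path)
  _out, _err, status = Open3.capture3(
    "gpg", "--batch", "--no-default-keyring",
    "--keyring", keyring_path,
    "--trust-model", "always",          # the keyring itself is the trust decision
    "--verify", sig_path, sums_path
  )
  status.success?
end

# Parse sha256sum(1) output: "<hex>  <name>" or "<hex> *<name>" (binary mode).
# Returns { file name => lowercase digest }; malformed lines are ignored.
def parse_sha256sums(text)
  text.each_line.with_object({}) do |line, sums|
    m = line.match(/\A([0-9a-fA-F]{64})\s+\*?(\S.*?)\s*\z/)
    next unless m
    sums[m[2]] = m[1].downcase
  end
end

# Compare the sha256 declared in the formula with the signed digest for the same
# archive. Returns :ok, :missing (archive not listed) or :mismatch.
def check_formula_sha(formula_sha, archive_name, signed_sums)
  signed = signed_sums[archive_name]
  return :missing if signed.nil?
  signed == formula_sha.downcase ? :ok : :mismatch
end

# Constructed sample standing in for a downloaded (and already verified) SHA256SUMS.
SAMPLE_SUMS = <<~SUMS
  0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  foo-1.2.3.tar.gz
  fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 *foo-1.2.3.zip
SUMS

if $PROGRAM_NAME == __FILE__
  # In the bot, signature_valid? would gate this step; here only the comparison runs.
  sums = parse_sha256sums(SAMPLE_SUMS)
  puts check_formula_sha("0123456789ABCDEF" * 4, "foo-1.2.3.tar.gz", sums) # prints ok
end
```

The order matters: the SHA256SUMS file must pass `signature_valid?` before its digests are trusted, otherwise the comparison only proves the PR author copied an unsigned file correctly.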