The sha256 value is usually calculated by the command:
$ shasum -a 256 <file>The special value sha256 :no_check is used to turn off SHA checking whenever checksumming is impractical due to the upstream configuration.
version :latest requires sha256 :no_check, and this pairing is common. However, sha256 :no_check does not require version :latest.
We use a checksum whenever possible.
When updating the sha256 stanza of an existing Cask, the version also has to have changed. Otherwise, the new checksum has to be confirmed. This is necessary to help rule out malicious tampering.
The confirmation of the updated sha256 should ideally be publicly available. Specifically:
- By the developer:
- If confirmed on Twitter, @mention @homebrewcask.
- If confirmed on GitHub, @mention one of the Homebrew-Cask maintainers.
- Otherwise, post a link to the developer's confirmation.
- By codesign:
-
If the Cask is an
.appthat is codesigned (in a.dmgor.zipcontainer) it can be uploaded and verified using VirusTotal by looking at the “File Details” tab.Here's an example for Brave-0.18.14.dmg:
-
Maintainers will confirm the VirusTotal submission is legitimate by comparing its sha256 with the one on the updated cask.