sha256 checksum is not enforced

[eblot]

brew doctor output

Please note that these warnings are just used to help the Homebrew maintainers
with debugging if you file an issue. If everything you use Homebrew for is
working fine: please don't worry or file an issue; just ignore this. Thanks!

Warning: Some installed kegs have no formulae!
This means they were either deleted or installed manually.
You should find replacements for the following formulae:
  python-mako
  urjtag
  python-markupsafe

Warning: You have unlinked kegs in your Cellar.
Leaving kegs unlinked can lead to build-trouble and cause formulae that depend on
those kegs to fail to run properly once built. Run `brew link` on these:
  pygments
  python-mako
  arm-none-eabi-gdb
  wireshark
  python-markupsafe

Warning: Homebrew's "sbin" was not found in your PATH but you have installed
formulae that put executables in /opt/homebrew/sbin.
Consider setting your PATH for example like so:
  echo 'export PATH="/opt/homebrew/sbin:$PATH"' >> ~/.zshrc

Verification

• My "brew doctor output" above says Your system is ready to brew. and am still able to reproduce my issue.
• I ran brew update twice and am still able to reproduce my issue.
• This issue's title and/or description do not reference a single formula e.g. brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

brew config output

HOMEBREW_VERSION: 4.3.21
ORIGIN: https://github.com/Homebrew/brew
HEAD: c5d09b411776547bdbc8e0435deaf690ca632413
Last commit: 4 days ago
Core tap JSON: 16 Sep 09:11 UTC
Core cask tap JSON: 16 Sep 09:11 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_DISPLAY: /private/tmp/com.apple.launchd.lRW9S305cx/org.xquartz:0
HOMEBREW_MAKE_JOBS: 10
HOMEBREW_NO_INSTALL_CLEANUP: set
Homebrew Ruby: 3.3.4 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.3.4_1/bin/ruby
CPU: 10-core 64-bit arm_firestorm_icestorm
Clang: 15.0.0 build 1500
Git: 2.46.1 => /opt/homebrew/bin/git
Curl: 8.7.1 => /usr/bin/curl
macOS: 14.6.1-arm64
CLT: 15.3.0.0.1.1708646388
Xcode: 15.4
Rosetta 2: false

What were you trying to do (and why)?

Update a custom formula

What happened (include all command output)?

The archive content has been upgraded (new version) but I left the previous sha256 hash.

brew has successfully installed the new version from the source, without verifying the sha256 hash nor complaining it was missing.

What did you expect to happen?

Installation should have been aborted as sha256 no longer match the hash of the downloaded tarball

Step-by-step reproduction instructions (by running brew commands)

brew upgrade <formula>
# or
brew remove <formula>; brew install <formula>
# formula being part of a custom tap, not a core one (did not try with a core formula).

See https://github.com/orgs/Homebrew/discussions/5608

[carlocab]

Thanks for reporting, @eblot!

Note: this can be reproduced when building a formula in Homebrew/core from source.

[carlocab]

I've bisected this to

fb0bf3b7a228e7b7d74ed5066c37974de015bc4c is the first bad commit
commit fb0bf3b7a228e7b7d74ed5066c37974de015bc4c (HEAD)
Author: Markus Reiter <me@reitermark.us>
Date:   Wed Sep 4 23:12:58 2024 +0200

    Fix wrong `stage` method being called.

 Library/Homebrew/download_strategy.rb | 11 +++++++++++
 Library/Homebrew/formula_installer.rb |  6 +++---
 Library/Homebrew/resource.rb          | 21 +--------------------
 Library/Homebrew/software_spec.rb     |  6 ++----
 4 files changed, 17 insertions(+), 27 deletions(-)

CC @reitermarkus