The `sha256` value is usually calculated by the command:

```bash
$ shasum --algorithm 256 <file>
```

The special value `sha256 :no_check` is used to turn off SHA checking whenever checksumming is impractical due to the upstream configuration.

`version :latest` requires `sha256 :no_check`, and this pairing is common. However, `sha256 :no_check` does not require `version :latest`.
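As an added illustration (not part of the Homebrew documentation or of Homebrew's own code), the following Ruby script shows the checks these rules imply. It reads the `version` and `sha256` stanzas from a simplified Cask source, computes a file's SHA-256 with Ruby's `Digest` (the same hex string `shasum --algorithm 256` prints), rejects the forbidden `version :latest` without `sha256 :no_check` combination, and also applies the update rule from the next paragraph, flagging a changed checksum whose version did not change. The Cask texts, the `example` cask name and the file contents are constructed for this example; the parser recognises only the stanza forms shown here, not the full Cask DSL.

```ruby
require "digest"
require "tempfile"

# Constructed Cask sources for the example (not real Casks). The checksum in
# OLD_CASK is the SHA-256 of the text "hello\n", which stands in for a download.
OLD_CASK = <<~CASK
  cask "example" do
    version "1.0.0"
    sha256 "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
  end
CASK

# Same version, different checksum: the situation the docs say needs confirmation.
SUSPICIOUS_CASK = <<~CASK
  cask "example" do
    version "1.0.0"
    sha256 "0000000000000000000000000000000000000000000000000000000000000000"
  end
CASK

# The common pairing: a rolling "latest" download with checksumming turned off.
LATEST_CASK = <<~CASK
  cask "example" do
    version :latest
    sha256 :no_check
  end
CASK

# Pull `version` and `sha256` out of a Cask source. Simplified for this example:
# only quoted strings and the :latest / :no_check symbols are recognised.
def parse_cask(source)
  stanzas = {}
  source.each_line do |line|
    case line.strip
    when /\Aversion\s+:latest\z/         then stanzas[:version] = :latest
    when /\Aversion\s+"([^"]+)"\z/       then stanzas[:version] = $1
    when /\Asha256\s+:no_check\z/        then stanzas[:sha256] = :no_check
    when /\Asha256\s+"([0-9a-f]{64})"\z/ then stanzas[:sha256] = $1
    end
  end
  stanzas
end

# `version :latest` requires `sha256 :no_check`; `:no_check` with a fixed version is allowed.
def stanza_errors(cask)
  errors = []
  errors << "missing version stanza" unless cask.key?(:version)
  errors << "missing or malformed sha256 stanza" unless cask.key?(:sha256)
  if cask[:version] == :latest && cask[:sha256] != :no_check
    errors << "version :latest requires sha256 :no_check"
  end
  errors
end

# Compare a downloaded file with the cask's checksum. Digest::SHA256 over the
# file yields the same hex string as `shasum --algorithm 256 <file>`.
def verify_download(cask, path)
  return :skipped if cask[:sha256] == :no_check
  Digest::SHA256.file(path).hexdigest == cask[:sha256] ? :ok : :mismatch
end

# Update rule: a changed sha256 is only routine when the version changed too;
# otherwise the new checksum must be confirmed out of band before merging.
def review_update(old_cask, new_cask)
  return :no_change if old_cask[:sha256] == new_cask[:sha256]
  old_cask[:version] == new_cask[:version] ? :needs_confirmation : :version_bumped
end

if $PROGRAM_NAME == __FILE__
  Tempfile.create("example-download") do |f|
    f.write("hello\n")
    f.flush
    puts "download check: #{verify_download(parse_cask(OLD_CASK), f.path)}"
  end
  puts "latest cask errors: #{stanza_errors(parse_cask(LATEST_CASK)).inspect}"
  puts "update review: #{review_update(parse_cask(OLD_CASK), parse_cask(SUSPICIOUS_CASK))}"
end
```

Run it directly to see the three results; `review_update` returning `:needs_confirmation` is the case where a pull request must carry the developer's public confirmation described below.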
We use a checksum whenever possible.

When updating the `sha256` stanza of an existing Cask, the `version` also has to have changed. Otherwise, the new checksum has to be confirmed. This is necessary to help rule out malicious tampering.

The confirmation of the updated `sha256` should ideally be publicly available. Specifically:
- Ask the developer to publicly confirm the new checksum and provide a link to this confirmation in your pull request. As examples, confirmation can be achieved by opening an issue on the project's GitHub, or asking on the developer's Twitter. Note that a link to an upstream page with the checksum is never sufficient, as a malicious third party who could modify the download could also modify checksums on the page.
- If the Cask is an `.app` that is codesigned (in a `.dmg` or `.zip` container) it can be uploaded and verified using VirusTotal by looking at the "Details" tab. If there is no Signature Info section, VirusTotal verification is not enough. Maintainers will confirm the VirusTotal submission is legitimate by comparing its `sha256` with the one on the updated cask. Here's an example for Brave-0.18.36.dmg: