TL;DR; No.
Homebrew uses SHA-256 hash of the package to verify integrity, but not authenticity.
Example: homebrew-cask/gpg-suite.rb has the following SHA-256 hash: e0166931d58427bbd9cc0988765b4f723c554fa19e14d7697e152468c7e04f0d
OpenPGP signatures are not checked, so in the example above, users are relying on gpgtools.org to serve the correct file (hosting infrastructure is secure, admins are trustworthy, etc) and TLS certificate authority must not be compromised.
There was a very long and drawn out attempt to add gpg sig verification:
But then it was just closed before being merged...
Something called "gpg stanza" was enabled for a while, but deprecated because of this comment: Homebrew/4120#comment-406879969
I disagree with that comment.
The author seems to believe that Homebrew maintainers would have to verify real-world identities and / or that signature checking would confuse some users.
My response:
- PGP signatures should be optional for a formula (for packages that publish these)
- PGP signatures checking should be optional for users (off by default).
- Authenticity:
- The signatures check happens locally using the users's personal trust database.
- The signatures can be verified, but it is up to the user to choose the level of trust assigned to that key. Homebrew maintainers don't need to worry about that.
Unfortunately this decision to exclude signatures means one cannot have signature checking AND use homebrew (which offers nice package management!).
You can download the package yourself and check the signature, then take the SHA-256 hash and compare it to the one used in the corresponding Homebrew formula. If they are identical and you trust the signature, then you can install via brew.
You can of course also compile it yourself, but this doesn't help much if the source is not signed.
Make use of whatever you have and / or don't use packages that don't care about user security.
Sounds great, I hope it will become the norm for all projects in the future. Unfortunately very few projects offer this today. Without signatures on the builds, you also don't know if the code was tampered with / which one is correct.
Homebrew provides a broadly used and reviewed source of SHA-256 hashes. This can still provide some evidence suggesting which packages are being served by the so called "official" project domain. Users can download a package multiple times, from various IP addresses at different times and check that all of the hashes match what is in Homebrew. This at least suggests that you are not being individually targeted and increases the likelihood that the attacker would be caught while trying to fool everybody.
A Google search for a SHA-256 hash can help with the above process as well.
In many cases, this is the best option available unless you know the author personally.
As someone interested in contributing to this process for others, I publish hashes for various packages so that others can use my info to try and crowd-source some sense of package authenticity.
There is also the Apple developer signatures on most (?) apps for MacOS as well...
Sad, but this is the state of things today 2018-09-27.
Feedback / corrections are welcome and appreciated.
Jonathan Cross
WTFPL - See LICENSE for more info.