You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The homebrew-downloaded binary browserpass-3.0.6.mojave.bottle.tar.gz does not match the signature in browserpass-darwin64-3.0.6.tar.gz.asc. This is because the bottle is a homebrew-created binary which uses the upstream browserpass-darwin64-3.0.6.tar.gz.
Due to the security-focused nature of browserpass, the question of gpg verification of the source has been raised.
There is actually an old issue for the brew tool that proposed gpg key verification in formulae. Unfortunately the prevailing opinion from maintainers was that sha256 verification was "enough" for verification of upstream tarballs rather than the overhead of dealing with keys and proper signature verification.
I am not sure if there's currently a way to gpg verify the source tarball inside a homebrew formula, but I can look into it.
tl;dr: End-User verification
In the meantime, there is an option the end-user has for verification of upstream binaries themselves:
# ONLY download the build sources defined in the browserpass formula# this will download browserpass-darwin64.tar.gz and a testfile (used in the brew test block)
$ brew fetch --build-from-source browserpass
==> Downloading https://github.com/browserpass/browserpass-native/releases/download/3.0.6/browserpass-darwin64-3.0.6.tar.gz
Already downloaded: /Users/amar/Library/Caches/Homebrew/downloads/7235f172d5fde8cdfb6bc9d73c9d51edecf76ff6413a6d239fac5bd918bda3f3--browserpass-darwin64-3.0.6.tar.gz
SHA256: 422bc6dd1270a877af6ac7801a75b4c4b57171d675c071470f31bc24196701e3
# then you can verify this source yourself (note that the path for the .asc and the tarball will change in future releases):
$ gpg --verify browserpass-darwin64-3.0.6.tar.gz.asc ~/Library/Caches/Homebrew/downloads/7235f172d5fde8cdfb6bc9d73c9d51edecf76ff6413a6d239fac5bd918bda3f3--browserpass-darwin64-3.0.6.tar.gz
After this, you can view the homebrew formula file with
$ brew cat browserpass
so you can verify I'm not applying any strange patches to the source tarball, simply installing it.
You then can run:
$ brew install browserpass
Note
While brew install supports a --build-from-source flag, this flag doesn't actually build browserpass from source since the upstream provides a prebuilt binary. I can change the formula to actually build browserpass-native from source if there's significant want for it.
The text was updated successfully, but these errors were encountered:
would it be possible to download the signature via curl and execute gpg --verify directly from within the formula, as a first "build step", or the formula will not have read access to the archive file in the cache directory?
It could be possible?
There's a good bit of abstraction going on in the Formula method, and builds happen in a sandbox under /private/tmp without access to most of the rest of the filesystem.
Maybe a workaround is to download it as a resource, stage it a temporary path, and then gpg --verify it?
I've only built simple homebrew formulae at this point, so I'm unfamiliar with some of the more intricate functions I may have access to. I'll check it out when I can though (also open to suggestions if anyone is more familiar than I).
browserpass-native
repoThe homebrew-downloaded binary
browserpass-3.0.6.mojave.bottle.tar.gz
does not match the signature inbrowserpass-darwin64-3.0.6.tar.gz.asc
. This is because thebottle
is a homebrew-created binary which uses the upstreambrowserpass-darwin64-3.0.6.tar.gz
.Due to the security-focused nature of
browserpass
, the question of gpg verification of the source has been raised.There is actually an old issue for the
brew
tool that proposed gpg key verification in formulae. Unfortunately the prevailing opinion from maintainers was that sha256 verification was "enough" for verification of upstream tarballs rather than the overhead of dealing with keys and proper signature verification.I am not sure if there's currently a way to gpg verify the source tarball inside a homebrew formula, but I can look into it.
tl;dr: End-User verification
In the meantime, there is an option the end-user has for verification of upstream binaries themselves:
After this, you can view the homebrew formula file with
so you can verify I'm not applying any strange patches to the source tarball, simply installing it.
You then can run:
Note
While
brew install
supports a--build-from-source
flag, this flag doesn't actually buildbrowserpass
from source since the upstream provides a prebuilt binary. I can change the formula to actually build browserpass-native from source if there's significant want for it.The text was updated successfully, but these errors were encountered: