@bsitruk
Last active June 26, 2025 07:16
[Guide] Verify Brew Cask Publisher

Prompt

How to verify the identity of the publisher of a brew cask?

To verify the identity of the publisher of a Homebrew cask (macOS application distributed via Homebrew), you can follow these steps:


1. Check the Cask Source and Maintainer

Each Homebrew cask is maintained in a GitHub repository (typically Homebrew/homebrew-cask):

  • Use this command to see where the cask is defined:

    brew edit --cask <cask-name>

    OR

    brew info --github --cask <cask-name>
  • Alternatively, view it directly:

    brew cat --cask <cask-name>

    This shows the .rb file defining the cask, including:

    • url (source for download)
    • sha256 (to validate file integrity)
    • appcast, homepage, and verified domain (for identity verification)

2. Inspect the Verified Domain

The verified: parameter of the url stanza often looks like this:

url "https://downloads.example.com/app.dmg", verified: "example.com"

This means the Homebrew maintainers have checked that downloads from that domain are the app's official distribution point; the parameter is required precisely because the download host (here downloads.example.com) differs from the homepage domain. It vouches for the download location only, not for who signed the binary, which is what step 3 checks.


3. Manually Validate the Code Signature

After installing the app, you can check the code signature using:

codesign -dvv /Applications/<AppName>.app

This shows:

  • The certificate chain (the Authority= lines)
  • The team identifier (TeamIdentifier=)
  • Whether the signing certificate chains up to Apple, for example a Developer ID certificate

This is useful to verify the app really came from the expected developer. Note that codesign reports the signature itself; whether Apple notarized the build is a separate Gatekeeper assessment.


4. Check for GitHub Audit Trail

Every cask change goes through a pull request (PR) on GitHub. You can:

  • Search the cask in the homebrew-cask repo
  • Review the history of PRs and who submitted/approved the cask

This shows whether trusted maintainers reviewed the cask and any discussions about its origin.


5. Verify Downloaded Binary Hash

Before installing, Homebrew compares the SHA-256 of the downloaded file with the sha256 value in the cask. To repeat that check yourself:

brew fetch --cask <cask-name>
shasum -a 256 ~/Library/Caches/Homebrew/downloads/<downloaded-file>

Compare the output with the hash in the cask file to ensure no tampering. Keep in mind that a matching hash only proves the file is the one the cask author recorded when the cask was last updated; it says nothing about who published that file, so pair it with the domain and signature checks above.
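The following script is an added example, not code from the gist or from Homebrew. It parses the url, verified: and sha256 fields out of cask text (steps 2 and 5) and applies both checks on a constructed sample cask; the subdomain rule in url_under_verified is this example's own conservative choice, not Homebrew's audit logic.

```shell
#!/bin/sh
# Added example. Cask text below is constructed; on a Mac it would come
# from `brew cat --cask <cask-name>` and the digest from shasum.
SAMPLE_CASK='cask "example-app" do
  sha256 "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
  url "https://downloads.example.com/app-1.2.3.dmg",
      verified: "example.com/"
  homepage "https://www.example.com/"
end'

# Print the first double-quoted value following stanza/parameter $2 in cask text $1.
cask_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}
# Is download URL $1 under the verified: value $2? Accepts an exact prefix (host plus
# any path in verified:) or, when verified: is a bare host, any subdomain of it.
url_under_verified() {
  bare=$(printf '%s' "$1" | sed -E 's#^[a-z]+://##')   # drop the scheme
  want=$(printf '%s' "$2" | sed 's#/*$##')             # drop trailing slashes
  case "$bare" in "$want"|"$want"/*) return 0 ;; esac
  case "$want" in */*) return 1 ;; esac                 # path given: prefix only
  host=${bare%%/*}
  case "$host" in *."$want") return 0 ;; esac
  return 1
}
# Compare the cask's sha256 ($1) with a locally computed digest ($2), ignoring case.
hash_matches() {
  a=$(printf '%s' "$1" | tr 'A-F' 'a-f'); b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$a" ] && [ "$a" = "$b" ]
}
# Run both checks on cask text $1 and digest $2; returns non-zero if either fails.
verify_cask_text() {
  url=$(cask_field "$1" url); verified=$(cask_field "$1" 'verified:')
  status=0
  if [ -z "$verified" ]; then
    echo "verified: absent, so the host must match homepage $(cask_field "$1" homepage)"
  elif url_under_verified "$url" "$verified"; then echo "verified: ok ($url under $verified)"
  else echo "verified: FAIL ($url is not under $verified)"; status=1; fi
  if hash_matches "$(cask_field "$1" sha256)" "$2"; then echo "sha256: ok"
  else echo "sha256: FAIL (cask and download differ)"; status=1; fi
  return $status
}
# On a Mac with Homebrew (not run here):
#   brew fetch --cask <cask-name>
#   verify_cask_text "$(brew cat --cask <cask-name>)" \
#     "$(shasum -a 256 "$(brew --cache --cask <cask-name>)" | cut -d' ' -f1)"
```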


Summary

To verify the identity of a Homebrew cask publisher:

  • Check the verified: domain in the cask file
  • Inspect the app's code signature after install
  • Review GitHub history of the cask for legitimacy
  • Validate binary hashes manually
  • Prefer installing only well-known apps from trusted domains

Let me know if you'd like help checking a specific cask.
