I was infected with malware by installing the Handbrake app with brew cask, because the downloaded version was a malicious file.
This happened due to the Handbrake servers being compromised, but also because this commit was merged without suspicion: 461af7672fa267ed42bd5572c20bf337cb4da87e. The commit only changed the checksum from the valid one to the checksum of the malicious file. Fortunately, it has been reverted by 9f7489ab1560b7a36fbe4c6c7f89e789ca6055a5.
How can this be prevented from happening again? The obvious lesson is to pay extra attention and never merge a PR that doesn't update both the version and the checksum. Could this be validated automatically?
Can this issue be used as a place of discussion to come up with some better process for accepting checksums in the formulae and handling verification of downloaded files?
I am worried about this too. How can I check what dmg-file was downloaded when I installed Handbrake through brew cask?
Alternatively, or additionally, is there any way I can generate an installation log showing what I have installed with their checksums, date of installation, and other details?
Found out that I could check the cask by running brew cask fetch handbrake and then it would give the location of the downloaded dmg-file. The checksum does not match the compromised dmg-files, luckily.
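The two checks raised above (a merge policy that refuses a checksum-only change, and verifying a fetched .dmg against the checksum the cask declares) can both be expressed as a small script. The following is an added example written for this thread, not Homebrew-Cask's own code: it parses the `version` and `sha256` lines of a cask definition, applies the "sha256 may only change together with version" rule to an old/new pair, and compares a file on disk against the declared digest. The cask name `example-app`, the `example.invalid` URL and the all-`a`/all-`b` digests are constructed placeholders.

```ruby
require 'digest'
require 'tempfile'

# --- Hypothetical reviewer/CI helper, not part of Homebrew-Cask ------------

# Pull the two fields the incident hinges on out of a cask definition.
# Returns { version: String, sha256: String }, where sha256 is the lowercase
# hex digest or ':no_check' when the cask opts out of verification.
def parse_cask(text)
  version = text[/^\s*version\s+(\S+)/, 1]
  sha256  = text[/^\s*sha256\s+(\S+)/, 1]
  {
    version: version && version.delete("'\""),
    sha256:  sha256 && sha256.delete("'\"").downcase
  }
end

# The policy discussed in the thread: a PR may change sha256 only together
# with a version change. Returns [allowed?, reason].
def checksum_change_allowed?(old_text, new_text)
  before = parse_cask(old_text)
  after  = parse_cask(new_text)
  sha_changed     = before[:sha256] != after[:sha256]
  version_changed = before[:version] != after[:version]

  return [true, 'checksum unchanged'] unless sha_changed
  return [true, 'checksum changed together with version bump'] if version_changed
  [false, "sha256 changed (#{before[:sha256]} -> #{after[:sha256]}) " \
          "while version stayed #{after[:version]}; hold for upstream confirmation"]
end

# Compare a downloaded artifact (e.g. the .dmg path printed by `brew cask fetch`)
# against the digest declared in the cask. Returns [match?, actual_hex].
# A cask declaring :no_check gives the reviewer nothing to verify, so it fails.
def verify_download(path, expected_sha256)
  actual = Digest::SHA256.file(path).hexdigest
  return [false, actual] if expected_sha256.nil? || expected_sha256 == ':no_check'
  [actual == expected_sha256.downcase, actual]
end

# --- Constructed sample data --------------------------------------------------

SHA_A = 'a' * 64 # placeholder digest, not a real file hash
SHA_B = 'b' * 64 # placeholder digest for the swapped artifact

# Builds a minimal constructed cask definition in the usual DSL layout.
def cask_text(version, sha)
  <<~CASK
    cask 'example-app' do
      version '#{version}'
      sha256 '#{sha}'
      url "https://example.invalid/releases/\#{version}/ExampleApp-\#{version}.dmg"
      name 'Example App'
      app 'ExampleApp.app'
    end
  CASK
end

# Writes a constructed stand-in for a downloaded .dmg to a temp file and checks
# it once against its true digest and once against a wrong one.
def demo_verify
  Tempfile.create('constructed-dmg') do |f|
    f.write('constructed stand-in for a downloaded .dmg')
    f.flush
    real = Digest::SHA256.file(f.path).hexdigest
    [verify_download(f.path, real).first, verify_download(f.path, SHA_B).first]
  end
end

if __FILE__ == $PROGRAM_NAME
  base = cask_text('1.0.7', SHA_A)
  p checksum_change_allowed?(base, cask_text('1.0.7', SHA_B)) # checksum-only change: rejected
  p checksum_change_allowed?(base, cask_text('1.0.8', SHA_B)) # version bump with new digest: allowed
  p demo_verify                                               # [true, false]
end
```

In a CI job the two cask texts would come from the base and head revisions of the PR; the policy deliberately also flags a switch to `:no_check` without a version change, since that removes verification rather than updating it. For the local check, the path argument is the one `brew cask fetch` prints and the expected digest is the `sha256` line of the cask that was installed, so a mismatch tells you the artifact on disk is not what the cask vouched for.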
Objective See post with some more information about this.
It would be ideal if versions were immutable once released.
If that's not possible with the PR system, how can you make it so inconvenient to change a hash without changing the version that a contributor or maintainer would not want to do it?
If you think of hash mismatches like browser warnings when you connect to an insecure site, there are (usually) ways to bypass the warnings. Browsers could remove that "Continue" option altogether and make it impossible for the user to ignore the warnings, thus actually making them effective. Can a similar thing be done with Homebrew to force changing both if changing one?
How can I check what dmg-file was downloaded when I installed Handbrake through brew cask?
brew cask cat handbrake will show you the installed Cask (or if it isn't installed, the Cask in the Tap).
How can this be prevented from happening again?
As you already pointed out, the obvious first step is to add a new policy to ensure that both the version and the checksum changed.
As @reitermarkus has pointed out, we are taking steps to minimise this happening.
Thank you all for the civility in the discussion. I could see this issue having been opened with shouting, and I’m thankful it did not. I take full responsibility for the occurrence, and apologise. Thankfully this cask uses auto_updates so it won’t even show in brew cask outdated. The number of affected people is bound to be tiny.
It was contained yesterday (as you can see by the reversal), at which point the active maintainers were contacted to discuss next steps. Unfortunately, this one cannot be fixed with technical solutions, it has to be a policy change.
This case was preventable, but it might not have been. Had the malicious authors gotten access to a main server for an app and updated the HTML to link to a fake version bump and infected that one, there’s no way we could know. That is, unless we check every version bump with every author, at which point HBC would cease to exist because the logistics of that would be untenable.
Damn the malicious author, and thank you all again for the civility. We’re all human (or are we?) and this was a mistake that we hope to not make again (saying “we” there because I’m referring to the project, but again, I take full responsibility for this one). My sincere apologies, and I hope this does not affect your trust in Homebrew-Cask. I choose to see it as analogous to the Bob Hoover story.
Thanks, @vitorgalvao. We at HandBrake very much appreciate your response.
We recently published a postmortem on the attack, for anyone interested: https://forum.handbrake.fr/viewtopic.php?f=33&t=36399