The `sha256` value is usually calculated by the command:

```bash
$ shasum -a 256 <file>
```

The special value `sha256 :no_check` is used to turn off SHA checking whenever checksumming is impractical due to the upstream configuration. `version :latest` requires `sha256 :no_check`, and this pairing is common. However, `sha256 :no_check` does not require `version :latest`.
We use a checksum whenever possible. When updating the `sha256` stanza of an existing Cask, the `version` also has to have changed. Otherwise, the new checksum has to be confirmed. This is necessary to help rule out malicious tampering.
The confirmation of the updated `sha256` should ideally be publicly available. Specifically:

- Post a link to the developer's confirmation.
- If the Cask is an `.app` that is codesigned (in a `.dmg` or `.zip` container), it can be uploaded and verified using VirusTotal by looking at the "Details" tab. If there is no Signature Info section, VirusTotal verification is not enough: without a signature, the report only shows what was uploaded, not that the developer built it.

Maintainers will confirm the VirusTotal submission is legitimate by comparing its `sha256` with the one on the updated Cask. Here's an example for Brave-0.18.36.dmg: