Developing formulae or casks

[bwagner]

Output of brew config

HOMEBREW_VERSION: 4.1.17
ORIGIN: https://github.com/Homebrew/brew
HEAD: 35746e0a6ba6c3c5cfe56d99f79d9ec9f52ee15f
Last commit: 3 days ago
Core tap JSON: 25 Oct 07:00 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_EDITOR: vi
HOMEBREW_GITHUB_API_TOKEN: set
HOMEBREW_MAKE_JOBS: 10
Homebrew Ruby: 2.6.10 => /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby
CPU: 10-core 64-bit arm_firestorm_icestorm
Clang: 15.0.0 build 1500
Git: 2.42.0 => /opt/homebrew/bin/git
Curl: 8.1.2 => /usr/bin/curl
macOS: 14.0-arm64
CLT: 15.0.0.0.1.1694021235
Xcode: 15.0.1
Rosetta 2: false

Output of brew doctor

Please note that these warnings are just used to help the Homebrew maintainers
with debugging if you file an issue. If everything you use Homebrew for is
working fine: please don't worry or file an issue; just ignore this. Thanks!

Warning: Some installed formulae are deprecated or disabled.
You should find replacements for the following formulae:
  [email protected]

Warning: Unbrewed dylibs were found in /usr/local/lib.
If you didn't put them there on purpose they could cause problems when
building Homebrew formulae, and may need to be deleted.

Unexpected dylibs:
  /usr/local/lib/libMuseSamplerCoreLib.dylib

Warning: You have unlinked kegs in your Cellar.
Leaving kegs unlinked can lead to build-trouble and cause formulae that depend on
those kegs to fail to run properly once built. Run `brew link` on these:
  python-certifi
  python-packaging
  pygments

Description of issue

Installing/updating threema gives this warning:
Warning: No checksum defined for cask 'threema', skipping verification.

which stems from the formula's threema.rb content:
sha256 :no_check

Checking with Threema support resulted in this answer:

The .dmg is cryptographically signed, hence there is no need for a checksum (it is
implicitly part of the signing).

Still, for you convenience, we provide a sha256 checksum here:
https://releases.threema.ch/web-electron/v1/release/Threema-Latest.dmg.sha256

I first considered a feature request to have the checksum downloaded automatically, but that would be a security breach, so I'm proposing an additional possible value for the sha256 key in the formula, namely: signed_binary. Its effect would be to no longer issue the above warning.

[SMillerDev]

The .dmg is cryptographically signed, hence there is no need for a checksum (it is implicitly part of the signing).

That makes no sense, the checksum is there to ensure you get the correct file. If I point the cask to https://releases.threema.ch/web-electron/v1/release/Threema-compromised.dmg and sign that it is still a bad file.

Still, for you convenience, we provide a sha256 checksum here: https://releases.threema.ch/web-electron/v1/release/Threema-Latest.dmg.sha256

We don't dynamically download checksums so that doesn't help for brew.

The only way that brew can start using a checksum is if there is a versioned download from threema. Otherwise any update will break the cask for everyone until brew catches up with the checksum: https://docs.brew.sh/Adding-Software-to-Homebrew#examples

[bwagner]

Thank you!

[bwagner]

In the meantime, I've found a versioned alias for Threema downloads. In the threema-formula threema.rb, you could use:

url "https://releases.threema.ch/web-electron/archive/latest-#{version}/Threema-Latest.dmg"

Also, a file containing the sha256-sum can be retrieved by appending .sha256 to the above url.

A script could be written that updates the threema.rb formula (updating version and sha256 stanzas) whenever a new Threema version is released.

But how is this typically handled in homebrew?

I see specialized solutions like action-homebrew-bump-formula, but my use case seems pretty standard.

[SMillerDev]

Detecting new versions in Brew packages is done by https://docs.brew.sh/Brew-Livecheck. The action you found uses that.