homebrew-cask/doc/cask_language_reference/stanzas/sha256.md

sha256

Calculating the SHA256

The sha256 value is usually calculated by the command:

$ shasum -a 256 <file>

Special Value :no_check

The special value sha256 :no_check is used to turn off SHA checking whenever checksumming is impractical due to the upstream configuration.

version :latest requires sha256 :no_check, and this pairing is common. However, sha256 :no_check does not require version :latest.

We use a checksum whenever possible.

Updating the SHA256

When updating the sha256 stanza of an existing Cask, the version also has to have changed. Otherwise, the new checksum has to be confirmed. This is necessary to help rule out malicious tampering.

The confirmation of the updated sha256 should ideally be publicly available. Specifically:

• Post a link to the developer's confirmation.

• If the Cask is an .app that is codesigned (in a .dmg or .zip container) it can be uploaded and verified using VirusTotal by looking at the “Details” tab.

  If there is no Signature Info section, VirusTotal verification is not enough.

  Maintainers will confirm the VirusTotal submission is legitimate by comparing its sha256 with the one on the updated cask.

  Here's an example for Brave-0.18.36.dmg: