The homebrew-downloaded binary browserpass-3.0.6.mojave.bottle.tar.gz does not match the signature in browserpass-darwin64-3.0.6.tar.gz.asc. This is because the bottle is a homebrew-created binary which uses the upstream browserpass-darwin64-3.0.6.tar.gz.
Due to the security-focused nature of browserpass, the question of gpg verification of the source has been raised.
There is actually an old issue for the brew tool that proposed gpg key verification in formulae. Unfortunately the prevailing opinion from maintainers was that sha256 verification was "enough" for verification of upstream tarballs rather than the overhead of dealing with keys and proper signature verification.
I am not sure if there's currently a way to gpg verify the source tarball inside a homebrew formula, but I can look into it.
tl;dr: End-User verification
In the meantime, there is an option the end-user has for verification of upstream binaries themselves:
# ONLY download the build sources defined in the browserpass formula
# this will download browserpass-darwin64.tar.gz and a testfile (used in the brew test block)
$ brew fetch --build-from-source browserpass
==> Downloading https://github.com/browserpass/browserpass-native/releases/download/3.0.6/browserpass-darwin64-3.0.6.tar.gz
Already downloaded: /Users/amar/Library/Caches/Homebrew/downloads/7235f172d5fde8cdfb6bc9d73c9d51edecf76ff6413a6d239fac5bd918bda3f3--browserpass-darwin64-3.0.6.tar.gz
SHA256: 422bc6dd1270a877af6ac7801a75b4c4b57171d675c071470f31bc24196701e3
# then you can verify this source yourself (note that the path for the .asc and the tarball will change in future releases):
$ gpg --verify browserpass-darwin64-3.0.6.tar.gz.asc ~/Library/Caches/Homebrew/downloads/7235f172d5fde8cdfb6bc9d73c9d51edecf76ff6413a6d239fac5bd918bda3f3--browserpass-darwin64-3.0.6.tar.gz
After this, you can view the homebrew formula file with
$ brew cat browserpass
so you can verify I'm not applying any strange patches to the source tarball, simply installing it.
You then can run:
$ brew install browserpass
Note
While brew install supports a --build-from-source flag, this flag doesn't actually build browserpass from source since the upstream provides a prebuilt binary. I can change the formula to actually build browserpass-native from source if there's significant want for it.
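One way to script the end-user check above, as an added example that is not code from the issue or the browserpass project. It assumes brew, curl and gpg are on PATH and that the upstream signing key has already been imported; the "Downloaded to:" wording for a cache miss is an assumption.

```shell
#!/bin/sh
# Added example (not from the issue or the browserpass project): automate the
# end-user verification steps, failing closed before `brew install` is reached.

# Constructed sample of `brew fetch` output (shape taken from the issue's
# transcript, cache path shortened) so the parsers can be exercised offline.
SAMPLE_FETCH_OUTPUT='==> Downloading https://github.com/browserpass/browserpass-native/releases/download/3.0.6/browserpass-darwin64-3.0.6.tar.gz
Already downloaded: /Users/amar/Library/Caches/Homebrew/downloads/7235f--browserpass-darwin64-3.0.6.tar.gz
SHA256: 422bc6dd1270a877af6ac7801a75b4c4b57171d675c071470f31bc24196701e3'

# Upstream publishes the detached signature as <tarball URL>.asc.
asc_url_for() { printf '%s.asc\n' "$1"; }

# Pull the download URL and the cache path out of `brew fetch` output.
# brew prints "Already downloaded:" on a cache hit; "Downloaded to:" for a
# fresh download is assumed wording.
fetch_url_from_output() {
    printf '%s\n' "$1" | sed -n 's/^==> Downloading //p' | head -n 1
}
cached_path_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Already downloaded: //p; s/^Downloaded to: //p' | head -n 1
}

# Fetch the formula's source, verify it against the upstream .asc, then print
# the formula for inspection. Returns non-zero on any failure. Note: gpg also
# exits 0 for a good signature from a key it does not trust, so compare the
# fingerprint it reports with one obtained out of band.
verify_brew_source() {
    formula="$1"
    out="$(brew fetch --build-from-source "$formula" 2>&1)" || return 1
    url="$(fetch_url_from_output "$out")"
    tarball="$(cached_path_from_output "$out")"
    if [ -z "$url" ] || [ ! -f "$tarball" ]; then
        echo "could not locate cached tarball for $formula" >&2
        return 1
    fi
    sig="$(mktemp)"
    curl -fsSL "$(asc_url_for "$url")" -o "$sig" || { rm -f "$sig"; return 1; }
    gpg --verify "$sig" "$tarball" || { rm -f "$sig"; return 1; }
    rm -f "$sig"
    brew cat "$formula"
}

# Usage: verify_brew_source browserpass && brew install browserpass
```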
Would it be possible to download the signature via curl and execute gpg --verify directly from within the formula, as a first "build step", or will the formula not have read access to the archive file in the cache directory?
It could be possible?
There's a good bit of abstraction going on in the Formula method, and builds happen in a sandbox under /private/tmp without access to most of the rest of the filesystem.
Maybe a workaround is to download it as a resource, stage it at a temporary path, and then gpg --verify it?
I've only built simple homebrew formulae at this point, so I'm unfamiliar with some of the more intricate functions I may have access to. I'll check it out when I can though (also open to suggestions if anyone is more familiar than I).