user experience when installing casks should provide security information and controls

[lanterndev]

I just installed the virtualbox cask and this was my ux:

_pants@qux ~> brew cask install virtualbox
==> Downloading http://download.virtualbox.org/virtualbox/4.3.2/VirtualBox-4.3.2-90405-OSX.dmg
######################################################################## 100.0%
==> Running installer for virtualbox; your password may be necessary.
Password:
==> installer: Package name is Oracle VM VirtualBox
==> installer: Upgrading at base path /
==> installer: The upgrade was successful.
==> Success! virtualbox installed to /opt/homebrew-cask/Caskroom/virtualbox/4.3.2-90405

1. I'm shown that the installer is being downloaded over http rather than https, making it possible for the connection to be man-in-the-middled
2. After the download is complete, I'm not shown whether the file is checked against a secure checksum (i.e. not md5) obtained over an authenticated connection. Inside knowledge of how cask works is required to find https://github.com/phinze/homebrew-cask/blob/master/Casks/virtualbox.rb, see that it has a sha1 defined, and assume that cask is using it.
3. I'm prompted for my administrator password
4. OS X shows a scary warning that a kernel extension is being installed from an unidentified developer. If the download was indeed not tampered with, this is on Oracle to fix. But I was not shown any evidence the download wasn't tampered with.

It would be a huge ux improvement if cask actually showed if and when it's verifying the integrity and authenticity of files downloaded over http, and if verification is not possible, warned the user and prompted her before continuing. As of three months ago, 35% of casks had no checksum, which IMO is too high a percentage to let users install without giving them a fighting chance of even being aware that they were not verified.

If and when #164 is implemented, gpg signature verification (instead of or in addition to checksum verification) could be shown during installation for casks that provide signatures (e.g. tor-browser). (Props to @ioerror on opening that issue. Nice docs on verifying signatures published at https://www.torproject.org/docs/verifying-signatures.html.en).

[vitorgalvao]

Regarding http vs https, we try to always use the official links from the source, so there isn’t much we can do there, we’re working with the links we have available.

Your second point is debatable. Homebrew-cask will warn you if the check fails, just not if it passes — I believe that makes for a better experience — warn when something is wrong, don’t spit the same information all the time (your brain will eventually start to ignore it). Arguably, the users who care about these things are the ones who are savvy enough to find them out, the rest just want the system to work.

Yes, you are prompted for your password, you are also warned beforehand that’ll happen. It is a necessity for the package to be installed, you’d also need to do it if you were downloading and installing it yourself, manually. I’m not really seeing your point, here, what would you suggest in this case?

Yes, that last point is on Oracle. That can obviously be fixed, just not with programming on our side, they have to make the decision to do it.

Casks without a checksum don’t have one for a reason (they point to apps with always up-to date urls and would constantly break when the app updates on the server), but it is a very valid concern, please add your ideas/opinion on this to this issue, where we’re discussing exactly this (the more input, the better).

As stated above, I do not think always showing when the verification is happening would necessarily be an improvement, but I can certainly see the case for warning when that is not happening.

[muescha]

For user ux the point (2) would be nice. Also if it passes the check.

I would like to see details on how its checked and if it fails or pass.

The cask installer prints out also other different task logs - why not with this task?

[jab]

+1 on what @muescha said. Actually being advised that cask is doing a checksum verification is much more useful information to me than some of the other things cask is already printing. And it's not like it's going to spam the console with many lines of noise; it's one extra line, which has a big security impact at that. Easy to take for granted when you don't live in one of these places or don't know anyone affected, but plenty of users are in countries where the government is known for actively man-in-the-middling connections to get malware on targets' computers. So this is a good opportunity to raise awareness about everything cask is doing to keep its users secure too.

[vitorgalvao]

which has a big security impact at that.

I’m not sure I agree it has any actual impact, seeing it’s just an informational message.

this is a good opportunity to raise awareness about everything cask is doing to keep its users secure too.

I can certainly get behind this idea, though. Regarding point 2, I was clearly the minority on this issue — I say “was” because I’m convinced, you all made valid points, and why not add it?

Pinging @phinze @passcod @nanoxd and @fanquake on this.

[jab]

Another reason to output the checksum (especially when --verbose is passed) is for debugging. Just hit a case where this could be helpful for debugging in #7136.

[vitorgalvao]

@Skivvies Your second point has already been address.

Closing in favour of #10380.