You may want to set --require-sha as a default option in your Homebrew casks for extra security, either with the environment variable HOMEBREW_CASK_OPTS="--require-sha" or adding cask_args require_sha: true to your Brewfile.
The thing is, many casks do not have a SHA256 checksum since their download link is not versionable. This includes: chromium, google-chrome, logi-options+ (Ventura+), onyx, spotify. For more information, see Homebrew/homebrew-cask#147305. This will lead to this error:
...
==> Verifying checksum for '89947a18e10d5bbda8e2b5d15a60b6823353f019ea1a4b74e3d9c4f91248776e--chromium.rb'
==> Checking cask has checksum
Error: Cask 'chromium' does not have a sha256 checksum defined and was not installed.
This means you have the --require-sha option set, perhaps in your HOMEBREW_CASK_OPTS.
/opt/homebrew/Library/Homebrew/cask/installer.rb:177:in `verify_has_sha'
...Hopefully, in the future, a feature like pnpm's no-downgrade could be added, but for now, to quickly enable SHA256 checksum verification in your Brewfile, run the following command:
brew info --cask --quiet --json=v2 $(brew bundle --global list --cask --quiet) | jq -r '
.casks[]
| if .sha256 == "no_check" then
"cask \"\(.token)\" # See Homebrew/homebrew-cask#147305"
else
"cask \"\(.token)\", args: { require_sha: true }"
end
'This will output the casks portion of the Brewfile (minus pinning, extra args, etc.) into stdout and enable require_sha only on the casks that have a SHA256 checksum.