Question

Is there a way to install Homebrew on macOS such that anything downloaded from the Internet is cryptographically validated for integrity and authenticated to the actual publisher?

Unfortunately, the method listed on the official brew.sh website to install it on macOS is a horribly insecure curl-piped-to-bash command:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"

Note that HTTPS doesn't provide authentication, since the X.509 checks in curl trust a ton of certificates (including certs issued by CAs owned by nation states that have a known history of committing cyber attacks, including active content manipulation over HTTPS via MITM attacks).

Ideally, these cryptographic checks would come in the form of a signed checksum file using GPG.

Is there any way to install brew in a way that provides cryptographic validation of the installer's integrity and authenticity?
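The download-then-verify pattern the question is asking for, as an added example that is not part of the original post and not something the Homebrew project ships: instead of piping curl into bash, fetch the installer to a file, compare its SHA-256 against a digest you pinned yourself after reviewing that exact file, and execute it only on a match. The expected digest is an assumption the operator supplies out of band (there is no project-published, signed digest to fetch), and the installer content used in `demo` is a constructed stand-in so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Homebrew project.
# Pattern: never pipe an unreviewed download into bash. Fetch it to a file,
# compare the file's SHA-256 with a digest you obtained or computed out of band
# (assumption: you reviewed that copy and pinned its digest yourself), and only
# then run it. Homebrew publishes no signed digest of install.sh, so EXPECTED
# below is an operator-pinned value, not a project-provided one.

set -u

# Portable SHA-256 of a file: sha256sum (Linux), shasum (macOS), openssl fallback.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_then_run FILE EXPECTED_SHA256
# Runs FILE with bash only if its digest equals EXPECTED_SHA256.
# On mismatch: prints both digests to stderr, returns 1, executes nothing.
verify_then_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: expected $expected, got $actual" >&2
        return 1
    fi
    bash "$file"
}

# Demonstration on a constructed stand-in for install.sh (no network access).
# Returns 0 if the pinned copy runs and a modified copy is refused.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'echo "installer ran"' > "$tmp"
    # Operator reviews this content and pins its digest (the out-of-band step).
    pinned=$(sha256_of "$tmp")

    # 1. Unmodified file: digest matches, installer executes.
    verify_then_run "$tmp" "$pinned" || { rm -f "$tmp"; return 1; }

    # 2. Same path, content altered after review (constructed tampering):
    #    digest differs, installer must NOT execute.
    printf '%s\n' 'echo "tampered installer"' > "$tmp"
    if verify_then_run "$tmp" "$pinned" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
    return 0
}
```

In real use you would `curl -fsSLo install.sh <URL>`, read `install.sh`, record `sha256_of install.sh`, and call `verify_then_run install.sh <that digest>` on every machine afterwards. Note the limit of what this buys you: a self-pinned digest protects the integrity of the copy you reviewed against later modification, but it does not authenticate the publisher, which is the part the question asks for and which requires a signature from the project itself.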


Solution

No, this ability is not provided by the brew project.

As an open-source and community-run project, no one is providing assurance of the installer's integrity and authenticity.

See brew's Vulnerability Disclosure Program for more details about the project's handling of security concerns.

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange