Last November, Alpha-Omega and Trail of Bits announced a collaboration to bring build provenance to homebrew-core.
Today, we are pleased to announce that the core of that work is live and in public beta: homebrew-core is now using Sigstore to cryptographically attest to all bottles built in the official Homebrew CI.
This is aligned with Sigstore’s mission: to support frictionless and transparent provenance on all artifact registries.
Homebrew’s build provenance follows last year’s npm provenance feature, making Homebrew the second major packaging ecosystem to adopt Sigstore!
In other words, going forwards, each bottle built by Homebrew will come with a cryptographically verifiable statement binding the bottleās content to the specific workflow and other build-time metadata that produced it.
This metadata includes (among other things) the git commit and GitHub Actions run ID for the workflow that produced the bottle, making it a SLSA Build L2-compatible attestation:
This work is still in early beta, and involves features still under active development within both Homebrew and GitHub.
However, for the adventurous, we recommend checking out the Trail of Bits blog for a longer explainer on Homebrew’s build provenance, how it was implemented, and how early adopters can begin to play with it!