Homebrew 6.0.0 has been released, introducing third-party tap trust verification to enhance security.



Homebrew 6.0.0, the latest version of the package management tool for macOS and Linux, was released on June 11, 2026. Updates include 'tap trust,' which requires third-party taps to be explicitly trusted before their code is evaluated; the internal JSON API enabled by default; a sandbox for Linux; improvements to brew bundle; performance enhancements; and initial support for macOS 27 'Golden Gate.'

Homebrew: 6.0.0

https://brew.sh/2026/06/11/homebrew-6.0.0/

Homebrew is a convenient system that allows you to add necessary software with a single command. However, Homebrew does not directly manage the software itself; instead, it uses configuration files that describe 'where to download it from' and 'how to install it.' Configuration files for command-line tools are called 'formulas,' and configuration files for GUI applications are called 'casks.'



Homebrew taps are used as a source for distributing such formulas and casks. A tap is a repository that can distribute formulas and casks separately from the Homebrew core, and there are not only official Homebrew taps but also third-party taps managed by individuals and companies.

However, the formulas and casks included in a tap are not just simple lists. Homebrew may evaluate the Ruby code within a tap to check dependencies and proceed with the installation process, and if a third-party tap is malicious or compromised, it could potentially execute unintended code with the user's privileges. This means that a convenient extension like a tap can also become an entry point for software supply chain attacks.

Tap trust, introduced in Homebrew 6.0.0, is a new trust verification mechanism designed to mitigate these risks. Official Homebrew taps and built-in Homebrew commands are trusted by default, but third-party taps, formulas with explicit tap names, casks, and external commands require explicit trust before their code can be evaluated or executed. This reduces situations where the contents of an added tap are automatically loaded, minimizing damage from hijacking and name conflicts.

To trust only a specific formula, use 'brew trust --formula user/repo/formula,' and to trust only a cask, use 'brew trust --cask user/repo/cask.' While it's possible to trust the entire tap, Homebrew documentation explains that it's preferable to trust only the necessary formulas and casks. You can also add 'trusted: true' to your Brewfile, making it easier to specify which taps you trust in a team or automated environment.
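The trust model above rewards narrow trust: a tap trusted as a whole means every formula and cask it ships may be evaluated, while trusting only the entries you actually install keeps a later addition to that tap from being loaded automatically. The following audit script is an added example, not Homebrew's own code; it assumes the Brewfile keyword form `tap "user/repo", trusted: true` for the 'trusted: true' setting described above, and uses a constructed Brewfile plus an assumed list of official tap names. It parses the Brewfile with a tiny DSL shim and reports which third-party taps carry blanket trust and which third-party formulas and casks could instead be trusted individually with `brew trust --formula` or `brew trust --cask`.

```ruby
# Added example: audit a Brewfile for third-party tap trust declarations.
# Assumption: Brewfile syntax `tap "user/repo", trusted: true` (from the article's
# description of the 'trusted: true' Brewfile option).
# Assumption: the set of "official" taps below is illustrative, not Homebrew's list.
OFFICIAL_TAPS = %w[homebrew/core homebrew/cask homebrew/bundle].freeze

class BrewfileAudit
  attr_reader :taps, :formulas, :casks

  def initialize
    @taps = {}      # "user/repo" => true if trusted as a whole, false otherwise
    @formulas = []  # names as written in the Brewfile, e.g. "git" or "user/repo/name"
    @casks = []
  end

  # DSL shims mirroring the Brewfile keywords; unknown options are ignored.
  def tap(name, trusted: false, **_opts)
    @taps[name] = trusted
  end

  def brew(name, **_opts)
    @formulas << name
  end

  def cask(name, **_opts)
    @casks << name
  end

  # Evaluate the Brewfile text against a fresh audit object (self is the audit).
  def self.parse(text)
    audit = new
    audit.instance_eval(text, "Brewfile")
    audit
  end

  def third_party_taps
    @taps.reject { |name, _| OFFICIAL_TAPS.include?(name) }
  end

  # Taps whose entire contents have been trusted (broad trust).
  def blanket_trusted_taps
    third_party_taps.select { |_, trusted| trusted }.keys
  end

  # Third-party taps declared but not trusted; their code stays unevaluated.
  def untrusted_third_party_taps
    third_party_taps.reject { |_, trusted| trusted }.keys
  end

  # Formulas and casks qualified with a third-party tap name (user/repo/name).
  # These are the candidates for narrow, per-entry trust.
  def third_party_entries
    (@formulas + @casks).select do |name|
      name.count("/") == 2 && !OFFICIAL_TAPS.include?(name.rpartition("/").first)
    end
  end

  def report
    lines = []
    blanket_trusted_taps.each do |t|
      lines << "WARN  tap #{t} is trusted as a whole; prefer trusting only the entries you use"
    end
    untrusted_third_party_taps.each do |t|
      lines << "INFO  tap #{t} is not trusted; its code will not be evaluated until trusted"
    end
    third_party_entries.each do |e|
      kind = @casks.include?(e) ? "--cask" : "--formula"
      lines << "NOTE  #{e} comes from a third-party tap; narrow trust: brew trust #{kind} #{e}"
    end
    lines
  end
end

# Constructed sample Brewfile (tap and package names are made up for this example).
SAMPLE_BREWFILE = <<~BREWFILE
  tap "homebrew/bundle"
  tap "example-org/tools", trusted: true
  tap "someone/experimental"
  brew "git"
  brew "example-org/tools/deploy-cli"
  cask "someone/experimental/nightly-app"
BREWFILE

if __FILE__ == $PROGRAM_NAME
  puts BrewfileAudit.parse(SAMPLE_BREWFILE).report
end
```

Run it against your own Brewfile by replacing the constructed sample with `File.read("Brewfile")`; a clean result is one with no WARN lines, where each third-party entry is trusted individually rather than through its tap.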



Homebrew 6.0.0 also includes changes that reduce data traffic and speed up update processing. The internal JSON API, which could be enabled with 'HOMEBREW_USE_INTERNAL_API' since Homebrew 5.0.0, is now enabled by default. By retrieving Homebrew metadata in bulk, it speeds up processes such as 'brew update' and reduces network access.

In Linux environments, a sandbox using Bubblewrap has been introduced. A sandbox is a mechanism that restricts the scope of access during build, testing, and post-installation processing, and a similar type of protection was already in place on macOS. Homebrew 6.0.0 moves towards aligning the scope of protection with that of macOS, aiming to reduce the risk of build processes and other operations accessing sensitive files such as user credentials and SSH keys.

Furthermore, based on user feedback to Homebrew, the 'ask mode' feature, which displays a summary of dependencies and a confirmation prompt before changes are made, is now the default for 'brew install' and 'brew upgrade.' Because you see what will be changed before the command proceeds, it is easier to notice unintended changes in everyday package management.

Regarding 'brew bundle,' which allows you to reproduce the same development environment on multiple machines, updates include parallel installation of formulas by default, support for npm and krew, an expanded cleanup function, and the addition of winget support on Windows.

In terms of performance, the startup process has been adjusted and the loading of Ruby libraries has been reduced, resulting in a roughly 30% faster 'brew leaves' command. Bottle information retrieval during upgrades has also been parallelized, improving the waiting time for commonly used commands.



Homebrew 6.0.0 also adds initial support for macOS 27 'Golden Gate.' Since macOS 27 will end support for Intel Macs, Homebrew plans to move macOS Intel x86_64 to Tier 3 in September 2026, discontinuing new bottle builds and CI support. Furthermore, in September 2027, support for macOS Intel x86_64 will be completely discontinued, and related code will be removed.

In addition to tap trust, several other security fixes are included. Homebrew has released three security advisories, fixing issues that allowed bypassing HTTPS-to-HTTP redirect protection, enabling root code execution via Git hooks in the postinstall step of macOS .pkg installation, and potentially allowing a local attacker to acquire ownership of Homebrew. Furthermore, improvements have been made to filter sensitive environment variables during Ruby evaluation, and an option to require checksums for casks has been added.

Homebrew has listed several measures to combat software supply chain attacks, such as those affecting npm and PyPI, including having human maintainers review changes to official taps, using sha256 checksums for formula downloads, building bottles with Homebrew's CI, and using sandboxes on macOS and Linux. However, the Homebrew team has also stated that 'this is not a resolved issue, and we are not claiming that Homebrew is immune to attacks,' and that they will continue to monitor the supply chain situation and take additional measures as needed.

in Software, Security, Posted by log1d_ts