| 
									
										
										
										
											2025-02-03 16:28:46 +01:00
										 |  |  | # typed: strict | 
					
						
							| 
									
										
										
										
											2025-02-03 16:23:09 +01:00
										 |  |  | # frozen_string_literal: true | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | require "abstract_command" | 
					
						
							|  |  |  | require "attestation" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | module Homebrew | 
					
						
							|  |  |  |   module DevCmd | 
					
						
							| 
									
										
										
										
											2025-02-03 17:08:55 +01:00
										 |  |  |     class Verify < AbstractCommand | 
					
						
							| 
									
										
										
										
											2025-02-03 16:23:09 +01:00
										 |  |  |       cmd_args do | 
					
						
							|  |  |  |         description <<~EOS | 
					
						
							|  |  |  |           Verify the build provenance of bottles using GitHub's attestation tools. | 
					
						
							| 
									
										
										
										
											2025-02-03 17:08:55 +01:00
										 |  |  |           This is done by first fetching the given bottles and then verifying | 
					
						
							| 
									
										
										
										
											2025-02-03 16:23:09 +01:00
										 |  |  |           their provenance. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |           Note that this command depends on the GitHub CLI. Run `brew install gh`. | 
					
						
							|  |  |  |         EOS | 
					
						
							|  |  |  |         flag   "--os=", | 
					
						
							|  |  |  |                description: "Download for the given operating system." \ | 
					
						
							|  |  |  |                             "(Pass `all` to download for all operating systems.)" | 
					
						
							|  |  |  |         flag   "--arch=", | 
					
						
							|  |  |  |                description: "Download for the given CPU architecture." \ | 
					
						
							|  |  |  |                             "(Pass `all` to download for all architectures.)" | 
					
						
							|  |  |  |         flag   "--bottle-tag=", | 
					
						
							|  |  |  |                description: "Download a bottle for given tag." | 
					
						
							|  |  |  |         switch "--deps", | 
					
						
							|  |  |  |                description: "Also download dependencies for any listed <formula>." | 
					
						
							|  |  |  |         switch "-f", "--force", | 
					
						
							|  |  |  |                description: "Remove a previously cached version and re-fetch." | 
					
						
							|  |  |  |         switch "-j", "--json", | 
					
						
							|  |  |  |                description: "Return JSON for the attestation data for each bottle." | 
					
						
							|  |  |  |         conflicts "--os", "--bottle-tag" | 
					
						
							|  |  |  |         conflicts "--arch", "--bottle-tag" | 
					
						
							|  |  |  |         named_args [:formula], min: 1
 | 
					
						
							|  |  |  |       end | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |       sig { override.void } | 
					
						
							|  |  |  |       def run | 
					
						
							|  |  |  |         bucket = if args.deps? | 
					
						
							|  |  |  |           args.named.to_formulae.flat_map do |formula| | 
					
						
							|  |  |  |             [formula, *formula.recursive_dependencies.map(&:to_formula)] | 
					
						
							|  |  |  |           end | 
					
						
							|  |  |  |         else | 
					
						
							|  |  |  |           args.named.to_formulae | 
					
						
							|  |  |  |         end.uniq | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         os_arch_combinations = args.os_arch_combinations | 
					
						
							|  |  |  |         json_results = [] | 
					
						
							|  |  |  |         bucket.each do |formula| | 
					
						
							|  |  |  |           os_arch_combinations.each do |os, arch| | 
					
						
							|  |  |  |             SimulateSystem.with(os:, arch:) do | 
					
						
							|  |  |  |               bottle_tag = if (bottle_tag = args.bottle_tag&.to_sym) | 
					
						
							|  |  |  |                 Utils::Bottles::Tag.from_symbol(bottle_tag) | 
					
						
							|  |  |  |               else | 
					
						
							|  |  |  |                 Utils::Bottles::Tag.new(system: os, arch:) | 
					
						
							|  |  |  |               end | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |               bottle = formula.bottle_for_tag(bottle_tag) | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2025-02-03 17:12:11 +01:00
										 |  |  |               if bottle | 
					
						
							|  |  |  |                 bottle.clear_cache if args.force? | 
					
						
							|  |  |  |                 bottle.fetch | 
					
						
							|  |  |  |                 begin | 
					
						
							|  |  |  |                   attestation = Homebrew::Attestation.check_core_attestation bottle | 
					
						
							|  |  |  |                   oh1 "#{bottle.filename} has a valid attestation" | 
					
						
							|  |  |  |                   json_results.push(attestation) | 
					
						
							|  |  |  |                 rescue Homebrew::Attestation::InvalidAttestationError => e | 
					
						
							|  |  |  |                   ofail <<~ERR | 
					
						
							|  |  |  |                     Failed to verify #{bottle.filename} with tag #{bottle_tag} due to error: | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |                     #{e} | 
					
						
							|  |  |  |                   ERR | 
					
						
							|  |  |  |                 end | 
					
						
							|  |  |  |               else | 
					
						
							| 
									
										
										
										
											2025-02-03 16:23:09 +01:00
										 |  |  |                 opoo "Bottle for tag #{bottle_tag.to_sym.inspect} is unavailable." | 
					
						
							|  |  |  |               end | 
					
						
							|  |  |  |             end | 
					
						
							|  |  |  |           end | 
					
						
							|  |  |  |         end | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         puts json_results.to_json if args.json? | 
					
						
							|  |  |  |       end | 
					
						
							|  |  |  |     end | 
					
						
							|  |  |  |   end | 
					
						
							|  |  |  | end |