admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity

attestation: specialize error on incompatible gh

Browse Source 
Signed-off-by: William Woodruff <william@yossarian.net>
This commit is contained in:
William Woodruff 2024-10-10 12:06:09 +01:00
parent bdb9ed0531
commit 0613050d59
No known key found for this signature in database
2 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Library/Homebrew/attestation.rb
View File

@ -52,6 +52,12 @@ module Homebrew
# @api private # @api private
class GhAuthInvalid < RuntimeError; end class GhAuthInvalid < RuntimeError; end
# Raised if attestation verification cannot continue due to `gh`
# being incompatible with attestations, typically because it's too old.
#
# @api private
class GhIncompatible < RuntimeError; end
# Returns whether attestation verification is enabled. # Returns whether attestation verification is enabled.
# #
# @api private # @api private
@ -136,6 +142,10 @@ module Homebrew
env: { "GH_TOKEN" => credentials, "GH_HOST" => "github.com" }, env: { "GH_TOKEN" => credentials, "GH_HOST" => "github.com" },
secrets: [credentials], print_stderr: false, chdir: HOMEBREW_TEMP) secrets: [credentials], print_stderr: false, chdir: HOMEBREW_TEMP)
rescue ErrorDuringExecution => e rescue ErrorDuringExecution => e
if e.status.exitstatus == 1 && e.stderr.include?("unknown command")
raise GhIncompatible, "gh CLI is incompatible with attestations"
end
# Even if we have credentials, they may be invalid or malformed. # Even if we have credentials, they may be invalid or malformed.
if e.status.exitstatus == 4 || e.stderr.include?("HTTP 401: Bad credentials") if e.status.exitstatus == 4 || e.stderr.include?("HTTP 401: Bad credentials")
raise GhAuthInvalid, "invalid credentials" raise GhAuthInvalid, "invalid credentials"

15
Library/Homebrew/formula_installer.rb
View File

@ -1343,6 +1343,21 @@ on_request: installed_on_request?, options:)
ohai "Verifying attestation for #{formula.name}" ohai "Verifying attestation for #{formula.name}"
begin begin
Homebrew::Attestation.check_core_attestation T.must(formula.bottle) Homebrew::Attestation.check_core_attestation T.must(formula.bottle)
rescue Homebrew::Attestation::GhIncompatible
# A small but significant number of users have developer mode enabled
# but *also* haven't upgraded in a long time, meaning that their `gh`
# version is too old to perform attestations.
raise CannotInstallFormulaError, <<~EOS
The bottle for #{formula.name} could not be verified.
This typically indicates an outdated or incompatible `gh` CLI.
Please confirm that you're running the latest version of `gh`
by performing an upgrade before retrying:
brew update
brew upgrade gh
EOS
rescue Homebrew::Attestation::GhAuthInvalid rescue Homebrew::Attestation::GhAuthInvalid
# Only raise an error if we explicitly opted-in to verification. # Only raise an error if we explicitly opted-in to verification.
raise CannotInstallFormulaError, <<~EOS if Homebrew::EnvConfig.verify_attestations? raise CannotInstallFormulaError, <<~EOS if Homebrew::EnvConfig.verify_attestations?