attestation: specialize error on incompatible gh

Signed-off-by: William Woodruff <william@yossarian.net>
2024-10-10 12:06:09 +01:00 · 2024-10-10 12:06:09 +01:00 · 0613050d59
commit 0613050d59
parent bdb9ed0531
2 changed files with 25 additions and 0 deletions
--- a/Library/Homebrew/attestation.rb
+++ b/Library/Homebrew/attestation.rb
@ -52,6 +52,12 @@ module Homebrew
    # @api private
    class GhAuthInvalid < RuntimeError; end

+    # Raised if attestation verification cannot continue due to `gh`
+    # being incompatible with attestations, typically because it's too old.
+    #
+    # @api private
+    class GhIncompatible < RuntimeError; end
+
    # Returns whether attestation verification is enabled.
    #
    # @api private
@ -136,6 +142,10 @@ module Homebrew
                                 env: { "GH_TOKEN" => credentials, "GH_HOST" => "github.com" },
                                 secrets: [credentials], print_stderr: false, chdir: HOMEBREW_TEMP)
      rescue ErrorDuringExecution => e
+        if e.status.exitstatus == 1 && e.stderr.include?("unknown command")
+          raise GhIncompatible, "gh CLI is incompatible with attestations"
+        end
+
        # Even if we have credentials, they may be invalid or malformed.
        if e.status.exitstatus == 4 || e.stderr.include?("HTTP 401: Bad credentials")
          raise GhAuthInvalid, "invalid credentials"
--- a/Library/Homebrew/formula_installer.rb
+++ b/Library/Homebrew/formula_installer.rb
@ -1343,6 +1343,21 @@ on_request: installed_on_request?, options:)
      ohai "Verifying attestation for #{formula.name}"
      begin
        Homebrew::Attestation.check_core_attestation T.must(formula.bottle)
+      rescue Homebrew::Attestation::GhIncompatible
+        # A small but significant number of users have developer mode enabled
+        # but *also* haven't upgraded in a long time, meaning that their `gh`
+        # version is too old to perform attestations.
+        raise CannotInstallFormulaError, <<~EOS
+          The bottle for #{formula.name} could not be verified.
+
+          This typically indicates an outdated or incompatible `gh` CLI.
+
+          Please confirm that you're running the latest version of `gh`
+          by performing an upgrade before retrying:
+
+            brew update
+            brew upgrade gh
+        EOS
      rescue Homebrew::Attestation::GhAuthInvalid
        # Only raise an error if we explicitly opted-in to verification.
        raise CannotInstallFormulaError, <<~EOS if Homebrew::EnvConfig.verify_attestations?