Merge pull request #17878 from Homebrew/ww/mirrored-bottle-attestations

William Woodruff 2024-07-26 14:48:54 -04:00 committed by GitHub
commit 0b2a74dcd9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -188,7 +188,7 @@ module Homebrew
end end
end end
raise InvalidAttestationError, "no attestation matches subject" if attestation.blank? raise InvalidAttestationError, "no attestation matches subject: #{subject}" if attestation.blank?
attestation attestation
end end
@ -227,7 +227,17 @@ module Homebrew
# This was originally unintentional, but has a virtuous side effect of further # This was originally unintentional, but has a virtuous side effect of further
# limiting domain separation on the backfilled signatures (by committing them to # limiting domain separation on the backfilled signatures (by committing them to
# their original bottle URLs). # their original bottle URLs).
url_sha256 = Digest::SHA256.hexdigest(bottle.url) url_sha256 = if EnvConfig.bottle_domain == HOMEBREW_BOTTLE_DEFAULT_DOMAIN
Digest::SHA256.hexdigest(bottle.url)
else
# If our bottle is coming from a mirror, we need to recompute the expected
# non-mirror URL to make the hash match.
path, = Utils::Bottles.path_resolved_basename HOMEBREW_BOTTLE_DEFAULT_DOMAIN, bottle.name,
bottle.resource.checksum, bottle.filename
url = "#{HOMEBREW_BOTTLE_DEFAULT_DOMAIN}/#{path}"
Digest::SHA256.hexdigest(url)
end
subject = "#{url_sha256}--#{bottle.filename}" subject = "#{url_sha256}--#{bottle.filename}"
# We don't pass in a signing workflow for backfill signatures because # We don't pass in a signing workflow for backfill signatures because