From 0f5d19220ca3a453c0ad2f3c8ad947a4ea8c062f Mon Sep 17 00:00:00 2001
From: Joseph Sweeney
Date: Tue, 30 Apr 2024 10:10:43 -0400
Subject: [PATCH] Add comment explaining lack of signing workflow
---
 Library/Homebrew/attestation.rb | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/Library/Homebrew/attestation.rb b/Library/Homebrew/attestation.rb
index 050c4c5233..fbf55495af 100644
--- a/Library/Homebrew/attestation.rb
+++ b/Library/Homebrew/attestation.rb
@@ -121,6 +121,14 @@ module Homebrew
 url_sha256 = Digest::SHA256.hexdigest(bottle.url)
 subject = "#{url_sha256}--#{bottle.filename}"
+ # We don't pass in a signing worfklow for backfill signatures because
+ # some backfilled bottle signatures were signed from a branch, and others
+ # from main, so the signing workflow is slightly different which causes
+ # some bottles to incorrectly fail when checking their attestation.
+ # This shouldn't meaningfully affect security because if somehow someone
+ # could generate false backfill attestations from a different workflow
+ # we will still catch it because the attestation would have been
+ # generated after our cutoff date.
 backfill_attestation = check_attestation bottle, BACKFILL_REPO, nil, subject
 timestamp = backfill_attestation.dig("verificationResult", "verifiedTimestamps", 0, "timestamp")
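Review bot: The new comment above `check_attestation bottle, BACKFILL_REPO, nil, subject` justifies dropping the workflow check by pointing at the cutoff date, but it does not say which checks still apply with a nil workflow or what the cutoff comparison relies on, which is exactly what a reader auditing the weaker check needs; the comparison itself is outside this hunk, as is the rest of the enclosing method. I'd add two lines after "generated after our cutoff date.": `# The repo identity (BACKFILL_REPO) and the subject digest are still verified; the cutoff check below must keep using the timestamp taken from verificationResult.verifiedTimestamps, since that is the verified value, not anything read from the unverified bundle.` There is also a typo, `worfklow` should be `workflow`. It may be worth noting that the nil workflow is meant for backfill attestations only, so a future caller does not copy it for the regular path; hedge that as intent if the maintainers prefer.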