admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity

Add comment explaining lack of signing workflow

Browse Source
This commit is contained in:
Joseph Sweeney 2024-04-30 10:10:43 -04:00
parent 65a90582b4
commit 0f5d19220c
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Library/Homebrew/attestation.rb
View File

@ -121,6 +121,14 @@ module Homebrew
url_sha256 = Digest::SHA256.hexdigest(bottle.url) url_sha256 = Digest::SHA256.hexdigest(bottle.url)
subject = "#{url_sha256}--#{bottle.filename}" subject = "#{url_sha256}--#{bottle.filename}"
# We don't pass in a signing worfklow for backfill signatures because
# some backfilled bottle signatures were signed from a branch, and others
# from main, so the signing workflow is slightly different which causes
# some bottles to incorrectly fail when checking their attestation.
# This shouldn't meaningfully affect security because if somehow someone
# could generate false backfill attestations from a different workflow
# we will still catch it because the attestation would have been
# generated after our cutoff date.
backfill_attestation = check_attestation bottle, BACKFILL_REPO, nil, subject backfill_attestation = check_attestation bottle, BACKFILL_REPO, nil, subject
timestamp = backfill_attestation.dig("verificationResult", "verifiedTimestamps", timestamp = backfill_attestation.dig("verificationResult", "verifiedTimestamps",
0, "timestamp") 0, "timestamp")