Add comment explaining lack of signing workflow

2024-04-30 10:10:43 -04:00 · 2024-04-30 10:10:43 -04:00 · 0f5d19220c
commit 0f5d19220c
parent 65a90582b4
1 changed files with 8 additions and 0 deletions
--- a/Library/Homebrew/attestation.rb
+++ b/Library/Homebrew/attestation.rb
@ -121,6 +121,14 @@ module Homebrew
        url_sha256 = Digest::SHA256.hexdigest(bottle.url)
        subject = "#{url_sha256}--#{bottle.filename}"

+        # We don't pass in a signing worfklow for backfill signatures because
+        # some backfilled bottle signatures were signed from a branch, and others
+        # from main, so the signing workflow is slightly different which causes
+        # some bottles to incorrectly fail when checking their attestation.
+        # This shouldn't meaningfully affect security because if somehow someone
+        # could generate false backfill attestations from a different workflow
+        # we will still catch it because the attestation would have been
+        # generated after our cutoff date.
        backfill_attestation = check_attestation bottle, BACKFILL_REPO, nil, subject
        timestamp = backfill_attestation.dig("verificationResult", "verifiedTimestamps",
                                             0, "timestamp")