admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity

Ensure early installation of gh for attestations

Browse Source
This commit is contained in:
Nanda H Krishna 2024-07-15 11:39:22 -04:00
parent 94592054a8
commit 3bb91601fb
No known key found for this signature in database
GPG Key ID: 067E5FCD58ADF3AA
2 changed files with 32 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
Library/Homebrew/attestation.rb
View File

@ -57,6 +57,16 @@ module Homebrew
Homebrew::EnvConfig.developer? || Homebrew::EnvConfig.devcmdrun? Homebrew::EnvConfig.developer? || Homebrew::EnvConfig.devcmdrun?
end end
# Ensures the availability of a suitable `gh` executable for attestation verification.
#
# @api private
sig { returns(Pathname) }
def self.ensure_gh_installed!
return @gh_executable if @gh_executable.present?
gh_executable
end
# Returns a path to a suitable `gh` executable for attestation verification. # Returns a path to a suitable `gh` executable for attestation verification.
# #
# @api private # @api private
@ -65,9 +75,20 @@ module Homebrew
# NOTE: We set HOMEBREW_NO_VERIFY_ATTESTATIONS when installing `gh` itself, # NOTE: We set HOMEBREW_NO_VERIFY_ATTESTATIONS when installing `gh` itself,
# to prevent a cycle during bootstrapping. This can eventually be resolved # to prevent a cycle during bootstrapping. This can eventually be resolved
# by vendoring a pure-Ruby Sigstore verifier client. # by vendoring a pure-Ruby Sigstore verifier client.
@gh_executable ||= T.let(with_env(HOMEBREW_NO_VERIFY_ATTESTATIONS: "1") do return @gh_executable if @gh_executable.present?
ensure_executable!("gh")
end, T.nilable(Pathname)) with_env(HOMEBREW_NO_VERIFY_ATTESTATIONS: "1") do
@gh_executable = ensure_executable!("gh")
gh_version = Version.new(system_command!(@gh_executable, args: ["--version"], print_stderr: false)
.stdout.match(/\d+(?:\.\d+)+/i).to_s)
if gh_version < GH_ATTESTATION_MIN_VERSION
@gh_executable = ensure_formula_installed!("gh", latest: true,
reason: "verifying attestations").opt_bin/"gh"
end
end
@gh_executable
end end
# Verifies the given bottle against a cryptographic attestation of build provenance. # Verifies the given bottle against a cryptographic attestation of build provenance.

8
Library/Homebrew/cmd/install.rb
View File

@ -263,6 +263,14 @@ module Homebrew
end end
end end
if Homebrew::Attestation.enabled?
if formulae.include?(Formula["gh"])
formulae.unshift(formulae.delete(Formula["gh"]))
else
Homebrew::Attestation.ensure_gh_installed!
end
end
# if the user's flags will prevent bottle only-installations when no # if the user's flags will prevent bottle only-installations when no
# developer tools are available, we need to stop them early on # developer tools are available, we need to stop them early on
build_flags = [] build_flags = []