diff --git a/Library/Homebrew/attestation.rb b/Library/Homebrew/attestation.rb
index 853643465f..4e2510ab77 100644
--- a/Library/Homebrew/attestation.rb
+++ b/Library/Homebrew/attestation.rb
@@ -179,6 +179,8 @@ module Homebrew
 attestation
 end
+ ATTESTATION_MAX_RETRIES = 5
+
 # Verifies the given bottle against a cryptographic attestation of build provenance
 # from homebrew-core's CI, falling back on a "backfill" attestation for older bottles.
 #
@@ -246,6 +248,15 @@ module Homebrew
 end
 backfill_attestation
+ rescue InvalidAttestationError
+ @attestation_retry_count ||= T.let(Hash.new(0), T.nilable(T::Hash[Bottle, Integer]))
+ raise if @attestation_retry_count[bottle] >= ATTESTATION_MAX_RETRIES
+
+ sleep_time = 3 ** @attestation_retry_count[bottle]
+ opoo "Failed to verify attestation. Retrying in #{sleep_time}..."
+ sleep sleep_time if ENV["HOMEBREW_TESTS"].blank?
+ @attestation_retry_count[bottle] += 1
+ retry
 end
 end
 end
diff --git a/Library/Homebrew/test/attestation_spec.rb b/Library/Homebrew/test/attestation_spec.rb
index 7a7f32662a..48d8557717 100644
--- a/Library/Homebrew/test/attestation_spec.rb
+++ b/Library/Homebrew/test/attestation_spec.rb
@@ -259,7 +259,7 @@ RSpec.describe Homebrew::Attestation do
 described_class::HOMEBREW_CORE_REPO, "--format", "json"], env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds], print_stderr: false, chdir: HOMEBREW_TEMP)
- .once
+ .exactly(described_class::ATTESTATION_MAX_RETRIES + 1)
 .and_raise(described_class::MissingAttestationError)
 expect(described_class).to receive(:system_command!)
@@ -267,6 +267,7 @@ RSpec.describe Homebrew::Attestation do
 described_class::BACKFILL_REPO, "--format", "json"], env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds], print_stderr: false, chdir: HOMEBREW_TEMP)
+ .exactly(described_class::ATTESTATION_MAX_RETRIES + 1)
 .and_return(fake_result_json_resp_too_new)
 expect do
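Review bot: `ATTESTATION_MAX_RETRIES` in `attestation.rb` (hunk at -179) has no comment saying what it bounds or how long the resulting wait can be. With the `3 ** n` backoff in the rescue block of the next hunk, five retries sleep 1, 3, 9, 27 and 81 seconds, 121 seconds in total, before the error is re-raised. A comment such as `# Retries after a failed attestation check; 3**n second backoff, about two minutes worst case.` above the constant would make that cost visible to whoever changes the value.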
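Review bot: The `rescue InvalidAttestationError` added in `attestation.rb` (hunk at -246) retries every verification failure, including deterministic ones: the spec change in this commit expects the `fake_result_json_resp_too_new` case to be attempted `ATTESTATION_MAX_RETRIES + 1` times. The check still fails closed, but a bottle with a genuinely bad attestation is reported only after the full backoff, and the `opoo` text hides the reason in the meantime. Binding the exception and printing it, `rescue InvalidAttestationError => e` with `opoo "Failed to verify attestation: #{e.message}. Retrying in #{sleep_time}s..."`, lets a real provenance failure be told apart from a flaky lookup. `@attestation_retry_count` is never cleared after a success or after the final raise, so a bottle's count persists for the life of the process; deleting the key in both cases would keep each call independent. The method this rescue belongs to starts outside the hunk.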
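Review bot: Only the exhausted-retry path is pinned by the `.exactly(...)` expectations in `attestation_spec.rb` (hunks at -259 and -267): both stubs fail on every call, so nothing exercises the case the retry exists for, a failed check followed by a successful one. An example whose backfill stub returns the too-new response first and a valid one afterwards, `.and_return(fake_result_json_resp_too_new, <valid response fixture>)`, would cover that path. Because the retry count is held in module-level state, it would also be worth asserting that a second example for the same bottle starts from zero; whether the spec's bottle object is rebuilt per example is not visible here. The example's body continues outside both hunks.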