Merge pull request #18485 from Homebrew/non-fatal-invalid-attestations

Library/Homebrew/attestation.rb

@@ -179,6 +179,8 @@ module Homebrew
       attestation
     end
 
+    ATTESTATION_MAX_RETRIES = 5
+
     # Verifies the given bottle against a cryptographic attestation of build provenance
     # from homebrew-core's CI, falling back on a "backfill" attestation for older bottles.
     #
@@ -246,6 +248,15 @@ module Homebrew
       end
 
       backfill_attestation
+    rescue InvalidAttestationError
+      @attestation_retry_count ||= T.let(Hash.new(0), T.nilable(T::Hash[Bottle, Integer]))
+      raise if @attestation_retry_count[bottle] >= ATTESTATION_MAX_RETRIES
+
+      sleep_time = 3 ** @attestation_retry_count[bottle]
+      opoo "Failed to verify attestation. Retrying in #{sleep_time}..."
+      sleep sleep_time if ENV["HOMEBREW_TESTS"].blank?
+      @attestation_retry_count[bottle] += 1
+      retry
     end
   end
 end

Library/Homebrew/test/attestation_spec.rb

@@ -259,7 +259,7 @@ RSpec.describe Homebrew::Attestation do
                               described_class::HOMEBREW_CORE_REPO, "--format", "json"],
               env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds],
               print_stderr: false, chdir: HOMEBREW_TEMP)
-        .once
+        .exactly(described_class::ATTESTATION_MAX_RETRIES + 1)
         .and_raise(described_class::MissingAttestationError)
 
       expect(described_class).to receive(:system_command!)
@@ -267,6 +267,7 @@ RSpec.describe Homebrew::Attestation do
                               described_class::BACKFILL_REPO, "--format", "json"],
               env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds],
               print_stderr: false, chdir: HOMEBREW_TEMP)
+        .exactly(described_class::ATTESTATION_MAX_RETRIES + 1)
         .and_return(fake_result_json_resp_too_new)
 
       expect do