admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity

attestation: remove gh version detection

Browse Source 
I'm declaring bankruptcy on this entire approach:

1. We can attempt to match on versions, but this will fail
   when the version of `gh` installed is built from `HEAD`
   or similar.
2. We can match on dates instead (since `gh --version` also includes
   the date), but this is even more brittle + implies a support
   contract we don't actually have (we don't actually want
   to say we support random dated builds between public releases
   of `gh`).

This moves us back to a simpler approach: if `gh` is present,
we use it. If `gh` is not present, we attempt to install it
with `ensure_executable!`. If the user's `gh` is present but too old,
it'll fail during attestation verification with a reasonable error,
which IMO is fine for now since this is all still in beta.

Signed-off-by: William Woodruff <william@yossarian.net>
This commit is contained in:
William Woodruff 2024-07-29 12:59:29 -04:00
parent 38e47ea996
commit 5e0e0d56af
No known key found for this signature in database
3 changed files with 8 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
Library/Homebrew/attestation.rb
View File

@ -15,9 +15,6 @@ module Homebrew
# @api private # @api private
HOMEBREW_CORE_REPO = "Homebrew/homebrew-core" HOMEBREW_CORE_REPO = "Homebrew/homebrew-core"
# @api private
GH_ATTESTATION_MIN_VERSION = T.let(Version.new("2.49.0").freeze, Version)
# @api private # @api private
BACKFILL_REPO = "trailofbits/homebrew-brew-verify" BACKFILL_REPO = "trailofbits/homebrew-brew-verify"
@ -74,25 +71,14 @@ module Homebrew
# @api private # @api private
sig { returns(Pathname) } sig { returns(Pathname) }
def self.gh_executable def self.gh_executable
# NOTE: We set HOMEBREW_NO_VERIFY_ATTESTATIONS when installing `gh` itself,
# to prevent a cycle during bootstrapping. This can eventually be resolved
# by vendoring a pure-Ruby Sigstore verifier client.
@gh_executable ||= T.let(nil, T.nilable(Pathname)) @gh_executable ||= T.let(nil, T.nilable(Pathname))
return @gh_executable if @gh_executable.present? return @gh_executable if @gh_executable.present?
# NOTE: We set HOMEBREW_NO_VERIFY_ATTESTATIONS when installing `gh` itself,
# to prevent a cycle during bootstrapping. This can eventually be resolved
# by vendoring a pure-Ruby Sigstore verifier client.
with_env(HOMEBREW_NO_VERIFY_ATTESTATIONS: "1") do with_env(HOMEBREW_NO_VERIFY_ATTESTATIONS: "1") do
@gh_executable = ensure_executable!("gh", reason: "verifying attestations") @gh_executable = ensure_executable!("gh", reason: "verifying attestations", latest: true)
gh_version = Version.new(system_command!(@gh_executable, args: ["--version"], print_stderr: false)
.stdout.match(/\d+(?:\.\d+)+/i).to_s)
if gh_version < GH_ATTESTATION_MIN_VERSION
if Formula["gh"].version < GH_ATTESTATION_MIN_VERSION
raise "#{@gh_executable} is too old, you must upgrade it to >=#{GH_ATTESTATION_MIN_VERSION} to continue"
end
@gh_executable = ensure_formula_installed!("gh", latest: true,
reason: "verifying attestations").opt_bin/"gh"
end
end end
T.must(@gh_executable) T.must(@gh_executable)

2
Library/Homebrew/extend/kernel.rb
View File

@ -425,7 +425,7 @@ module Kernel
end end
# Ensure the given executable is exist otherwise install the brewed version # Ensure the given executable is exist otherwise install the brewed version
def ensure_executable!(name, formula_name = nil, reason: "") def ensure_executable!(name, formula_name = nil, reason: "", latest: false)
formula_name ||= name formula_name ||= name
executable = [ executable = [

23
Library/Homebrew/test/attestation_spec.rb
View File

@ -6,9 +6,6 @@ RSpec.describe Homebrew::Attestation do
let(:fake_gh) { Pathname.new("/extremely/fake/gh") } let(:fake_gh) { Pathname.new("/extremely/fake/gh") }
let(:fake_old_gh) { Pathname.new("/extremely/fake/old/gh") } let(:fake_old_gh) { Pathname.new("/extremely/fake/old/gh") }
let(:fake_gh_creds) { "fake-gh-api-token" } let(:fake_gh_creds) { "fake-gh-api-token" }
let(:fake_gh_formula) { instance_double(Formula, "gh", opt_bin: Pathname.new("/extremely/fake")) }
let(:fake_gh_version) { instance_double(SystemCommand::Result, stdout: "2.49.0") }
let(:fake_old_gh_version) { instance_double(SystemCommand::Result, stdout: "2.48.0") }
let(:fake_error_status) { instance_double(Process::Status, exitstatus: 1, termsig: nil) } let(:fake_error_status) { instance_double(Process::Status, exitstatus: 1, termsig: nil) }
let(:fake_auth_status) { instance_double(Process::Status, exitstatus: 4, termsig: nil) } let(:fake_auth_status) { instance_double(Process::Status, exitstatus: 4, termsig: nil) }
let(:cached_download) { "/fake/cached/download" } let(:cached_download) { "/fake/cached/download" }
@ -69,24 +66,10 @@ RSpec.describe Homebrew::Attestation do
end end
describe "::gh_executable" do describe "::gh_executable" do
before do it "calls ensure_executable" do
allow(Formulary).to receive(:factory)
.with("gh")
.and_return(instance_double(Formula, version: Version.new("2.49.0")))
allow(described_class).to receive(:system_command!)
.with(fake_old_gh, args: ["--version"], print_stderr: false)
.and_return(fake_old_gh_version)
end
it "calls ensure_executable and ensure_formula_installed" do
expect(described_class).to receive(:ensure_executable!) expect(described_class).to receive(:ensure_executable!)
.with("gh", reason: "verifying attestations") .with("gh", reason: "verifying attestations", latest: true)
.and_return(fake_old_gh) .and_return(fake_gh)
expect(described_class).to receive(:ensure_formula_installed!)
.with("gh", latest: true, reason: "verifying attestations")
.and_return(fake_gh_formula)
described_class.gh_executable described_class.gh_executable
end end