admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity

attestation: document BACKFILL_CUTOFF better

Browse Source 
Signed-off-by: William Woodruff <william@yossarian.net>
This commit is contained in:
William Woodruff 2024-04-09 10:50:49 -04:00
parent a3a5f78de3
commit 5ec3dab141
No known key found for this signature in database
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Library/Homebrew/attestation.rb
View File

@ -19,6 +19,14 @@ module Homebrew
BACKFILL_REPO_CI_URI = "https://github.com/trailofbits/homebrew-brew-verify/.github/workflows/backfill_signatures.yml@refs/heads/main" BACKFILL_REPO_CI_URI = "https://github.com/trailofbits/homebrew-brew-verify/.github/workflows/backfill_signatures.yml@refs/heads/main"
# No backfill attestations after this date are considered valid. # No backfill attestations after this date are considered valid.
#
# This date is shortly after the backfill operation for homebrew-core
# completed, as can be seen here: <https://github.com/trailofbits/homebrew-brew-verify/attestations>.
#
# In effect, this means that, even if an attacker is able to compromise the backfill
# signing workflow, they will be unable to convince a verifier to accept their newer,
# malicious backfilled signatures.
#
# @api private # @api private
BACKFILL_CUTOFF = DateTime.new(2024, 3, 14).freeze BACKFILL_CUTOFF = DateTime.new(2024, 3, 14).freeze