From 65a90582b4d0202c753268aeaaa7752615b41bfa Mon Sep 17 00:00:00 2001 From: Joseph Sweeney Date: Tue, 30 Apr 2024 09:52:04 -0400 Subject: [PATCH] Remove a flag for backfill attestation checks Some backfilled bottle signatures were signed from a branch, and others from main, so the signing workflow is slightly different which causes some bottles to incorrectly fail when checking their attestation (apr for example). The simplest way to solve this is just removing the backfill repo `cert-identity` check and just rely on the repository and attestation date falling before our cutoff. This shouldn't meaningfully affect security because if somehow someone could generate false backfill attestations from a different workflow (the only case this protects against), we will still catch it because the attestation would have been generated after our cutoff date. --- Library/Homebrew/attestation.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Library/Homebrew/attestation.rb b/Library/Homebrew/attestation.rb index 63678dc1db..050c4c5233 100644 --- a/Library/Homebrew/attestation.rb +++ b/Library/Homebrew/attestation.rb @@ -121,7 +121,7 @@ module Homebrew url_sha256 = Digest::SHA256.hexdigest(bottle.url) subject = "#{url_sha256}--#{bottle.filename}" - backfill_attestation = check_attestation bottle, BACKFILL_REPO, BACKFILL_REPO_CI_URI, subject + backfill_attestation = check_attestation bottle, BACKFILL_REPO, nil, subject timestamp = backfill_attestation.dig("verificationResult", "verifiedTimestamps", 0, "timestamp")
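Review bot: The hunk replaces `BACKFILL_REPO_CI_URI` with `nil` in the `check_attestation` call, which makes the cutoff-date comparison the only thing distinguishing a legitimate backfill attestation from one produced by some other workflow in the same repository, so the timestamp handling on the line that follows needs to fail closed: `backfill_attestation.dig("verificationResult", "verifiedTimestamps", 0, "timestamp")` returns `nil` when any key in that path is absent, and a `nil` timestamp must be treated as "after the cutoff" (reject), not silently pass a comparison. It would also help to confirm in the description that `check_attestation` omits the identity check entirely when given `nil` rather than matching an empty identity, that the timestamp taken from `verifiedTimestamps` is the verifier-supplied one rather than a value the signer controls, and whether `BACKFILL_REPO_CI_URI` still has other callers; if this was its only use, remove the constant in the same change or leave a comment explaining why it is retained, so the relaxed check is documented next to the code rather than only in the commit message.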