Remove a flag for backfill attestation checks

Some backfilled bottle signatures were signed from a branch, and others
from main, so the signing workflow is slightly different which causes
some bottles to incorrectly fail when checking their attestation (apr
for example). The simplest way to solve this is just removing the
backfill repo `cert-identity` check and just rely on the repository and
attestation date falling before our cutoff. This shouldn't meaningfully
affect security because if somehow someone could generate false backfill
attestations from a different workflow (the only case this protects
against), we will still catch it because the attestation would have been
generated after our cutoff date.
Joseph Sweeney 2024-04-30 09:52:04 -04:00
parent 60657d382b
commit 65a90582b4


@ -121,7 +121,7 @@ module Homebrew
url_sha256 = Digest::SHA256.hexdigest(bottle.url) url_sha256 = Digest::SHA256.hexdigest(bottle.url)
subject = "#{url_sha256}--#{bottle.filename}" subject = "#{url_sha256}--#{bottle.filename}"
backfill_attestation = check_attestation bottle, BACKFILL_REPO, BACKFILL_REPO_CI_URI, subject backfill_attestation = check_attestation bottle, BACKFILL_REPO, nil, subject
timestamp = backfill_attestation.dig("verificationResult", "verifiedTimestamps", timestamp = backfill_attestation.dig("verificationResult", "verifiedTimestamps",
0, "timestamp") 0, "timestamp")
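Review bot: with `nil` now passed as the cert-identity argument to `check_attestation`, the cutoff comparison on the timestamp dug out of `verificationResult.verifiedTimestamps[0].timestamp` becomes the only remaining control for backfill attestations, so this call site deserves a short comment saying so (the reasoning currently lives only in the commit message), and the code that consumes `timestamp` should fail closed when `dig` returns `nil` rather than comparing a missing value against the cutoff. Please also confirm that `check_attestation` treats a `nil` cert-identity as "skip the identity check" instead of forwarding `nil` to the verifier, and drop `BACKFILL_REPO_CI_URI` if this was its last reference.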