attestation: strict typechecking

Signed-off-by: William Woodruff <william@yossarian.net>
2024-04-09 11:03:41 -04:00 · 2024-04-09 11:03:41 -04:00 · 6e10001d49
commit 6e10001d49
parent 2efef36313
1 changed files with 10 additions and 4 deletions
--- a/Library/Homebrew/attestation.rb
+++ b/Library/Homebrew/attestation.rb
@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true

 require "date"
@ -28,7 +28,7 @@ module Homebrew
    # malicious backfilled signatures.
    #
    # @api private
-    BACKFILL_CUTOFF = DateTime.new(2024, 3, 14).freeze
+    BACKFILL_CUTOFF = T.let(DateTime.new(2024, 3, 14).freeze, DateTime)

    # Raised when attestation verification fails.
    #
@ -38,13 +38,14 @@ module Homebrew
    # Returns a path to a suitable `gh` executable for attestation verification.
    #
    # @api private
+    sig { returns(Pathname) }
    def self.gh_executable
      # NOTE: We disable HOMEBREW_VERIFY_ATTESTATIONS when installing `gh` itself,
      # to prevent a cycle during bootstrapping. This can eventually be resolved
      # by vendoring a pure-Ruby Sigstore verifier client.
-      @gh_executable ||= with_env("HOMEBREW_VERIFY_ATTESTATIONS" => nil) do
+      @gh_executable ||= T.let(with_env("HOMEBREW_VERIFY_ATTESTATIONS" => nil) do
        ensure_executable!("gh")
-      end
+      end, T.nilable(Pathname))
    end

    # Verifies the given bottle against a cryptographic attestation of build provenance.
@ -60,6 +61,10 @@ module Homebrew
    # @raise [InvalidAttestationError] on any verification failures
    #
    # @api private
+    sig {
+      params(bottle: Bottle, signing_repo: String,
+             signing_workflow: T.nilable(String)).returns(T::Hash[T.untyped, T.untyped])
+    }
    def self.check_attestation(bottle, signing_repo, signing_workflow = nil)
      cmd = [gh_executable, "attestation", "verify", bottle.cached_download, "--repo", signing_repo, "--format",
             "json"]
@ -92,6 +97,7 @@ module Homebrew
    # @raise [InvalidAttestationError] on any verification failures
    #
    # @api private
+    sig { params(bottle: Bottle).returns(T::Hash[T.untyped, T.untyped]) }
    def self.check_core_attestation(bottle)
      begin
        attestation = check_attestation bottle, HOMEBREW_CORE_REPO