attestation: handle mirrored bottles correctly

Signed-off-by: William Woodruff <william@yossarian.net>
2024-07-26 14:26:45 -04:00 · 2024-07-26 14:26:45 -04:00 · 6e2975d026
commit 6e2975d026
parent e1b4f8c536
1 changed files with 12 additions and 2 deletions
--- a/Library/Homebrew/attestation.rb
+++ b/Library/Homebrew/attestation.rb
@ -188,7 +188,7 @@ module Homebrew
        end
      end

-      raise InvalidAttestationError, "no attestation matches subject" if attestation.blank?
+      raise InvalidAttestationError, "no attestation matches subject: #{subject}" if attestation.blank?

      attestation
    end
@ -227,7 +227,17 @@ module Homebrew
        # This was originally unintentional, but has a virtuous side effect of further
        # limiting domain separation on the backfilled signatures (by committing them to
        # their original bottle URLs).
-        url_sha256 = Digest::SHA256.hexdigest(bottle.url)
+        url_sha256 = if EnvConfig.bottle_domain == HOMEBREW_BOTTLE_DEFAULT_DOMAIN
+          Digest::SHA256.hexdigest(bottle.url)
+        else
+          # If our bottle is coming from a mirror, we need to recompute the expected
+          # non-mirror URL to make the hash match.
+          path, = Utils::Bottles.path_resolved_basename HOMEBREW_BOTTLE_DEFAULT_DOMAIN, bottle.name,
+                                                        bottle.resource.checksum, bottle.filename
+          url = "#{HOMEBREW_BOTTLE_DEFAULT_DOMAIN}/#{path}"
+
+          Digest::SHA256.hexdigest(url)
+        end
        subject = "#{url_sha256}--#{bottle.filename}"

        # We don't pass in a signing workflow for backfill signatures because