admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity

attestation: handle :all bottles

Browse Source 
Signed-off-by: William Woodruff <william@yossarian.net>
This commit is contained in:
William Woodruff 2024-06-06 11:23:03 -04:00
parent e9d989bdea
commit 8d0e6eafc3
No known key found for this signature in database
2 changed files with 18 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
Library/Homebrew/attestation.rb
View File

@ -103,8 +103,22 @@ module Homebrew
# for all attestations that match the input's digest. We want to additionally
# filter these down to just the attestation whose subject matches the bottle's name.
subject = bottle.filename.to_s if subject.blank?
attestation = attestations.find do |a|
a.dig("verificationResult", "statement", "subject", 0, "name") == subject
attestation = if bottle.tag.to_sym == :all
# :all-tagged bottles are created by `brew bottle --merge`, and are not directly
# bound to their own filename (since they're created by deduplicating other filenames).
# To verify these, we parse each attestation subject and look for one with a matching
# formula (name, version), but not an exact tag match.
# This is sound insofar as the signature has already been verified. However,
# longer term, we should also directly attest to `:all`-tagged bottles.
attestations.find do |a|
subject = a.dig("verificationResult", "statement", "subject", 0, "name")
subject.start_with? "#{bottle.filename.name}--#{bottle.filename.version}"
end
else
attestations.find do |a|
a.dig("verificationResult", "statement", "subject", 0, "name") == subject
end
end
raise InvalidAttestationError, "no attestation matches subject" if attestation.blank?

3
Library/Homebrew/test/attestation_spec.rb
View File

@ -10,8 +10,9 @@ RSpec.describe Homebrew::Attestation do
let(:cached_download) { "/fake/cached/download" }
let(:fake_bottle_filename) { instance_double(Bottle::Filename, to_s: "fakebottle--1.0.faketag.bottle.tar.gz") }
let(:fake_bottle_url) { "https://example.com/#{fake_bottle_filename}" }
let(:fake_bottle_tag) { instance_double(Utils::Bottles::Tag, to_sym: :faketag) }
let(:fake_bottle) do
instance_double(Bottle, cached_download:, filename: fake_bottle_filename, url: fake_bottle_url)
instance_double(Bottle, cached_download:, filename: fake_bottle_filename, url: fake_bottle_url, tag: fake_bottle_tag)
end
let(:fake_result_invalid_json) { instance_double(SystemCommand::Result, stdout: "\"invalid JSON") }
let(:fake_result_json_resp) do