Implement verify_download_integrity for bottle manifests.

2024-07-13 16:50:53 -04:00 · 2024-07-13 16:50:53 -04:00 · ae6f43921a
commit ae6f43921a
parent 05f07953fe
2 changed files with 14 additions and 16 deletions
--- a/Library/Homebrew/resource.rb
+++ b/Library/Homebrew/resource.rb
@ -269,6 +269,8 @@ class Resource < Downloadable

  # A resource for a bottle manifest.
  class BottleManifest < Resource
+    class Error < RuntimeError; end
+
    attr_reader :bottle

    def initialize(bottle)
@ -277,22 +279,25 @@ class Resource < Downloadable
    end

    def verify_download_integrity(_filename)
-      # no-op
+      # We don't have a checksum, but we can at least try parsing it.
+      tab
+    rescue Error => e
+      raise DownloadError.new(self, e)
    end

    def tab
      json = begin
        JSON.parse(cached_download.read)
      rescue JSON::ParserError
-        raise "The downloaded GitHub Packages manifest was corrupted or modified (it is not valid JSON): " \
+        raise Error, "The downloaded GitHub Packages manifest was corrupted or modified (it is not valid JSON): " \
                     "\n#{cached_download}"
      end

      manifests = json["manifests"]
-      raise ArgumentError, "Missing 'manifests' section." if manifests.blank?
+      raise Error, "Missing 'manifests' section." if manifests.blank?

      manifests_annotations = manifests.filter_map { |m| m["annotations"] }
-      raise ArgumentError, "Missing 'annotations' section." if manifests_annotations.blank?
+      raise Error, "Missing 'annotations' section." if manifests_annotations.blank?

      bottle_digest = bottle.resource.checksum.hexdigest
      image_ref = GitHubPackages.version_rebuild(bottle.resource.version, bottle.rebuild, bottle.tag.to_s)
@ -301,15 +306,15 @@ class Resource < Downloadable

        m["org.opencontainers.image.ref.name"] == image_ref
      end
-      raise ArgumentError, "Couldn't find manifest matching bottle checksum." if manifest_annotations.blank?
+      raise Error, "Couldn't find manifest matching bottle checksum." if manifest_annotations.blank?

      tab = manifest_annotations["sh.brew.tab"]
-      raise ArgumentError, "Couldn't find tab from manifest." if tab.blank?
+      raise Error, "Couldn't find tab from manifest." if tab.blank?

      begin
        JSON.parse(tab)
      rescue JSON::ParserError
-        raise ArgumentError, "Couldn't parse tab JSON."
+        raise Error, "Couldn't parse tab JSON."
      end
    end
  end
--- a/Library/Homebrew/software_spec.rb
+++ b/Library/Homebrew/software_spec.rb
@ -392,14 +392,7 @@ class Bottle
  def fetch_tab
    return if github_packages_manifest_resource.blank?

-    # a checksum is used later identifying the correct tab but we do not have the checksum for the manifest/tab
-    github_packages_manifest_resource.fetch(verify_download_integrity: false)
-
-    begin
-      github_packages_manifest_resource.tab
-    rescue RuntimeError => e
-      raise DownloadError.new(github_packages_manifest_resource, e)
-    end
+    github_packages_manifest_resource.fetch
  rescue DownloadError
    raise unless fallback_on_error