diff --git a/Library/Homebrew/attestation.rb b/Library/Homebrew/attestation.rb index 2e53cabca7..aa8d8f5422 100644 --- a/Library/Homebrew/attestation.rb +++ b/Library/Homebrew/attestation.rb @@ -103,8 +103,22 @@ module Homebrew # for all attestations that match the input's digest. We want to additionally # filter these down to just the attestation whose subject matches the bottle's name. subject = bottle.filename.to_s if subject.blank? - attestation = attestations.find do |a| - a.dig("verificationResult", "statement", "subject", 0, "name") == subject + + attestation = if bottle.tag.to_sym == :all + # :all-tagged bottles are created by `brew bottle --merge`, and are not directly + # bound to their own filename (since they're created by deduplicating other filenames). + # To verify these, we parse each attestation subject and look for one with a matching + # formula (name, version), but not an exact tag match. + # This is sound insofar as the signature has already been verified. However, + # longer term, we should also directly attest to `:all`-tagged bottles. + attestations.find do |a| + actual_subject = a.dig("verificationResult", "statement", "subject", 0, "name") + actual_subject.start_with? "#{bottle.filename.name}--#{bottle.filename.version}" + end + else + attestations.find do |a| + a.dig("verificationResult", "statement", "subject", 0, "name") == subject + end end raise InvalidAttestationError, "no attestation matches subject" if attestation.blank? diff --git a/Library/Homebrew/test/attestation_spec.rb b/Library/Homebrew/test/attestation_spec.rb index a6a37bfb61..097861eff5 100644 --- a/Library/Homebrew/test/attestation_spec.rb +++ b/Library/Homebrew/test/attestation_spec.rb @@ -8,10 +8,20 @@ RSpec.describe Homebrew::Attestation do let(:fake_error_status) { instance_double(Process::Status, exitstatus: 1, termsig: nil) } let(:fake_auth_status) { instance_double(Process::Status, exitstatus: 4, termsig: nil) } let(:cached_download) { "/fake/cached/download" } - let(:fake_bottle_filename) { instance_double(Bottle::Filename, to_s: "fakebottle--1.0.faketag.bottle.tar.gz") } + let(:fake_bottle_filename) do + instance_double(Bottle::Filename, name: "fakebottle", version: "1.0", + to_s: "fakebottle--1.0.faketag.bottle.tar.gz") + end let(:fake_bottle_url) { "https://example.com/#{fake_bottle_filename}" } + let(:fake_bottle_tag) { instance_double(Utils::Bottles::Tag, to_sym: :faketag) } + let(:fake_all_bottle_tag) { instance_double(Utils::Bottles::Tag, to_sym: :all) } let(:fake_bottle) do - instance_double(Bottle, cached_download:, filename: fake_bottle_filename, url: fake_bottle_url) + instance_double(Bottle, cached_download:, filename: fake_bottle_filename, url: fake_bottle_url, + tag: fake_bottle_tag) + end + let(:fake_all_bottle) do + instance_double(Bottle, cached_download:, filename: fake_bottle_filename, url: fake_bottle_url, + tag: fake_all_bottle_tag) end let(:fake_result_invalid_json) { instance_double(SystemCommand::Result, stdout: "\"invalid JSON") } let(:fake_result_json_resp) do @@ -143,6 +153,19 @@ RSpec.describe Homebrew::Attestation do described_class::HOMEBREW_CORE_REPO end.to raise_error(described_class::InvalidAttestationError) end + + it "checks subject prefix when the bottle is an :all bottle" do + expect(GitHub::API).to receive(:credentials) + .and_return(fake_gh_creds) + + expect(described_class).to receive(:system_command!) + .with(fake_gh, args: ["attestation", "verify", cached_download, "--repo", + described_class::HOMEBREW_CORE_REPO, "--format", "json"], + env: { "GH_TOKEN" => fake_gh_creds }, secrets: [fake_gh_creds]) + .and_return(fake_result_json_resp) + + described_class.check_attestation fake_all_bottle, described_class::HOMEBREW_CORE_REPO + end end describe "::check_core_attestation" do