Merge pull request #17190 from trail-of-forks/remove-cert-identity

Remove the signing workflow for backfill attestation checks
This commit is contained in:
Mike McQuaid 2024-04-30 16:13:41 +01:00 committed by GitHub
commit fe4392dad5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 11 additions and 7 deletions


@ -15,8 +15,6 @@ module Homebrew
# @api private # @api private
BACKFILL_REPO = "trailofbits/homebrew-brew-verify" BACKFILL_REPO = "trailofbits/homebrew-brew-verify"
# @api private
BACKFILL_REPO_CI_URI = "https://github.com/trailofbits/homebrew-brew-verify/.github/workflows/backfill_signatures.yml@refs/heads/main"
# No backfill attestations after this date are considered valid. # No backfill attestations after this date are considered valid.
# #
@ -121,7 +119,15 @@ module Homebrew
url_sha256 = Digest::SHA256.hexdigest(bottle.url) url_sha256 = Digest::SHA256.hexdigest(bottle.url)
subject = "#{url_sha256}--#{bottle.filename}" subject = "#{url_sha256}--#{bottle.filename}"
backfill_attestation = check_attestation bottle, BACKFILL_REPO, BACKFILL_REPO_CI_URI, subject # We don't pass in a signing workflow for backfill signatures because
# some backfilled bottle signatures were signed from the 'backfill'
# branch, and others from 'main' of trailofbits/homebrew-brew-verify
# so the signing workflow is slightly different which causes some bottles to incorrectly
# fail when checking their attestation. This shouldn't meaningfully affect security
# because if somehow someone could generate false backfill attestations
# from a different workflow we will still catch it because the
# attestation would have been generated after our cutoff date.
backfill_attestation = check_attestation bottle, BACKFILL_REPO, nil, subject
timestamp = backfill_attestation.dig("verificationResult", "verifiedTimestamps", timestamp = backfill_attestation.dig("verificationResult", "verifiedTimestamps",
0, "timestamp") 0, "timestamp")
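Review bot: Passing `nil` as the signing workflow in `backfill_attestation = check_attestation bottle, BACKFILL_REPO, nil, subject` widens the backfill check from one pinned workflow identity to any workflow that signs under `BACKFILL_REPO`, and the comment above it justifies this by the cutoff date alone, so the comment should name both controls that still bound the trust: `--repo` pins the signer's repository (the spec in this commit asserts `gh attestation verify` is still invoked with `"--repo", described_class::BACKFILL_REPO`), and the timestamp extracted just below is presumably compared against the cutoff, which is what makes a later forged attestation detectable. A narrower alternative to dropping the identity entirely would be to accept exactly the two known signer identities (the `backfill` and `main` refs of `backfill_signatures.yml`), for example via `--cert-identity-regex`, if `check_attestation` can be extended to emit it; that keeps the workflow path pinned while tolerating the branch difference. `check_attestation` and the enclosing method both lie outside the hunk, so whether a regex or list form is feasible is not visible here. The comment would also read better wrapped at a consistent width, e.g. `# so the signing workflow differs and some bottles incorrectly fail` / `# their attestation check.`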


@ -124,8 +124,7 @@ RSpec.describe Homebrew::Attestation do
expect(Utils).to receive(:safe_popen_read) expect(Utils).to receive(:safe_popen_read)
.with(fake_gh, "attestation", "verify", cached_download, "--repo", .with(fake_gh, "attestation", "verify", cached_download, "--repo",
described_class::BACKFILL_REPO, "--format", "json", "--cert-identity", described_class::BACKFILL_REPO, "--format", "json")
described_class::BACKFILL_REPO_CI_URI)
.and_return(fake_json_resp_backfill) .and_return(fake_json_resp_backfill)
described_class.check_core_attestation fake_bottle described_class.check_core_attestation fake_bottle
@ -141,8 +140,7 @@ RSpec.describe Homebrew::Attestation do
expect(Utils).to receive(:safe_popen_read) expect(Utils).to receive(:safe_popen_read)
.with(fake_gh, "attestation", "verify", cached_download, "--repo", .with(fake_gh, "attestation", "verify", cached_download, "--repo",
described_class::BACKFILL_REPO, "--format", "json", "--cert-identity", described_class::BACKFILL_REPO, "--format", "json")
described_class::BACKFILL_REPO_CI_URI)
.and_return(fake_json_resp_too_new) .and_return(fake_json_resp_too_new)
expect do expect do