Merge pull request #17190 from trail-of-forks/remove-cert-identity

Remove the signing workflow for backfill attestation checks
2024-04-30 16:13:41 +01:00 · 2024-04-30 16:13:41 +01:00 · fe4392dad5
commit fe4392dad5
parent d8693edc1b 3ccc6b2521
2 changed files with 11 additions and 7 deletions
--- a/Library/Homebrew/attestation.rb
+++ b/Library/Homebrew/attestation.rb
@ -15,8 +15,6 @@ module Homebrew

    # @api private
    BACKFILL_REPO = "trailofbits/homebrew-brew-verify"
-    # @api private
-    BACKFILL_REPO_CI_URI = "https://github.com/trailofbits/homebrew-brew-verify/.github/workflows/backfill_signatures.yml@refs/heads/main"

    # No backfill attestations after this date are considered valid.
    #
@ -121,7 +119,15 @@ module Homebrew
        url_sha256 = Digest::SHA256.hexdigest(bottle.url)
        subject = "#{url_sha256}--#{bottle.filename}"

-        backfill_attestation = check_attestation bottle, BACKFILL_REPO, BACKFILL_REPO_CI_URI, subject
+        # We don't pass in a signing workflow for backfill signatures because
+        # some backfilled bottle signatures were signed from the 'backfill'
+        # branch, and others from 'main' of trailofbits/homebrew-brew-verify
+        # so the signing workflow is slightly different which causes some bottles to incorrectly
+        # fail when checking their attestation. This shouldn't meaningfully affect security
+        # because if somehow someone could generate false backfill attestations
+        # from a different workflow we will still catch it because the
+        # attestation would have been generated after our cutoff date.
+        backfill_attestation = check_attestation bottle, BACKFILL_REPO, nil, subject
        timestamp = backfill_attestation.dig("verificationResult", "verifiedTimestamps",
                                             0, "timestamp")

--- a/Library/Homebrew/test/attestation_spec.rb
+++ b/Library/Homebrew/test/attestation_spec.rb
@ -124,8 +124,7 @@ RSpec.describe Homebrew::Attestation do

      expect(Utils).to receive(:safe_popen_read)
        .with(fake_gh, "attestation", "verify", cached_download, "--repo",
-              described_class::BACKFILL_REPO, "--format", "json", "--cert-identity",
-              described_class::BACKFILL_REPO_CI_URI)
+              described_class::BACKFILL_REPO, "--format", "json")
        .and_return(fake_json_resp_backfill)

      described_class.check_core_attestation fake_bottle
@ -141,8 +140,7 @@ RSpec.describe Homebrew::Attestation do

      expect(Utils).to receive(:safe_popen_read)
        .with(fake_gh, "attestation", "verify", cached_download, "--repo",
-              described_class::BACKFILL_REPO, "--format", "json", "--cert-identity",
-              described_class::BACKFILL_REPO_CI_URI)
+              described_class::BACKFILL_REPO, "--format", "json")
        .and_return(fake_json_resp_too_new)

      expect do