admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity
46,483 Commits 15 Branches 471 Tags
Commit Graph

63 Commits

Author SHA1 Message Date
Joseph Sweeney
65a90582b4 Remove a flag for backfill attestation checks 
Some backfilled bottle signatures were signed from a branch, and others
from main, so the signing workflow is slightly different which causes
some bottles to incorrectly fail when checking their attestation (apr
for example). The simplest way to solve this is just removing the
backfill repo `cert-identity` check and just rely on the repository and
attestation date falling before our cutoff. This shouldn't meaningfully
affect security because if somehow someone could generate false backfill
attestations from a different workflow (the only case this protects
against), we will still catch it because the attestation would have been
generated after our cutoff date.
 2024-04-30 09:52:04 -04:00
William Woodruff
faa00c8c79
handle backfilled attestation subjects correctly 
Signed-off-by: William Woodruff <william@yossarian.net>
 2024-04-11 16:44:57 -04:00
William Woodruff
e2b5d93198
more attestation coverage 
Signed-off-by: William Woodruff <william@yossarian.net>
 2024-04-11 13:39:13 -04:00
William Woodruff
990b7d77d6
attestation: fix a missing arg, add initial specs 
Signed-off-by: William Woodruff <william@yossarian.net>
 2024-04-10 17:57:01 -04:00
William Woodruff
6e10001d49
attestation: strict typechecking 
Signed-off-by: William Woodruff <william@yossarian.net>
 2024-04-09 11:03:41 -04:00
William Woodruff
2efef36313
move InvalidAttestationError into Attestation mod 
Signed-off-by: William Woodruff <william@yossarian.net>
 2024-04-09 10:52:48 -04:00
William Woodruff
5ec3dab141
attestation: document BACKFILL_CUTOFF better 
Signed-off-by: William Woodruff <william@yossarian.net>
 2024-04-09 10:50:49 -04:00
William Woodruff
a3a5f78de3
attestation: document gh_executable bootstrap cycle 
Signed-off-by: William Woodruff <william@yossarian.net>
 2024-04-09 10:48:17 -04:00
William Woodruff
e52c253832
attestation: simplify gh bootstrapping 
Signed-off-by: William Woodruff <william@yossarian.net>
 2024-04-09 10:45:44 -04:00
William Woodruff
ca6db49859
Apply suggestions from code review 
Co-authored-by: Mike McQuaid <mike@mikemcquaid.com>
 2024-04-09 10:18:08 -04:00
William Woodruff
1881a1f4bc
attestation: more docs 
Signed-off-by: William Woodruff <william@yossarian.net>
 2024-04-08 16:22:57 -04:00
William Woodruff
578c2bc9da
rubocop fixes 
Signed-off-by: William Woodruff <william@yossarian.net>
 2024-04-08 16:21:31 -04:00
William Woodruff
48e39bb51d
attestation: add initial attestation helpers 
Adds the basic attestation verification APIs, as well
as a pre-pour check against `HOMEBREW_VERIFY_ATTESTATIONS`
that verifies the attestation (or backfill as necessary)
for bottles from homebrew-core.

Signed-off-by: William Woodruff <william@yossarian.net>
 2024-04-08 16:18:15 -04:00