Mike McQuaid
c13700af00
Use repository consistently instead of repo
...
The documentation linting job doesn't like `repo` so let's fix this
globally rather than naming it differently in documentation and code.
2024-06-10 09:31:53 +01:00
William Woodruff
e0179350fe
attestation: rename loop var to please sorbet
...
Signed-off-by: William Woodruff <william@yossarian.net>
2024-06-06 11:41:21 -04:00
William Woodruff
8d0e6eafc3
attestation: handle :all bottles
...
Signed-off-by: William Woodruff <william@yossarian.net>
2024-06-06 11:23:03 -04:00
William Woodruff
3319e9956d
attestation: drop workflow check on core attestation
...
Signed-off-by: William Woodruff <william@yossarian.net>
2024-05-18 10:04:53 -04:00
William Woodruff
f78a8882d9
attestation: redact secret in environment
...
Signed-off-by: William Woodruff <william@yossarian.net>
2024-05-14 14:32:23 -04:00
Mike McQuaid
3d31594e39
Merge pull request #17220 from woodruffw-forks/ww/refine-gh-auth
...
attestations: improve authentication techniques
2024-05-06 08:38:07 +01:00
William Woodruff
18a8b12f7a
attestations: improve authentication techniques
...
Signed-off-by: William Woodruff <william@yossarian.net>
2024-05-03 12:37:01 -04:00
Markus Reiter
caf87c0336
Warn about undocumented non-private APIs.
2024-05-01 11:35:20 +02:00
Joseph Sweeney
3ccc6b2521
fixup comment
2024-04-30 10:52:36 -04:00
Joseph Sweeney
9fff688bbe
Make comment more explicit
2024-04-30 10:51:11 -04:00
Joseph Sweeney
883c1e9907
Update attestation tests
2024-04-30 10:16:57 -04:00
Joseph Sweeney
0f5d19220c
Add comment explaining lack of signing workflow
2024-04-30 10:10:43 -04:00
Joseph Sweeney
65a90582b4
Remove a flag for backfill attestation checks
...
Some backfilled bottle signatures were signed from a branch, and others
from main, so the signing workflow is slightly different which causes
some bottles to incorrectly fail when checking their attestation (apr
for example). The simplest way to solve this is just removing the
backfill repo `cert-identity` check and just rely on the repository and
attestation date falling before our cutoff. This shouldn't meaningfully
affect security because if somehow someone could generate false backfill
attestations from a different workflow (the only case this protects
against), we will still catch it because the attestation would have been
generated after our cutoff date.
2024-04-30 09:52:04 -04:00
William Woodruff
faa00c8c79
handle backfilled attestation subjects correctly
...
Signed-off-by: William Woodruff <william@yossarian.net>
2024-04-11 16:44:57 -04:00
William Woodruff
e2b5d93198
more attestation coverage
...
Signed-off-by: William Woodruff <william@yossarian.net>
2024-04-11 13:39:13 -04:00
William Woodruff
990b7d77d6
attestation: fix a missing arg, add initial specs
...
Signed-off-by: William Woodruff <william@yossarian.net>
2024-04-10 17:57:01 -04:00
William Woodruff
6e10001d49
attestation: strict typechecking
...
Signed-off-by: William Woodruff <william@yossarian.net>
2024-04-09 11:03:41 -04:00
William Woodruff
2efef36313
move InvalidAttestationError into Attestation mod
...
Signed-off-by: William Woodruff <william@yossarian.net>
2024-04-09 10:52:48 -04:00
William Woodruff
5ec3dab141
attestation: document BACKFILL_CUTOFF better
...
Signed-off-by: William Woodruff <william@yossarian.net>
2024-04-09 10:50:49 -04:00
William Woodruff
a3a5f78de3
attestation: document gh_executable bootstrap cycle
...
Signed-off-by: William Woodruff <william@yossarian.net>
2024-04-09 10:48:17 -04:00
William Woodruff
e52c253832
attestation: simplify gh bootstrapping
...
Signed-off-by: William Woodruff <william@yossarian.net>
2024-04-09 10:45:44 -04:00
William Woodruff
ca6db49859
Apply suggestions from code review
...
Co-authored-by: Mike McQuaid <mike@mikemcquaid.com>
2024-04-09 10:18:08 -04:00
William Woodruff
1881a1f4bc
attestation: more docs
...
Signed-off-by: William Woodruff <william@yossarian.net>
2024-04-08 16:22:57 -04:00
William Woodruff
578c2bc9da
rubocop fixes
...
Signed-off-by: William Woodruff <william@yossarian.net>
2024-04-08 16:21:31 -04:00
William Woodruff
48e39bb51d
attestation: add initial attestation helpers
...
Adds the basic attestation verification APIs, as well
as a pre-pour check against `HOMEBREW_VERIFY_ATTESTATIONS`
that verifies the attestation (or backfill as necessary)
for bottles from homebrew-core.
Signed-off-by: William Woodruff <william@yossarian.net>
2024-04-08 16:18:15 -04:00