formula_installer: verify attestations at bottle fetch time #18562

Merged (1 commit) on Oct 14, 2024
50 changes: 31 additions & 19 deletions Library/Homebrew/formula_installer.rb
@@ -1306,43 +1306,33 @@

oh1 "Fetching #{Formatter.identifier(formula.full_name)}".strip

if pour_bottle?(output_warning: true)
downloadable_object = downloadable
check_attestation = if pour_bottle?(output_warning: true)
fetch_bottle_tab

!downloadable_object.cached_download.exist?
else
@formula = Homebrew::API::Formula.source_download(formula) if formula.loaded_from_api?

formula.fetch_patches
formula.resources.each(&:fetch)
end
downloadable.fetch

self.class.fetched << formula
end

sig { returns(Downloadable) }
def downloadable
if (bottle_path = formula.local_bottle_path)
Resource::Local.new(bottle_path)
elsif pour_bottle?
T.must(formula.bottle)
else
T.must(formula.resource)
false
end
end
downloadable_object.fetch

sig { void }
def pour
# We skip `gh` to avoid a bootstrapping cycle, in the off-chance a user attempts
# to explicitly `brew install gh` without already having a version for bootstrapping.
# We also skip bottle installs from local bottle paths, as these are done in CI
# as part of the build lifecycle before attestations are produced.
if Homebrew::Attestation.enabled? &&
if check_attestation &&
Homebrew::Attestation.enabled? &&
formula.tap&.core_tap? &&
formula.name != "gh" &&
formula.local_bottle_path.blank?
ohai "Verifying attestation for #{formula.name}"
begin
Homebrew::Attestation.check_core_attestation T.must(formula.bottle)
Homebrew::Attestation.check_core_attestation T.cast(downloadable_object, Bottle)

rescue Homebrew::Attestation::GhIncompatible
# A small but significant number of users have developer mode enabled
# but *also* haven't upgraded in a long time, meaning that their `gh`
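Review bot: the new gate `check_attestation` is `!downloadable_object.cached_download.exist?`, evaluated before `downloadable_object.fetch`, so a bottle that already sits in the download cache is never attestation-checked on this path; file presence in the cache is being used as the record that verification happened. That holds only if every way a bottle can land in the cache goes through this code with `Homebrew::Attestation.enabled?` true, which the same condition shows is not guaranteed (a run with attestation disabled, or the older Homebrew the `GhIncompatible` comment describes, populates the cache without a check and the next install pours that bottle unverified). Consider recording verification explicitly (for example a marker written next to the cached file after `check_core_attestation` succeeds) instead of inferring it from `cached_download.exist?`. Separately, `T.cast(downloadable_object, Bottle)` is only sound because the condition also requires `formula.local_bottle_path.blank?` and `pour_bottle?` was true, so `downloadable` returned `T.must(formula.bottle)` rather than `Resource::Local`; a one-line comment stating that dependency would help since `downloadable` is defined further down. The Codecov annotation also shows the `check_core_attestation` call line is not covered by tests.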
@@ -1399,6 +1389,28 @@
end
end

self.class.fetched << formula
rescue CannotInstallFormulaError
if (cached_download = downloadable_object&.cached_download)&.exist?
cached_download.unlink
end

raise

end

sig { returns(Downloadable) }
def downloadable
if (bottle_path = formula.local_bottle_path)
Resource::Local.new(bottle_path)
elsif pour_bottle?
T.must(formula.bottle)
else
T.must(formula.resource)
end
end

sig { void }
def pour
HOMEBREW_CELLAR.cd do
downloadable.downloader.stage
end
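Review bot: the `rescue CannotInstallFormulaError` that unlinks `cached_download` is what keeps the cache-presence shortcut safe (a bottle whose attestation failed is evicted rather than left behind to be treated as already verified next time), but it covers only that one exception class. Any other exception escaping the attestation block after `downloadable_object.fetch` (the `GhIncompatible` branch is visible; the remaining branches are collapsed here), or an `Interrupt` during the check, leaves the fetched bottle in the cache, and on the next install `check_attestation` is false and the bottle pours without verification. Either widen this rescue so every failure after the fetch evicts the download (rescue `StandardError` and re-raise, and consider `ensure`-style cleanup for interrupts), or stop deriving the skip decision from `cached_download.exist?`. The safe navigation in `downloadable_object&.cached_download` is right, since a method-level rescue can run before `downloadable_object` is assigned if `downloadable` raises. The Codecov annotation flags the `raise` in this path as untested; a spec that fetches a bottle, makes `check_core_attestation` raise `CannotInstallFormulaError`, and asserts the cached file is gone would cover it.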