attestation: drop workflow check on core attestation

Signed-off-by: William Woodruff <[email protected]>
Homebrew · May 18, 2024 · 3319e99 · 3319e99
1 parent b8d844c
commit 3319e99
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 9 deletions.
diff --git a/Library/Homebrew/attestation.rb b/Library/Homebrew/attestation.rb
@@ -13,8 +13,6 @@ module Attestation
 
     # @api private
     HOMEBREW_CORE_REPO = "Homebrew/homebrew-core"
-    # @api private
-    HOMEBREW_CORE_CI_URI = "https://github.com/Homebrew/homebrew-core/.github/workflows/publish-commit-bottles.yml@refs/heads/master"
 
     # @api private
     BACKFILL_REPO = "trailofbits/homebrew-brew-verify"
@@ -127,7 +125,18 @@ def self.check_attestation(bottle, signing_repo, signing_workflow = nil, subject
     sig { params(bottle: Bottle).returns(T::Hash[T.untyped, T.untyped]) }
     def self.check_core_attestation(bottle)
       begin
-        attestation = check_attestation bottle, HOMEBREW_CORE_REPO, HOMEBREW_CORE_CI_URI
+        # Ideally, we would also constrain the signing workflow here, but homebrew-core
+        # currently uses multiple signing workflows to produce bottles
+        # (e.g. `dispatch-build-bottle.yml`, `dispatch-rebottle.yml`, etc.).
+        #
+        # We could check each of these (1) explicitly (slow), (2) by generating a pattern
+        # to pass into `--cert-identity-regex` (requires us to build up a Go-style regex),
+        # or (3) by checking the resulting JSON for the expected signing workflow.
+        #
+        # Long term, we should probably either do (3) *or* switch to a single reusable
+        # workflow, which would then be our sole identity. However, GitHub's
+        # attestations currently do not include reusable workflow state by default.
+        attestation = check_attestation bottle, HOMEBREW_CORE_REPO
         return attestation
       rescue InvalidAttestationError
         odebug "falling back on backfilled attestation for #{bottle}"

diff --git a/Library/Homebrew/test/attestation_spec.rb b/Library/Homebrew/test/attestation_spec.rb
@@ -157,8 +157,7 @@
     it "calls gh with args for homebrew-core" do
       expect(described_class).to receive(:system_command!)
         .with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
-                              described_class::HOMEBREW_CORE_REPO, "--format", "json", "--cert-identity",
-                              described_class::HOMEBREW_CORE_CI_URI],
+                              described_class::HOMEBREW_CORE_REPO, "--format", "json"],
               env: { "GH_TOKEN" => fake_gh_creds }, secrets: [fake_gh_creds])
         .and_return(fake_result_json_resp)
 
@@ -168,8 +167,7 @@
     it "calls gh with args for backfill when homebrew-core fails" do
       expect(described_class).to receive(:system_command!)
         .with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
-                              described_class::HOMEBREW_CORE_REPO, "--format", "json", "--cert-identity",
-                              described_class::HOMEBREW_CORE_CI_URI],
+                              described_class::HOMEBREW_CORE_REPO, "--format", "json"],
               env: { "GH_TOKEN" => fake_gh_creds }, secrets: [fake_gh_creds])
         .once
         .and_raise(described_class::InvalidAttestationError)
@@ -186,8 +184,7 @@
     it "raises when the backfilled attestation is too new" do
       expect(described_class).to receive(:system_command!)
         .with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
-                              described_class::HOMEBREW_CORE_REPO, "--format", "json", "--cert-identity",
-                              described_class::HOMEBREW_CORE_CI_URI],
+                              described_class::HOMEBREW_CORE_REPO, "--format", "json"],
               env: { "GH_TOKEN" => fake_gh_creds }, secrets: [fake_gh_creds])
         .once
         .and_raise(described_class::InvalidAttestationError)