attestation: improve error message when gh is too old #17727

Merged
merged 2 commits into from
Jul 15, 2024

Conversation

nandahkrishna
Member

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

Currently, when gh is too old to verify attestations, the error message is uninterpretable:

==> Installing frizbee dependency: go
==> Downloading https://ghcr.io/v2/homebrew/core/go/manifests/1.22.5
==> Verifying attestation for go
Error: The bottle for go has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** /opt/homebrew/bin/gh attestation verify /Users/REDACTED/Library/Caches/Homebrew/downloads/3f2258381d80802127c7c7d253acee16b65864703253acd14e6e63e6194b0b62--go--1.22.5.arm64_sonoma.bottle.tar.gz --repo trailofbits/homebrew-brew-verify --format json` exited with 1. Here's the output:
Failed to verify the artifact: failed to fetch attestations for subject: sha256:555bf0e72c91ff434d4ab9e69c001cd998f6ce23fdddcac7013f94343d0defda

This PR aims to improve the messaging, like below:

➜  homebrew git:(attestation-gh-error) ✗ HOMEBREW_NO_INSTALL_FROM_API=1 brew install -sdv frizbee
[TRUNCATED]
==> Installing dependencies for frizbee: go
==> Installing frizbee dependency: go
==> Downloading https://ghcr.io/v2/homebrew/core/go/manifests/1.22.5
==> Verifying attestation for go
Error: `gh` is too old, you must run `brew upgrade gh` to continue.

@nandahkrishna nandahkrishna force-pushed the attestation-gh-error branch 3 times, most recently from 9177b46 to c82ed9e Compare July 14, 2024 17:00
@nandahkrishna nandahkrishna force-pushed the attestation-gh-error branch 2 times, most recently from 0b6c2ac to fc9f69c Compare July 14, 2024 17:24
Member

@MikeMcQuaid MikeMcQuaid left a comment


One note then good to 🚢!

Review comment on Library/Homebrew/attestation.rb (outdated, resolved)
@nandahkrishna
Member Author

I've ignored bootstrapping the latest gh or trying to upgrade it because it's a little too complicated for what it's worth. Now this just raises an error if gh is too old, and asks the user to upgrade it.
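The fail-fast gate the author describes, as an added Ruby example that is not Homebrew's own attestation.rb code: check the installed `gh` version before invoking verification, so an outdated client is reported as "`gh` is too old" rather than as an invalid build provenance attestation (which wrongly suggests a tampered bottle). The minimum version `MIN_GH_VERSION`, the `gh --version` output samples and the `runner` callable that stands in for the real `gh attestation verify` call are all assumptions constructed for this example.

```ruby
# Added example, not Homebrew's attestation.rb. Gate attestation verification on
# the installed `gh` version so an old client yields an actionable error instead
# of being misreported as an invalid build provenance attestation.

# Assumption: placeholder minimum, not the constant Homebrew actually uses.
MIN_GH_VERSION = "2.49.0"

class GhTooOldError < StandardError; end
class InvalidAttestationError < StandardError; end

# Constructed sample of what an old `gh` prints when it cannot fetch attestations;
# without a version gate this is what gets wrapped as a provenance failure.
OLD_GH_FAILURE = "Failed to verify the artifact: failed to fetch attestations for subject: sha256:<digest>"

# Extract the dotted version from `gh --version` output.
# Constructed sample format: "gh version 2.40.1 (2023-12-13)\nhttps://github.com/cli/cli/..."
def parse_gh_version(output)
  match = output.to_s.match(/\Agh version (\d+\.\d+\.\d+)/)
  raise ArgumentError, "could not determine `gh` version from: #{output.to_s.lines.first&.strip.inspect}" unless match

  match[1]
end

# Compare dotted versions component-wise as integers (so 2.49.0 > 2.9.0).
def version_compare(a, b)
  a.split(".").map(&:to_i) <=> b.split(".").map(&:to_i)
end

def gh_too_old?(version, minimum = MIN_GH_VERSION)
  version_compare(version, minimum).negative?
end

# Run verification only after the version gate passes. `runner` is a callable
# taking the bottle path and returning [output, success], so the example runs
# offline; in practice it would execute `gh attestation verify ... --format json`.
def verify_attestation(bottle_path, gh_version_output:, runner:)
  version = parse_gh_version(gh_version_output)
  if gh_too_old?(version)
    raise GhTooOldError, "`gh` #{version} is too old (need >= #{MIN_GH_VERSION}), you must run `brew upgrade gh` to continue."
  end

  output, ok = runner.call(bottle_path)
  raise InvalidAttestationError, "attestation verification failed: #{output}" unless ok

  output
end

if __FILE__ == $PROGRAM_NAME
  # Old client: stopped before any network call, with a clear upgrade hint.
  begin
    verify_attestation("/tmp/example.bottle.tar.gz",
                       gh_version_output: "gh version 2.40.1 (2023-12-13)",
                       runner: ->(_path) { [OLD_GH_FAILURE, false] })
  rescue GhTooOldError => e
    puts "Error: #{e.message}"
  end

  # Recent client: verification result is passed through unchanged.
  puts verify_attestation("/tmp/example.bottle.tar.gz",
                          gh_version_output: "gh version 2.49.0 (2024-05-13)",
                          runner: ->(_path) { ['{"verified":true}', true] })
end
```

The ordering matters: the version check runs before the subprocess, so an environment problem (stale tooling) is never reported in the same words as a supply-chain problem (a bottle whose attestation does not verify), which keeps the latter message meaningful when it does appear.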

@woodruffw woodruffw assigned woodruffw and unassigned woodruffw Jul 14, 2024
@woodruffw woodruffw merged commit 795d032 into master Jul 15, 2024
24 checks passed
@woodruffw woodruffw deleted the attestation-gh-error branch July 15, 2024 00:08
mmrwoods referenced this pull request Aug 1, 2024
Take 2 of #17692 but with:

- provide and document `HOMEBREW_NO_VERIFY_ATTESTATIONS`
- don't try to run unless there's GitHub credentials
- don't try to run unless `gh` is installed
- don't try to run in CI

While we're here:
- split out a `Homebrew::EnvConfig.devcmdrun?` helper method
- add some missing `Homebrew::EnvConfig.github_api_token` presence
  checks