Module: Utils::Attestation Private

Extended by:
Output::Mixin
Defined in:
utils/attestation.rb

This module is part of a private API. This module may only be used in the Homebrew/brew repository. Third parties should avoid using this module if possible, as it may be removed or changed without warning.

Class Method Summary

Methods included from Output::Mixin

odebug, odeprecated, odie, odisabled, ofail, oh1, oh1_title, ohai, ohai_title, onoe, opoo, opoo_outside_github_actions, pretty_duration, pretty_installed, pretty_outdated, pretty_uninstalled

Class Method Details

.check_attestation(bottle, quiet: false) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

  • bottle (Bottle)
  • quiet (Boolean) (defaults to: false)


# File 'utils/attestation.rb', line 13

def self.check_attestation(bottle, quiet: false)
  ohai "Verifying attestation for #{bottle.name}" unless quiet
  begin
    Homebrew::Attestation.check_core_attestation bottle
  rescue Homebrew::Attestation::GhIncompatible
    # A small but significant number of users have developer mode enabled
    # but *also* haven't upgraded in a long time, meaning that their `gh`
    # version is too old to perform attestations.
    raise CannotInstallFormulaError, <<~EOS
      The bottle for #{bottle.name} could not be verified.

      This typically indicates an outdated or incompatible `gh` CLI.

      Please confirm that you're running the latest version of `gh`
      by performing an upgrade before retrying:

        brew update
        brew upgrade gh
    EOS
  rescue Homebrew::Attestation::GhAuthInvalid
    # Only raise an error if we explicitly opted-in to verification.
    raise CannotInstallFormulaError, <<~EOS if Homebrew::EnvConfig.verify_attestations?
      The bottle for #{bottle.name} could not be verified.

      This typically indicates an invalid GitHub API token.

      If you have `$HOMEBREW_GITHUB_API_TOKEN` set, check it is correct
      or unset it and instead run:

        gh auth login
    EOS

    # If we didn't explicitly opt-in, then quietly opt-out in the case of invalid credentials.
    # Based on user reports, a significant number of users are running with stale tokens.
    ENV["HOMEBREW_NO_VERIFY_ATTESTATIONS"] = "1"
  rescue Homebrew::Attestation::GhAuthNeeded
    raise CannotInstallFormulaError, <<~EOS
      The bottle for #{bottle.name} could not be verified.

      This typically indicates a missing GitHub API token, which you
      can resolve either by setting `$HOMEBREW_GITHUB_API_TOKEN` or
      by running:

        gh auth login
    EOS
  rescue Homebrew::Attestation::MissingAttestationError, Homebrew::Attestation::InvalidAttestationError => e
    raise CannotInstallFormulaError, <<~EOS
      The bottle for #{bottle.name} has an invalid build provenance attestation.

      This may indicate that the bottle was not produced by the expected
      tap, or was maliciously inserted into the expected tap's bottle
      storage.

      Additional context:

      #{e}
    EOS
  end
end