Closed josephsweeney closed 2 weeks ago
Just tagging @woodruffw so he can chime in if need be.
Thanks @josephsweeney!
To summarize: this does not remove the backfill verification check, but instead removes an (incorrect) overly strict scope on which refs
are considered valid signing identities for backfilled signatures. This should not affect the backfill's security at all, since the cutoff date remains unchanged.
Thanks @josephsweeney and others for review!
brew style
with your changes locally?brew typecheck
with your changes locally?brew tests
with your changes locally?Some backfilled bottle signatures were signed from different branches of trailofbits/homebrew-brew-verify, so the signing workflow is slightly different which causes some bottles to incorrectly fail when checking their attestation (
apr
for current example of a broken bottle). The simplest way to solve this is just removing the backfill repocert-identity
check and just rely on the repository and attestation date falling before our cutoff. This shouldn't meaningfully affect security because if somehow someone could generate false backfill attestations from a different workflow (the only case this protects against), we will still catch it because the attestation would have been generated after our cutoff date.