Merge pull request #17438 from Homebrew/ww/fix-all-tag

attestation: handle `:all` bottles

Library/Homebrew/attestation.rb

@@ -103,8 +103,22 @@ def self.check_attestation(bottle, signing_repo, signing_workflow = nil, subject
       # for all attestations that match the input's digest. We want to additionally
       # filter these down to just the attestation whose subject matches the bottle's name.
       subject = bottle.filename.to_s if subject.blank?
-      attestation = attestations.find do |a|
-        a.dig("verificationResult", "statement", "subject", 0, "name") == subject
+
+      attestation = if bottle.tag.to_sym == :all
+        # :all-tagged bottles are created by `brew bottle --merge`, and are not directly
+        # bound to their own filename (since they're created by deduplicating other filenames).
+        # To verify these, we parse each attestation subject and look for one with a matching
+        # formula (name, version), but not an exact tag match.
+        # This is sound insofar as the signature has already been verified. However,
+        # longer term, we should also directly attest to `:all`-tagged bottles.
+        attestations.find do |a|
+          actual_subject = a.dig("verificationResult", "statement", "subject", 0, "name")
+          actual_subject.start_with? "#{bottle.filename.name}--#{bottle.filename.version}"
+        end
+      else
+        attestations.find do |a|
+          a.dig("verificationResult", "statement", "subject", 0, "name") == subject
+        end
       end
 
       raise InvalidAttestationError, "no attestation matches subject" if attestation.blank?

Library/Homebrew/test/attestation_spec.rb

@@ -8,10 +8,20 @@
   let(:fake_error_status) { instance_double(Process::Status, exitstatus: 1, termsig: nil) }
   let(:fake_auth_status) { instance_double(Process::Status, exitstatus: 4, termsig: nil) }
   let(:cached_download) { "/fake/cached/download" }
-  let(:fake_bottle_filename) { instance_double(Bottle::Filename, to_s: "fakebottle--1.0.faketag.bottle.tar.gz") }
+  let(:fake_bottle_filename) do
+    instance_double(Bottle::Filename, name: "fakebottle", version: "1.0",
+   to_s: "fakebottle--1.0.faketag.bottle.tar.gz")
+  end
   let(:fake_bottle_url) { "https://example.com/#{fake_bottle_filename}" }
+  let(:fake_bottle_tag) { instance_double(Utils::Bottles::Tag, to_sym: :faketag) }
+  let(:fake_all_bottle_tag) { instance_double(Utils::Bottles::Tag, to_sym: :all) }
   let(:fake_bottle) do
-    instance_double(Bottle, cached_download:, filename: fake_bottle_filename, url: fake_bottle_url)
+    instance_double(Bottle, cached_download:, filename: fake_bottle_filename, url: fake_bottle_url,
+                    tag: fake_bottle_tag)
+  end
+  let(:fake_all_bottle) do
+    instance_double(Bottle, cached_download:, filename: fake_bottle_filename, url: fake_bottle_url,
+                    tag: fake_all_bottle_tag)
   end
   let(:fake_result_invalid_json) { instance_double(SystemCommand::Result, stdout: "\"invalid JSON") }
   let(:fake_result_json_resp) do
@@ -143,6 +153,19 @@
                                           described_class::HOMEBREW_CORE_REPO
       end.to raise_error(described_class::InvalidAttestationError)
     end
+
+    it "checks subject prefix when the bottle is an :all bottle" do
+      expect(GitHub::API).to receive(:credentials)
+        .and_return(fake_gh_creds)
+
+      expect(described_class).to receive(:system_command!)
+        .with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
+                              described_class::HOMEBREW_CORE_REPO, "--format", "json"],
+              env: { "GH_TOKEN" => fake_gh_creds }, secrets: [fake_gh_creds])
+        .and_return(fake_result_json_resp)
+
+      described_class.check_attestation fake_all_bottle, described_class::HOMEBREW_CORE_REPO
+    end
   end
 
   describe "::check_core_attestation" do