Cannot verify ansible 11.1.0 attestation #200152

Closed
4 tasks done
nikaro opened this issue Dec 5, 2024 · 1 comment
Labels
bug Reproducible Homebrew/homebrew-core bug

nikaro commented Dec 5, 2024

brew gist-logs <formula> link OR brew config AND brew doctor output

~ > brew config ; brew doctor
HOMEBREW_VERSION: 4.4.9
ORIGIN: https://github.com/Homebrew/brew
HEAD: 2e780004c92f16a96036d3d43569c2924c4e54f5
Last commit: 2 days ago
Branch: stable
Core tap JSON: 05 Dec 07:01 UTC
Core cask tap JSON: 05 Dec 07:01 UTC
HOMEBREW_PREFIX: /usr/local
HOMEBREW_CASK_OPTS: []
HOMEBREW_EDITOR: hx
HOMEBREW_MAKE_JOBS: 12
HOMEBREW_SORBET_RUNTIME: set
Homebrew Ruby: 3.3.6 => /usr/local/Homebrew/Library/Homebrew/vendor/portable-ruby/3.3.6/bin/ruby
CPU: dodeca-core 64-bit kabylake
Clang: 16.0.0 build 1600
Git: 2.47.1 => /usr/local/bin/git
Curl: 8.7.1 => /usr/bin/curl
macOS: 15.1.1-x86_64
CLT: 16.1.0.0.1.1729049160
Xcode: N/A
Your system is ready to brew.

Verification

  • My brew doctor output says Your system is ready to brew. and am still able to reproduce my issue.
  • I ran brew update and am still able to reproduce my issue.
  • I have resolved all warnings from brew doctor and that did not fix my problem.
  • I searched for recent similar issues at https://github.com/Homebrew/homebrew-core/issues?q=is%3Aissue and found no duplicates.

What were you trying to do (and why)?

Trying to update ansible package (to have an up-to-date package ^_^').

What happened (include all command output)?

Brew cannot verify the bottle attestation.

⏺ ~ > brew upgrade ansible
==> Upgrading 1 outdated package:
ansible 11.0.0 -> 11.1.0
==> Downloading https://ghcr.io/v2/homebrew/core/ansible/manifests/11.1.0
##################################################################################################################################################################################################################################### 100.0%
==> Fetching ansible
==> Downloading https://ghcr.io/v2/homebrew/core/ansible/blobs/sha256:9cad1f4cb9648b83738b09de1ec3e67d7c44d16fea056259df4f22278ad21dba
##################################################################################################################################################################################################################################### 100.0%
==> Verifying attestation for ansible
Warning: Failed to verify attestation. Retrying in 1s...
Warning: Failed to verify attestation. Retrying in 3s...
Warning: Failed to verify attestation. Retrying in 9s...
Warning: Failed to verify attestation. Retrying in 27s...
Warning: Failed to verify attestation. Retrying in 81s...
Error: The bottle for ansible has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

no attestation matches subject: ansible--11.1.0.sonoma.bottle.tar.gz

Despite its attestation existing: https://github.com/Homebrew/homebrew-core/attestations/3647054

If I manually verify the bottle, it is fine:

⏺ ~ > gh attestation verify --owner Homebrew ~/Downloads/bee4701d4c983428d8708728330fb1ec038c9b7d6e393340c4c45505ef046ace--ansible--11.1.0.sonoma.bottle.tar.gz 
Loaded digest sha256:9cad1f4cb9648b83738b09de1ec3e67d7c44d16fea056259df4f22278ad21dba for file:///Users/nicolas/Downloads/bee4701d4c983428d8708728330fb1ec038c9b7d6e393340c4c45505ef046ace--ansible--11.1.0.sonoma.bottle.tar.gz
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:9cad1f4cb9648b83738b09de1ec3e67d7c44d16fea056259df4f22278ad21dba was attested by:
REPO                    PREDICATE_TYPE                  WORKFLOW                                                      
Homebrew/homebrew-core  https://slsa.dev/provenance/v1  .github/workflows/publish-commit-bottles.yml@refs/heads/master

What did you expect to happen?

Update without error.

Step-by-step reproduction instructions (by running brew commands)

brew update ; brew upgrade ansible

nikaro added the bug (Reproducible Homebrew/homebrew-core bug) label Dec 5, 2024

SMillerDev (Member) commented

Duplicate of pinned #177384

SMillerDev closed this as not planned Dec 5, 2024