Comments (17)
How difficult would it be to support verifying attestations natively in Ruby?
I'd prefer to avoid needed gh
to verify attestations, since that presents challenges to verifying the gh
attestation.
from brew.
Thanks @woodruffw!
[ ] Add a
BREW_VERIFY_ATTESTATIONS
environment config, which will default tofalse
during the beta period.
Should probably default to an empty/unset variable being false rather than handling false
, just FYI.
- When
BREW_VERIFY_ATTESTATIONS=true
,brew install
will additionally perform verification of each bottle's attestation as it gets downloaded (or reused from cache).
Should probably be =1
or really set to any, non-blank value.
- Regardless of
BREW_VERIFY_ATTESTATIONS
, the separatebrew verify [formulae ...]
command will allow users to explicitly verify bottle(s) by their formulae names.
👍🏻
- How long should the beta last?
I think it's less about the time and more about just gradual ramp-up based on bugs/issues/performance regressions seen.
Generally these things go through:
- require ENV variable
- enabled by default for HOMEBREW_DEVELOPERs
- enabled by default in CI
- optional: enabled by default for HOMEBREW_DEVCMD_RUN
- enabled on
master
, not yet in a stable tag - in a stable tag
- Attestation verification currently requires the
gh
CLI, meaning thatBREW_VERIFY_ATTESTATIONS=true
will require a bootstrapping phase withbrew install gh
or similar to start. Should this be hash-pinned or similar?
I think this is fine while the ENV variable is opt-in or for the brew verify
command. I agree that making this a hard requirement for all of brew install
invocations is something we probably need to resolve before this can go out to everyone as default behaviour (and probably even go to homebrew developers/CI).
Once enabled by default, this will enable build provenance (modulo the backfill) verification for every bottle in
homebrew-core
, changing Homebrew's bottle integrity guarantee from "it matches a known digest" to "it matches a known digest and it was produced on Homebrew's own CI/CD."
Sounds good, assuming the performance overhead here is minimal.
from brew.
https://github.com/segiddins/sigstore-cosign-verify should almost be usable!
from brew.
The closest implementation is probably the one that the RubyGems folks have been working on (they have similar native-Ruby-only requirements), but IIUC they're still in active development as well and probably aren't ready for downstream dependencies yet.
This might be an interesting watch. We don't necessarily have to move quickly here. If this route looks dead later in the year we can re-evaluate options but it seems worthwhile watching that space as a potential way forward removing the env-gate.
If RubyGems needs/likes any input/contributions from me then I'm happy to do that too.
from brew.
Makes sense. To align this and @carlocab's comment: is the thought that users would have to explicitly
brew install gh
first, only after whichBREW_VERIFY_ATTESTATIONS=1 brew install ...
would be effective?
I think it'd be OK for it to install gh
itself (we have a one-liner for such things), it's more just that it can't really be default until it's entirely in Ruby.
from brew.
even if only as a dev-cmd
I'd be ok as a dev-cmd
if we make it clear in the command description too that it's under development. We can promote it to cmd
when we're ready to remove the env-gate.
from brew.
seems to work well, but verifying attestations seems a bit slow:
Yeah, I think there's some low hanging fruit that I can optimize here: gh attestation verify
is probably pulling more things down the pipe than it strictly needs to, and there may be optimizations that it can further do internally. I'll do some profiling.
from brew.
See also #16543 for the prior phase of this 🙂
from brew.
I'm OK relying on gh
as an opt-in env for brew install
(and keeping brew verify
in a separate tap) initially.
I'm less OK with doing so unconditionally as we've generally been moving away from arbitrary external tools (beyond guaranteed system-provided tools on macOS). See past efforts of: moving from patchelf
to patchelf.rb
, readelf
to rbelftools
, the current PR for ldd
and the existence of Portable Ruby. The chicken egg problem of verifying gh
itself makes this more awkward and having to issue a new brew
release every time gh
is updated sounds annoying. A mini bundled gh
(like Portable Ruby) used exclusively for this may however be possible if necessary.
But a lot of this can be "questions for later". I was going to point out gh-attestation
being closed source but I think that got fixed in yesterday's gh
release? So seems like the picture is already changing. How it actually works is now clearer and I'll take a look over the code to give myself a more informed idea of what's actually involved here rather than guessing what the black box does.
from brew.
How difficult would it be to support verifying attestations natively in Ruby?
I'd prefer to avoid needed
gh
to verify attestations, since that presents challenges to verifying thegh
attestation.
I strongly agree, although unfortunately the answer to "how difficult" is currently "very difficult" -- verifying an attestation here requires a full Sigstore verifier implementation, and there currently isn't a suitable native Ruby one that's ready for use here.
The closest implementation is probably the one that the RubyGems folks have been working on (they have similar native-Ruby-only requirements), but IIUC they're still in active development as well and probably aren't ready for downstream dependencies yet.
Should probably default to an empty/unset variable being false rather than handling false, just FYI.
Should probably be =1 or really set to any, non-blank value.
Makes sense! I was using shorthand here; I figure this would go in Homebrew::EnvConfig
, which would abstract all the 1
, bool, etc. variants 🙂
I'm less OK with doing so unconditionally as we've generally been moving away from arbitrary external tools (beyond guaranteed system-provided tools on macOS). See past efforts of: moving from patchelf to patchelf.rb, readelf to rbelftools, the current PR for ldd and the existence of Portable Ruby. The chicken egg problem of verifying gh itself makes this more awkward and having to issue a new brew release every time gh is updated sounds annoying. A mini bundled gh (like Portable Ruby) used exclusively for this may however be possible if necessary.
Makes sense. To align this and @carlocab's comment: is the thought that users would have to explicitly brew install gh
first, only after which BREW_VERIFY_ATTESTATIONS=1 brew install ...
would be effective?
If so, that makes sense to me (in the sense that it does an end-run around the bootstrapping problem) and IMO is an acceptable solution until we can vendor-in a pure Ruby attestation verifier.
My proposal with that:
BREW_VERIFY_ATTESTATIONS=0 brew install
: current, default behaviorBREW_VERIFY_ATTESTATIONS=1 brew install
with nogh
installed: failureBREW_VERIFY_ATTESTATIONS=1 brew install
withgh
installed: performs attestation verification
from brew.
Also: re: brew verify
: keeping it in an external tap is OK by me if that's the consensus, but I'd prefer to upstream it (even if only as a dev-cmd) if possible: my reasoning is that brew verify
will share almost exactly the same underlying implementation as the feature-flagged verification under brew install
, so IMO it makes sense to de-dupe the code 🙂
from brew.
If RubyGems needs/likes any input/contributions from me then I'm happy to do that too.
Paging @segiddins 🙂
I'd be ok as a dev-cmd if we make it clear in the command description too that it's under development. We can promote it to cmd when we're ready to remove the env-gate.
Sounds good! We'll make that explicit.
from brew.
I've opened #17049 with the first bits of this: that PR adds HOMEBREW_VERIFY_ATTESTATIONS
and directs brew update
to bootstrap gh
if HOMEBREW_VERIFY_ATTESTATIONS
is set. Once set, brew install
verifies the attestations for any bottles being fetched from homebrew-core
.
from brew.
#17049 seems to work well, but verifying attestations seems a bit slow:
❯ brew uninstall hello
Uninstalling /opt/homebrew/Cellar/hello/2.12.1... (11 files, 177KB)
❯ time (HOMEBREW_VERIFY_ATTESTATIONS=1 brew install hello &>/dev/null)
( HOMEBREW_VERIFY_ATTESTATIONS=1 brew install hello &> /dev/null; ) 0.85s user 0.27s system 37% cpu 2.982 total
❯ brew uninstall hello
Uninstalling /opt/homebrew/Cellar/hello/2.12.1... (11 files, 177KB)
❯ time (HOMEBREW_VERIFY_ATTESTATIONS= brew install hello &>/dev/null)
( HOMEBREW_VERIFY_ATTESTATIONS= brew install hello &> /dev/null; ) 0.62s user 0.19s system 79% cpu 1.018 total
Note: bottle pre-fetched so download time is not included
from brew.
Related Issues (20)
- Allow macos 11 to be used HOT 1
- Allow formulae to set an env for their completion generation HOT 4
- Show disk space in info command HOT 3
- Fine-grained PATs do not work when used as $HOMEBREW_GITHUB_API_TOKEN HOT 3
- `brew upgrade -g` sometime will install old version app HOT 3
- `brew upgrade -g` sometime will install old version app
- @PizzaShift @ligi Hello.
- Support GitHub App installation access tokens HOT 2
- Command "brew update" shows "/dev/stdin: No such file or directory - /tmp/sh-thd-2853475760 (deleted) (Errno::ENOENT)" HOT 8
- How should we store installed cask information? HOT 18
- `brew bump --open-pr` fails to fetch repology data HOT 5
- Add a RuboCop rule for sorting EnvConfig keys
- Make `update <formula>` actually `upgrade formula` HOT 2
- `brew info` should always print whether formula installed HOT 5
- `cask upgrade` will be downloaded and installed repeatedly HOT 10
- `brew log` regression after port to `abstract_command` HOT 1
- option to install package to home directory or a custom directory HOT 1
- Running the macOS installer changes permissions on `~/.gitconfig` HOT 5
- Introduce additional versioning information for casks HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from brew.