Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

attestation: redact secret in environment #17302

Merged
merged 1 commit into from
May 14, 2024
Merged

attestation: redact secret in environment #17302

merged 1 commit into from
May 14, 2024
+85 −66

Conversation

woodruffw
Copy link
Member

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

Fixes #17300.

h/t @Bo98 for pointing out the system_command! API's pre-existing ability to do this -- I couldn't use the ENV.sensitive? functionality because that doesn't handle the env: kwarg, but passing it via secrets suffices 🙂

Example induced failure, showing the redacted secret:

$ HOMEBREW_GITHUB_API_TOKEN=lololol brew verify gh
==> Downloading https://ghcr.io/v2/homebrew/core/gh/blobs/sha256:a9b943de9c581a597
Already downloaded: /Users/william/Library/Caches/Homebrew/downloads/1d47281ddb66d5bfb053e1f74cff84446c6626f87d7536b93b5c7dbc5555f073--gh--2.49.2.arm64_sonoma.bottle.tar.gz

Error: failed to fetch attestations from Homebrew/homebrew-core: HTTP 401: Bad credentials (https://api.github.com/repos/Homebrew/homebrew-core/attestations/sha256:a9b943de9c581a597c47e23c5037bb7b609079e835b1553c5a653abf439254f9?per_page=30)

Error: failed to fetch attestations from trailofbits/homebrew-brew-verify: HTTP 401: Bad credentials (https://api.github.com/repos/trailofbits/homebrew-brew-verify/attestations/sha256:a9b943de9c581a597c47e23c5037bb7b609079e835b1553c5a653abf439254f9?per_page=30)
Error: Failed to verify gh--2.49.2.arm64_sonoma.bottle.tar.gz with tag arm64_sonoma due to error:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** /opt/homebrew/bin/gh attestation verify /Users/william/Library/Caches/Homebrew/downloads/1d47281ddb66d5bfb053e1f74cff84446c6626f87d7536b93b5c7dbc5555f073--gh--2.49.2.arm64_sonoma.bottle.tar.gz --repo trailofbits/homebrew-brew-verify --format json` exited with 1. Here's the output:

Error: failed to fetch attestations from trailofbits/homebrew-brew-verify: HTTP 401: Bad credentials (https://api.github.com/repos/trailofbits/homebrew-brew-verify/attestations/sha256:a9b943de9c581a597c47e23c5037bb7b609079e835b1553c5a653abf439254f9?per_page=30)

(The error message is now much more verbose as well.)

@woodruffw
attestation: redact secret in environment
f78a888 
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw woodruffw self-assigned this May 14, 2024
Bo98
Bo98 approved these changes May 14, 2024
View reviewed changes
Copy link
Member

@Bo98 Bo98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

colindean
colindean approved these changes May 14, 2024
View reviewed changes
Copy link
Member

@colindean colindean left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

p-linnane
p-linnane approved these changes May 14, 2024
View reviewed changes
Copy link
Member

@p-linnane p-linnane left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work!

@p-linnane p-linnane merged commit 1f603d3 into master May 14, 2024
25 checks passed
@p-linnane p-linnane deleted the ww/redact-env branch May 14, 2024 21:01
@MikeMcQuaid
Copy link
Member

Thanks @woodruffw!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@colindean colindean colindean approved these changes

@Bo98 Bo98 Bo98 approved these changes

@p-linnane p-linnane p-linnane approved these changes

Assignees

@woodruffw woodruffw

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Attestation failure message emits secret
5 participants
@woodruffw @MikeMcQuaid @colindean @Bo98 @p-linnane