
Attestation failure message emits secret #17300

Closed
3 tasks done
colindean opened this issue May 14, 2024 · 1 comment · Fixed by #17302
Assignees: woodruffw
Labels: bug (Reproducible Homebrew/brew bug), outdated (PR was locked due to age)

Comments


colindean commented May 14, 2024

brew doctor output

Warning: Some installed formulae are deprecated or disabled.
You should find replacements for the following formulae:
  openssl@1.1

Warning: Unbrewed dylibs were found in /usr/local/lib.
If you didn't put them there on purpose they could cause problems when
building Homebrew formulae and may need to be deleted.

Unexpected dylibs:
  /usr/local/lib/libMsgCom.dylib
  /usr/local/lib/libSysCtlCom.dylib
  /usr/local/lib/libwep_airdrop.dylib
  /usr/local/lib/libwep_burn.dylib
  /usr/local/lib/libwep_cbcarbon.dylib
  /usr/local/lib/libwep_cbcocoa.dylib
  /usr/local/lib/libwep_chrome.dylib
  /usr/local/lib/libwep_dutil.dylib
  /usr/local/lib/libwep_ff.dylib
  /usr/local/lib/libwep_icloud.dylib
  /usr/local/lib/libwep_mail.dylib
  /usr/local/lib/libwep_post.dylib
  /usr/local/lib/libwep_printer.dylib
  /usr/local/lib/libwep_screen.dylib

Warning: Found Ruby file outside tgt/brewhouse tap formula directory.
(/opt/homebrew/Library/Taps/tgt/homebrew-brewhouse/Formula):
  /opt/homebrew/Library/Taps/tgt/homebrew-brewhouse/ghe_download_strategy.rb

Found Ruby file outside go-vela/vela tap formula directory.
(/opt/homebrew/Library/Taps/go-vela/homebrew-vela/Formula):
  /opt/homebrew/Library/Taps/go-vela/homebrew-vela/template.rb

I've got this whittled down from a lot more stuff in here before I pushed submit. openssl@1.1 is still used by several formulae:

$ brew uses --installed openssl@1.1
git-filter-repo      libcroco             liblqr               peru                 proselint            sox                  sshtrix              wemux

And the other things are particular to my enterprise environment.

Verification

  • My "brew doctor output" above says `Your system is ready to brew.` and I am still able to reproduce my issue.
  • I ran `brew update` twice and am still able to reproduce my issue.
  • This issue's title and/or description do not reference a single formula, e.g. `brew install wget`. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

brew config output

HOMEBREW_VERSION: 4.3.0-15-gf520383
ORIGIN: https://github.com/homebrew/brew.git
HEAD: f520383897b3c3e36cf6a08c82a0d27b5cef48ab
Last commit: 29 minutes ago
Core tap HEAD: 1e50fab716a8726ad47782cf1e6b6f8d4d621547
Core tap last commit: 51 minutes ago
Core tap JSON: 14 May 15:59 UTC
Core cask tap HEAD: 29b229ac878e6fa2e53028f9682d9f6dcc330d4b
Core cask tap last commit: 23 minutes ago
Core cask tap JSON: 14 May 15:59 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_BAT_THEME: DarkNeon
HOMEBREW_CASK_OPTS: []
HOMEBREW_EDITOR: vim
HOMEBREW_GITHUB_API_TOKEN: set
HOMEBREW_MAKE_JOBS: 10
HOMEBREW_SORBET_RUNTIME: set
HOMEBREW_VERIFY_ATTESTATIONS: set
Homebrew Ruby: 3.1.4 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.1.4/bin/ruby
CPU: 10-core 64-bit arm_firestorm_icestorm
Clang: 15.0.0 build 1500
Git: 2.45.0 => /opt/homebrew/bin/git
Curl: 8.4.0 => /usr/bin/curl
macOS: 14.3.1-arm64
CLT: 15.3.0.0.1.1708646388
Xcode: N/A
Rosetta 2: false

What were you trying to do (and why)?

brew upgrade while HOMEBREW_VERIFY_ATTESTATIONS=1 is set.

What happened (include all command output)?

==> Upgrading gh
  2.49.0 -> 2.49.2 
==> Verifying attestation for gh
Error: The bottle for gh has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation verification failed: Failure while executing; `{"GH_TOKEN"=>"LITERALLYMYGHTOKEN"} /opt/homebrew/bin/gh attestation verify /Users/Z003XC4/Library/Caches/Homebrew/downloads/1d47281ddb66d5bfb053e1f74cff84446c6626f87d7536b93b5c7dbc5555f073--gh--2.49.2.arm64_sonoma.bottle.tar.gz --repo trailofbits/homebrew-brew-verify --format json` exited with 127. Here's the output:

N.b., there was no further output.

What did you expect to happen?

I did not expect to see my token in the command output.

…I also expected the attestation to work but that's being handled in another forum.

Step-by-step reproduction instructions (by running brew commands)

`brew upgrade` while `HOMEBREW_VERIFY_ATTESTATIONS=1` is set.
@colindean colindean added the bug Reproducible Homebrew/brew bug label May 14, 2024
@woodruffw woodruffw self-assigned this May 14, 2024
woodruffw (Member) commented

Triaging: I think the right way to do this is to pass the token's value to ErrorDuringExecution for redaction, but this is likely to be difficult to plumb through Utils.safe_popen_read.

Instead, I think I need to fix ErrorDuringExecution's rendering of the cmd more generally -- it should render the Hash as an environment listing instead of just dumping it (if present), and should also apply an allowlist of variables that don't need to be redacted.
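The rendering fix described in the comment above, as an added example that is not Homebrew's own code: the error class renders a command whose first element is an environment Hash as a `VAR=value` listing instead of dumping the Hash, and every variable value not on an allowlist is replaced with `[redacted]`, so a `GH_TOKEN` passed to `gh attestation verify` never reaches the error message. The class name, the `SAFE_ENV` allowlist, and the `run_checked` wrapper are assumptions made for this example; the real brew fix lives in the linked PR.

```ruby
require "open3"
require "shellwords"

# Added example (not Homebrew's code): an ErrorDuringExecution-style error
# whose message shows the environment as a listing with secrets redacted.
class RedactingErrorDuringExecution < RuntimeError
  # Hypothetical allowlist: variables whose values are safe to print verbatim.
  # Anything not listed here is assumed to be potentially secret.
  SAFE_ENV = %w[HOMEBREW_PREFIX HOMEBREW_CELLAR PATH LANG LC_ALL].freeze
  REDACTED = "[redacted]"

  attr_reader :cmd, :status, :output

  # cmd is an Array in the shape popen-style helpers take:
  # an optional leading env Hash followed by the program and its arguments.
  def initialize(cmd, status:, output: nil)
    @cmd = cmd
    @status = status
    @output = output
    super(build_message)
  end

  # Render [{"GH_TOKEN"=>"..."}, "/opt/homebrew/bin/gh", "attestation", ...]
  # as "GH_TOKEN=[redacted] /opt/homebrew/bin/gh attestation ...".
  def self.render_cmd(cmd, allowlist: SAFE_ENV)
    env, *argv = cmd
    parts = []
    if env.is_a?(Hash)
      env.each do |name, value|
        shown = allowlist.include?(name.to_s) ? Shellwords.escape(value.to_s) : REDACTED
        parts << "#{name}=#{shown}"
      end
    else
      # No env Hash: the first element is the program itself.
      argv.unshift(env) unless env.nil?
    end
    parts.concat(argv.map { |arg| Shellwords.escape(arg.to_s) })
    parts.join(" ")
  end

  private

  def build_message
    msg = +"Failure while executing; `#{self.class.render_cmd(cmd)}` exited with #{status}."
    msg << " Here's the output:\n#{output}" if output && !output.empty?
    msg
  end
end

# Hypothetical wrapper in the spirit of Utils.safe_popen_read: run the
# command, return its combined output on success, and raise the redacting
# error (carrying the exit status and captured output) on failure.
def run_checked(cmd)
  has_env = cmd.first.is_a?(Hash)
  env = has_env ? cmd.first : {}
  argv = has_env ? cmd.drop(1) : cmd
  out, status = Open3.capture2e(env, *argv)
  return out if status.success?

  raise RedactingErrorDuringExecution.new(cmd, status: status.exitstatus, output: out)
end

if $PROGRAM_NAME == __FILE__
  # Constructed command: a token in the env and a child that exits 127,
  # mirroring the shape of the failing gh invocation in the report.
  begin
    run_checked([{ "GH_TOKEN" => "ghp_secretvalue" }, "sh", "-c", "echo boom >&2; exit 127"])
  rescue RedactingErrorDuringExecution => e
    puts e.message
  end
end
```

The redaction happens in the renderer rather than at each call site, so every caller that raises this error gets it for free, and the allowlist is the only thing that has to be maintained; defaulting to redaction means a new variable such as `GH_TOKEN` is hidden until someone deliberately decides it is safe to show.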

@github-actions github-actions bot added the outdated PR was locked due to age label Jun 14, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 14, 2024