Add a `brew verify` command to easily verify homebrew-core packages #16543
Comments
As a POC, a separate command might be useful. Though: does it make sense to verify the attestation automatically with a If doing it on every |
I agree, my plan is to write a separate command regardless, just to make sure everything works as expected without the complexity of a full
I don't yet know how heavy an operation of verification is, I will investigate to see if this makes sense. Verifying on |
On the Sigstore side: verification is relatively lightweight (it's a small handful of signature verifications + a bit of parsing and munging). I'll do some benchmarking with The only potentially slow part is whether verification is done "online," i.e. whether the inclusion proof in each bundle is also checked against the online transparency log (and whether the root of trust is updated on every invocation). The default should be to do an offline verification so no network roundtrip should be necessary there, but the root of trust update may currently be unconditional. I'll look into that! Edit: From discussion with @phillmv: I forgot to also factor in the network trip for retrieving the attestation itself (which will happen alongside bottle retrieval). |
Agreed that a |
Yes, but I would suggest it should be in an external command/tap initially.
👍🏻 my thinking is based on this the verification would go through these steps:
|
That plan SGTM! @josephsweeney, let's start with an external command in a tap on the ToB GH org. |
Agreed with this, though IMO the second step can be skipped as I don't really see any value in doing that over what the external tap offered. If we're interested in onboarding after the experimental stage of being in an external tap, then we're probably interested in fully integrating it into |
Agreed on both @MikeMcQuaid's steps and @Bo98's point on the second step. The plan will be to keep Thanks to everyone for the input, it helps a lot! |
I have the first iteration of a Note that you'll need the GitHub CLI installed, and this extension added. I explain this in the help text for the command as well. I may add some functionality to prompt the user if they would like to install it, but I figure I would start more minimally for now. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
@josephsweeney I've outlined the integration steps for this in #17019 and we have the MVP version, so IMO this is safe to close! |
Provide a detailed description of the proposed feature
In a recent PR we started generating build provenance for packages using GitHub's new `generate-build-provenance` action. I am proposing and seeking feedback on adding a new `brew verify` command that would verify installed bottles (either all bottles or individual bottles). The command would use the `gh attestation verify` extension to the GitHub CLI to verify the installed bottles were signed. I am currently working on a standalone script to do this, but I wanted to get feedback from the maintainers about whether they agree this should be incorporated as a `brew` command. If there is agreement, please feel free to assign me and I will work on a PR. If not, let me know if there are any changes or further information that would be helpful. Thank you.
What is the motivation for the feature?
The motivation is to more easily allow users of `brew` to verify that bottles they install from homebrew-core were indeed built by Homebrew's CI, which is what users already expect. This just allows them to easily verify it without any extra tools.
How will the feature be relevant to at least 90% of Homebrew users?
Any user would be able to use this command to make better security decisions about what bottles to use and trust.
What alternatives to the feature have been considered?
The main alternative to this feature is a standalone command line program that will verify Homebrew bottles. It would do exactly the same thing, but users would have to explicitly find and download the program to verify bottles. This makes it much less likely to be used as it wouldn't be built into `brew`.