
[TRIAGE] The bottle for $foo has an invalid build provenance attestation #177384

Open · 4 tasks done
noelleleigh opened this issue Jul 15, 2024 · 107 comments
Assignees: woodruffw
Labels: bug (Reproducible Homebrew/homebrew-core bug), in progress (Stale bot should stay away)

Comments

@noelleleigh

noelleleigh commented Jul 15, 2024

brew gist-logs <formula> link OR brew config AND brew doctor output

brew config

HOMEBREW_VERSION: 4.3.9-227-gd4f808f
ORIGIN: https://github.com/Homebrew/brew
HEAD: d4f808ffb56cf47d8ee96b973bb15afd48cf8ba2
Last commit: 14 minutes ago
Core tap JSON: 15 Jul 13:58 UTC
Core cask tap JSON: 15 Jul 13:58 UTC
HOMEBREW_PREFIX: /usr/local
HOMEBREW_CASK_OPTS: []
HOMEBREW_EDITOR: code
HOMEBREW_MAKE_JOBS: 16
HOMEBREW_SORBET_RUNTIME: set
Homebrew Ruby: 3.3.4 => /usr/local/Homebrew/Library/Homebrew/vendor/portable-ruby/3.3.4/bin/ruby
CPU: 16-core 64-bit kabylake
Clang: 15.0.0 build 1500
Git: 2.45.2 => /usr/local/bin/git
Curl: 8.6.0 => /usr/bin/curl
macOS: 14.5-x86_64
CLT: 15.3.0.0.1.1708646388
Xcode: N/A

brew doctor

Your system is ready to brew.

Verification

  • My brew doctor output says Your system is ready to brew. and am still able to reproduce my issue.
  • I ran brew update and am still able to reproduce my issue.
  • I have resolved all warnings from brew doctor and that did not fix my problem.
  • I searched for recent similar issues at https://github.com/Homebrew/homebrew-core/issues?q=is%3Aissue and found no duplicates.

What were you trying to do (and why)?

Upgrade nano from 8.0 to 8.1

What happened (include all command output)?

> % brew upgrade nano  
==> Downloading https://formulae.brew.sh/api/formula.jws.json

==> Downloading https://formulae.brew.sh/api/cask.jws.json

Warning: Treating nano as a formula. For the cask, use homebrew/cask/nano or specify the `--cask` flag.
==> Upgrading 1 outdated package:
nano 8.0 -> 8.1
==> Downloading https://ghcr.io/v2/homebrew/core/nano/manifests/8.1
Already downloaded: /Users/noelle/Library/Caches/Homebrew/downloads/c235906dbe78ab367ac80fa098363c4312bc50c3945eb8154535b340d8394f94--nano-8.1.bottle_manifest.json
==> Fetching nano
==> Downloading https://ghcr.io/v2/homebrew/core/nano/blobs/sha256:78947cd54c0938695fd01dd784f3f0033c0af0532627
Already downloaded: /Users/noelle/Library/Caches/Homebrew/downloads/ac5e4929fdb43b3e506e55e05d011b7f77c9148f1abc5f20f9927bd46f1ce721--nano--8.1.sonoma.bottle.tar.gz
==> Upgrading nano
  8.0 -> 8.1 
==> Verifying attestation for nano
Error: The bottle for nano has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** /usr/local/bin/gh attestation verify /Users/noelle/Library/Caches/Homebrew/downloads/ac5e4929fdb43b3e506e55e05d011b7f77c9148f1abc5f20f9927bd46f1ce721--nano--8.1.sonoma.bottle.tar.gz --repo trailofbits/homebrew-brew-verify --format json` exited with 1. Here's the output:

Error: failed to fetch attestations from trailofbits/homebrew-brew-verify: HTTP 401: Bad credentials (https://api.github.com/repos/trailofbits/homebrew-brew-verify/attestations/sha256:78947cd54c0938695fd01dd784f3f0033c0af053262712e2d34bef6cd7653513?per_page=30)

What did you expect to happen?

Install without error

Step-by-step reproduction instructions (by running brew commands)

brew upgrade nano
@noelleleigh noelleleigh added the bug Reproducible Homebrew/homebrew-core bug label Jul 15, 2024
@Bo98 Bo98 assigned Bo98 and woodruffw and unassigned Bo98 Jul 15, 2024
@woodruffw
Member

Thanks for the report @noelleleigh! Could you attempt to run the following for me locally?

gh auth status

...that should help me determine why the GitHub API call failed to authenticate here.

@woodruffw
Member

In the meantime as well: you can disable this feature (it's in beta, but you're receiving it because you have developer mode enabled) by setting HOMEBREW_NO_VERIFY_ATTESTATIONS=1.

@mitchblank
Contributor

I had the same issue, and a gh auth login fixed it.

It seems that the attestation-checking code is sensitive to a stale gh token in a way that other parts of brew upgrade are not.

Also the way the error surfaces isn't very helpful

@woodruffw
Member

> Also the way the error surfaces isn't very helpful

Agreed; we rolled this out to people with developer mode enabled to discover exactly these kinds of rough edges. I'll look into improving this error message.

@lblackstone
Contributor

lblackstone commented Jul 15, 2024

I encountered a similar error for the goreleaser package:

Error: failed to fetch attestations from trailofbits/homebrew-brew-verify: HTTP 401: Bad credentials (https://api.github.com/repos/trailofbits/homebrew-brew-verify/attestations/sha256:2a5e4f6a0352af1989c5516ad2b742e132bf5112e2574190b6b706f7b1697f35?per_page=30)

Running gh auth login did not fix it, but HOMEBREW_NO_VERIFY_ATTESTATIONS=1 worked as suggested.

I'm using the SSH git protocol if that makes a difference.

@woodruffw
Member

Using SSH for git shouldn't make a difference 🙂

@lblackstone could you run gh auth status and post the output here?

@lblackstone
Contributor

$ gh auth status

github.com
  ✓ Logged in to github.com account lblackstone (/Users/levi/.config/gh/hosts.yml)
  - Active account: true
  - Git operations protocol: ssh
  - Token: gho_************************************
  - Token scopes: 'admin:public_key', 'gist', 'read:org', 'repo'

@woodruffw
Member

woodruffw commented Jul 15, 2024

Thanks. That looks pretty close to what I have, so I don't think that's the source of problems here. It's possible that there's another (stale) credential elsewhere that Homebrew is giving priority to; I'll look into that.

Edit: @lblackstone do you happen to have a different API credential configured via HOMEBREW_GITHUB_API_TOKEN? That's the one credential source that has priority over the gh-held token.

@lblackstone
Contributor

lblackstone commented Jul 15, 2024

> do you happen to have a different API credential configured via HOMEBREW_GITHUB_API_TOKEN? That's the one credential source that has priority over the gh-held token.

Ah, sure enough. It looks like my ~/.zshrc file was setting that, but I don't see the token on my GH settings. I assume it expired since I used it a while back.

@woodruffw
Member

woodruffw commented Jul 15, 2024

Yep, that'll do it. I'll look into improving the error message on that case as well. In the meantime, you should be able to re-enable attestations and delete that old env var (Homebrew will use your gh token).

@noelleleigh
Author

> Thanks for the report @noelleleigh! Could you attempt to run the following for me locally?
>
> gh auth status
>
> ...that should help me determine why the GitHub API call failed to authenticate here.

Sorry for the delay:

$ gh auth status
github.com
  X Failed to log in to github.com account noelleleigh (keyring)
  - Active account: true
  - The token in keyring is invalid.
  - To re-authenticate, run: gh auth login -h github.com
  - To forget about this account, run: gh auth logout -h github.com -u noelleleigh

@woodruffw
Member

No problem, thanks for checking. Could you try running gh auth login and seeing if the command works after that?

(This feature won't require this kind of auth flow once it's out of beta; you can leave the beta either by disabling Homebrew's developer mode or by explicitly setting HOMEBREW_NO_VERIFY_ATTESTATIONS=1.)

@woodruffw
Member

woodruffw commented Jul 15, 2024

> Hi, I'm trying to install otf2bdf and I'm getting a similar error, but a 404 instead of a 401. Is this related?

That's unrelated, but thank you for raising it. You can use the same HOMEBREW_NO_VERIFY_ATTESTATIONS=1 env var mentioned above to disable that failing check.

Edit: I've kicked off a rebottle for otf2bdf that should resolve the above.

Edit 2: The rebottle has completed and otf2bdf's bottles should now be attested. Thank you @jackson-57!

@noelleleigh
Author

> No problem, thanks for checking. Could you try running gh auth login and seeing if the command works after that?

After completing the gh auth login flow, I can now upgrade nano successfully. Thanks!

@angelus2014

angelus2014 commented Jul 16, 2024

I use set HOMEBREW_NO_VERIFY_ATTESTATIONS 1 in fish and a check with env shows me that it's set.

@heuermh

heuermh commented Aug 11, 2024

==> Upgrading brewsci/bio/edirect
  16.2 -> 22.1
==> Installing dependencies for brewsci/bio/edirect: cpanminus
==> Installing brewsci/bio/edirect dependency: cpanminus
==> Downloading https://ghcr.io/v2/homebrew/core/cpanminus/manifests/1.7047
Already downloaded: /Users/foo/Library/Caches/Homebrew/downloads/9e80d7eedcbf4589a593353f480729057df8c1f14c30b111fb294cd2e68d1163--cpanminus-1.7047.bottle_manifest.json
==> Verifying attestation for cpanminus
Error: The bottle for cpanminus has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

no attestation matches subject: 715cc29abc1757470860a4ad0acb9d07701ef8c46399c905353954df33d5b769--cpanminus--1.7047.monterey.bottle.tar.gz

@woodruffw
Member

Thanks @heuermh, I can confirm that the monterey bottle is missing an attestation:

$ brew verify cpanminus --bottle-tag monterey
==> Downloading https://ghcr.io/v2/homebrew/core/cpanminus/blobs/sha256:f20737479b4b5d7d2945aa09b8b25e91d09205725b2a0a3858a37c1eeb282f92
###################################################################################################################################################### 100.0%
Error: Failed to verify cpanminus--1.7047.monterey.bottle.tar.gz with tag monterey due to error:

no attestation matches subject: 715cc29abc1757470860a4ad0acb9d07701ef8c46399c905353954df33d5b769--cpanminus--1.7047.monterey.bottle.tar.gz

I'm triggering a rebottle to fix it now.
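The "no attestation matches subject" failure above is mechanically simple: the verifier hashes the downloaded bottle and looks for an attestation whose in-toto subject digest equals that hash, so a bottle that was never attested (or whose bytes differ from the attested ones) cannot match. The following is an added example, not Homebrew's or gh's code, that models that lookup offline. The bottle bytes, the attestation list and the signer_repo field are constructed; in the real flow the repository identity is taken from the Sigstore signing certificate that `gh attestation verify --repo` checks, not from a plain field.

```python
import hashlib
import json

# Constructed stand-ins for a downloaded bottle and its cache file name. The
# subject name in Homebrew's error is the cached file name; the value gh actually
# matches on is the SHA-256 of the file contents.
BOTTLE_BYTES = b"constructed bottle payload: cpanminus 1.7047 monterey"
BOTTLE_NAME = "cpanminus--1.7047.monterey.bottle.tar.gz"
EXPECTED_REPO = "Homebrew/homebrew-core"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the form used in in-toto subject digests."""
    return hashlib.sha256(data).hexdigest()


def make_attestation(name: str, data: bytes, signer_repo: str) -> dict:
    """Produce a minimal in-toto Statement (v1) for `data` together with the
    repository the attestation claims to come from. Assumption: signer_repo is a
    plain field here only to keep the example offline; the real system derives it
    from the Sigstore signing certificate."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(data)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {},  # build details are not needed for subject matching
    }
    return {"statement": json.dumps(statement), "signer_repo": signer_repo}


def verify_bottle(data: bytes, name: str, attestations: list, expected_repo: str) -> tuple:
    """Mirror the two outcomes seen in this thread: no attestation whose subject
    digest equals the file digest ("no attestation matches subject"), or a match
    that was not produced by the expected repository."""
    digest = sha256_hex(data)
    matched = [
        att for att in attestations
        if any(subj["digest"].get("sha256") == digest
               for subj in json.loads(att["statement"])["subject"])
    ]
    if not matched:
        return False, f"no attestation matches subject: {name}"
    if not any(att["signer_repo"] == expected_repo for att in matched):
        return False, f"attestation for {name} was not produced by {expected_repo}"
    return True, f"{name} has a valid attestation"


def demo() -> dict:
    """Run the three cases: attested bottle, bytes nobody attested, wrong signer."""
    good = make_attestation(BOTTLE_NAME, BOTTLE_BYTES, EXPECTED_REPO)
    foreign = make_attestation(BOTTLE_NAME, BOTTLE_BYTES, "someone-else/homebrew-fork")
    unattested = BOTTLE_BYTES + b"\n"  # e.g. a bottle the backfill skipped
    return {
        "attested": verify_bottle(BOTTLE_BYTES, BOTTLE_NAME, [good], EXPECTED_REPO),
        "missing": verify_bottle(unattested, BOTTLE_NAME, [good], EXPECTED_REPO),
        "wrong_repo": verify_bottle(BOTTLE_BYTES, BOTTLE_NAME, [foreign], EXPECTED_REPO),
    }


if __name__ == "__main__":
    for case, (ok, message) in demo().items():
        print(f"{case:10} ok={ok} {message}")
```

Because the match is on the content digest, rebuilding a bottle without publishing a fresh attestation produces exactly the "missing" outcome, which is why the fix in this thread is a rebottle rather than a re-signature of the old file.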

ZhongRuoyu pushed a commit to chenrui333/brew that referenced this issue Aug 13, 2024
@andrioli

I'm facing this issue with pass.

Here the output when trying to install on macOS Monterey:

 brew install pass
==> Downloading https://formulae.brew.sh/api/formula.jws.json
####################################################################################################################################################### 100.0%
==> Downloading https://formulae.brew.sh/api/cask.jws.json
####################################################################################################################################################### 100.0%
==> Downloading https://ghcr.io/v2/homebrew/core/pass/manifests/1.7.4
Already downloaded: /Users/raraujo/Library/Caches/Homebrew/downloads/260588ef35ce97fb9455eadd2fa605c0af26dd2d53a534d18bb5334e887bfdc6--pass-1.7.4.bottle_manifest.json
==> Fetching pass
==> Downloading https://ghcr.io/v2/homebrew/core/pass/blobs/sha256:d667e58dae216055777c9780d522b68c6868d7b23f9f712c09c29b1daf215b35
Already downloaded: /Users/raraujo/Library/Caches/Homebrew/downloads/f6f65aad4c36d5c1eb50c70b3db88bc9f25e2c1a3f00f7fe278d108ea3f5ad4e--pass--1.7.4.monterey.bottle.tar.gz
==> Verifying attestation for pass
Error: The bottle for pass has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

no attestation matches subject: f6f65aad4c36d5c1eb50c70b3db88bc9f25e2c1a3f00f7fe278d108ea3f5ad4e--pass--1.7.4.monterey.bottle.tar.gz

@woodruffw
Member

woodruffw commented Aug 20, 2024

Thanks @andrioli. I can confirm this bug -- it looks like we accidentally skipped pass's old bottles during the attestation backfill. I'm triggering a rebottle to fix it now.

Edit: Dispatched: https://github.com/Homebrew/homebrew-core/actions/runs/10474173618

Edit 2: Rebottle failed due to an upstream checksum change. Triaging this with the upstream now.

Edit 3: The bottle build has been corrected and the rebottle has completed.

@woodruffw
Member

@maxbritto Please provide the full error you're seeing, like with other responses in this thread! It's much harder to triage the exact underlying cause if I don't know why the attestation failed.

@andrioli

andrioli commented Aug 20, 2024

> Rebottle failed due to an upstream checksum change. Triaging this with the upstream now.

@woodruffw this is weird. Is there any open issue to tackle this with upstream?

No new releases in 3 years:
[screenshot omitted]

And the checksums for the last two versions didn't match

~/Downloads ➜ sha256sum password-store-1.7.*
007816862dd8a2668842bf43b4e98c4c9b5aeaf7a868e101075dfd91eb657bb4  password-store-1.7.3.tar.xz
4c2d0a8b99df8915a87099607a8d912fd05d30651b6f014745c14e4ca8dbbfb7  password-store-1.7.4.tar.xz

Compare with the values of this commit.

Edit: Just wondering, maybe cgit is generating those source bundles (.tar.xz) at runtime and something changed there!

@woodruffw
Member

@andrioli Yep -- see #181795 for the results of our triage on this.

TL;DR the digest change was caused by a git archive change most likely, which has been a source of digest stability problems in the past. We confirmed that no files within the archive actually changed, nor did the underlying .tar container, only the compression layer.

@maxbritto

> @maxbritto Please provide the full error you're seeing, like with other responses in this thread! It's much harder to triage the exact underlying cause if I don't know why the attestation failed.

Sorry, I removed my post a few seconds after posting it; you were too fast :) I needed to upgrade gh (brew upgrade gh) and then it worked.

@tdsmith
Contributor

tdsmith commented Aug 27, 2024

A colleague ran into an issue running brew upgrade when an older, non-Homebrew gh (from our conda monorepo package set) without an attestation subcommand was first on PATH.

He received the message:

==> Verifying attestation for ca-certificates
Error: The bottle for ca-certificates has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** GH_HOST=github.com /Users/.../current/abcd/.conda/bin/gh attestation verify /Users/.../Library/Caches/Homebrew/downloads/9af01538d558e40dd9cf236c9e9d04f265bd12b0e10d9ee3881ca667e043acd9--ca-certificates--2024-07-02.all.bottle.tar.gz --repo Homebrew/homebrew-core --format json` exited with 1. Here's the output:
unknown command "attestation" for "gh"

Deactivating our monorepo (i.e. removing the foreign gh from PATH) allowed the upgrade to succeed.

Please let me know if more context would be helpful!

@jalavosus

@woodruffw Since this issue is still open, hoping you could take a look into lz4:

==> Upgrading lz4
  1.9.4 -> 1.10.0 
==> Verifying attestation for lz4
Error: The bottle for lz4 has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** GH_HOST=github.com /usr/local/bin/gh attestation verify /Users/james/Library/Caches/Homebrew/downloads/2dd0dd84b1009e5f0bd351bad100f4cb013c8d9887234b63777c2430fe6d9007--lz4--1.10.0.monterey.bottle.1.tar.gz --repo Homebrew/homebrew-core --format json` exited with 1. Here's the output:
Failed to verify the artifact: failed to fetch attestations for subject: sha256:f78cc448808d04a0c31b108d7da962020e062179e29c7d0a2303db7866d8e449

I've run gh auth login (which ended up being a good thing, the CLI was disconnected from GH for a while) and re-run brew update + brew upgrade.

OS version: macOS 12.6 (21G115)
brew --version output:

Homebrew 4.3.18-79-g76543a9
Homebrew/homebrew-core (git revision 9d56b5acf0c; last commit 2024-08-30)
Homebrew/homebrew-cask (git revision 8aec80d8bf0; last commit 2024-08-30)

@laytan
Contributor

laytan commented Sep 4, 2024

I am seeing a 404 error installing lm-sensors:

$ brew --version
Homebrew 4.3.19-40-g9659b57
Homebrew/homebrew-cask (git revision 348fb7496b2; last commit 2024-09-04)

$ brew install lm-sensors
==> Downloading https://ghcr.io/v2/homebrew/core/lm-sensors/manifests/3.6.0
Already downloaded: /home/laytan/.cache/Homebrew/downloads/8cdb949c52dc07e99e98df315647bbf6d80b93993283087caf5c49f93f98c811--lm-sensors-3.6.0.bottle_manifest.json
==> Fetching lm-sensors
==> Downloading https://ghcr.io/v2/homebrew/core/lm-sensors/blobs/sha256:9cab2dd7da319a2eda20dffe27d52292f3e66926
Already downloaded: /home/laytan/.cache/Homebrew/downloads/254371a742c8eff51baccc13ed195f25e5ba0c1c1a3963ebca9d7328ef0ca4bf--lm-sensors--3.6.0.x86_64_linux.bottle.tar.gz
==> Verifying attestation for lm-sensors
Error: The bottle for lm-sensors has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation not found: Failure while executing; `/usr/bin/env GH_TOKEN=****** GH_HOST=github.com /usr/bin/gh attestation verify /home/laytan/.cache/Homebrew/downloads/254371a742c8eff51baccc13ed195f25e5ba0c1c1a3963ebca9d7328ef0ca4bf--lm-sensors--3.6.0.x86_64_linux.bottle.tar.gz --repo trailofbits/homebrew-brew-verify --format json` exited with 1. Here's the output:

Error: failed to fetch attestations from trailofbits/homebrew-brew-verify: HTTP 404: Not Found (https://api.github.com/repos/trailofbits/homebrew-brew-verify/attestations/sha256:9cab2dd7da319a2eda20dffe27d52292f3e66926fabba8ac1f2204fa0885af3d?per_page=30)

@woodruffw
Member

woodruffw commented Sep 4, 2024

Sorry for the delay here.

> Deactivating our monorepo (i.e. removing the foreign gh from PATH) allowed the upgrade to succeed.

Thanks @tdsmith, this is useful! I'll look at making more fixes to the precedence of the discovered gh (I could have sworn we only use the brewed gh, but there may be edge cases).

@jalavosus could you attempt to reproduce this again? I'm unable to reproduce this locally:

$ brew verify lz4 --bottle-tag=monterey
==> Downloading https://ghcr.io/v2/homebrew/core/lz4/blobs/sha256:f78cc448808d04a0c31b108d7da962020e062179e29c7d0a2303db7866d8e449
###################################################################################################################################################### 100.0%
==> lz4--1.10.0.monterey.bottle.1.tar.gz has a valid attestation

@laytan thanks, I can confirm that this one is missing an attestation. I'll dispatch a rebottle now.

Edit: dispatched: https://github.com/Homebrew/homebrew-core/actions/runs/10704760272

Edit 2: Done.

ctaintor pushed a commit to ctaintor/brew that referenced this issue Sep 4, 2024
@GV14982

GV14982 commented Sep 12, 2024

Hi, I'm getting this error when installing docker-completion:

❯ brew install docker-completion
==> Downloading https://formulae.brew.sh/api/formula.jws.json
############################################################################################################################################# 100.0%
==> Downloading https://formulae.brew.sh/api/cask.jws.json

==> Downloading https://ghcr.io/v2/homebrew/core/docker-completion/manifests/27.2.1
Already downloaded: /Users/gvqz/Library/Caches/Homebrew/downloads/9367c959881a99177bc7ba3102e4296be97dffb50244787892a84f8da6d62095--docker-completion-27.2.1.bottle_manifest.json
==> Fetching docker-completion
==> Downloading https://ghcr.io/v2/homebrew/core/docker-completion/blobs/sha256:4d749c41af20db8f943d3415cf57d55cc932f3301af10aca65cf8cda90e67b23
Already downloaded: /Users/gvqz/Library/Caches/Homebrew/downloads/fd870c24d58b2f79315a896753b873cb0fbc6d57ff79f4d5185df8d348766c18--docker-completion--27.2.1.all.bottle.tar.gz
==> Verifying attestation for docker-completion
Error: The bottle for docker-completion has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** GH_HOST=github.com /opt/homebrew/bin/gh attestation verify /Users/gvqz/Library/Caches/Homebrew/downloads/fd870c24d58b2f79315a896753b873cb0fbc6d57ff79f4d5185df8d348766c18--docker-completion--27.2.1.all.bottle.tar.gz --repo Homebrew/homebrew-core --format json` exited with 1. Here's the output:
Failed to verify the artifact: failed to fetch attestations for subject: sha256:4d749c41af20db8f943d3415cf57d55cc932f3301af10aca65cf8cda90e67b23

I have refreshed my gh cli token, but still get the same issue.

@woodruffw
Member

woodruffw commented Sep 12, 2024

Thanks for the report @GV14982. I'm currently unable to reproduce this:

$ brew verify docker-completion
==> Downloading https://ghcr.io/v2/homebrew/core/docker-completion/blobs/sha256:4d749c41af20db8f943d3415cf57d55cc932f3301af10aca65cf8cda90e67b23
############################################################################################################################################################# 100.0%
==> docker-completion--27.2.1.all.bottle.tar.gz has a valid attestation

Could you confirm that your local brew installation is up-to-date?

@GV14982

GV14982 commented Sep 12, 2024

Here is the output from running brew update:

❯ brew update
==> Updating Homebrew...
==> Updated Homebrew from 9042eb9347 to fd7f2bb3b1.
No changes to formulae or casks.

And brew -v

❯ brew -v
Homebrew 4.3.21-4-gfd7f2bb

@thomaswitt

thomaswitt commented Sep 13, 2024

Same problems here with libxml2, ripgrep, [email protected], ollama, etc… (brew update & brew upgrade run)

==> Upgrading ollama
  0.3.9 -> 0.3.10
==> Verifying attestation for ollama
Error: The bottle for ollama has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** GH_HOST=github.com /opt/homebrew/bin/gh attestation verify /Users/thomas/Library/Caches/Homebrew/downloads/4f1ea492d5a0182cac71715ef4278cce9759dc013bad9e742a07ff8ed5f3a829--ollama--0.3.10.arm64_sonoma.bottle.tar.gz --repo Homebrew/homebrew-core --format json` exited with 1. Here's the output:

Error: failed to find recognized issuer from bundle content: failed to create Public Good Sigstore verifier: failed to create TUF client: tuf refresh failed: Get "https://tuf-repo-cdn.sigstore.dev/10.root.json": dial tcp 127.0.0.1:443: connect: connection refused

@rlucas7

rlucas7 commented Sep 25, 2024

@woodruffw thanks for all your work on this one. I didn't see the wget bottle provenance mentioned (did a ctrl-f search). I encountered this today via initially seeing an error on wget which necessitated an upgrade to wget.

Lucass-MacBook:smarter rlucas$ brew install wget
 
==> Downloading https://ghcr.io/v2/homebrew/core/wget/manifests/1.24.5
Already downloaded: /Users/rlucas/Library/Caches/Homebrew/downloads/885bce6d1c81de373d8479681e3ccbb748be9eca29a8a3b3c95e6479a98458bd--wget-1.24.5.bottle_manifest.json
==> Fetching wget
==> Downloading https://ghcr.io/v2/homebrew/core/wget/blobs/sha256:1b7e2f76c90553543a5e25dadf031c6fcfe280f52bf27d89e04006f9d33fd20b
Already downloaded: /Users/rlucas/Library/Caches/Homebrew/downloads/a69f6815965ac498390ce6a33fa2b0f3f67a970097aa33e329f401a79698e073--wget--1.24.5.ventura.bottle.tar.gz
==> Verifying attestation for wget
Error: The bottle for wget has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:
... output elided...

I confirmed that I did not have a gh token set in my env vars and then did the gh auth login workflow via the gh CLI using the SSH protocol (and an SSH key). After authenticating via the gh CLI I still received the attestation error whilst attempting to update wget. I then did:

HOMEBREW_NO_VERIFY_ATTESTATIONS=1 brew install wget

and this works for me:

Lucass-MacBook:~ rlucas$ gh auth status
github.com
  ✓ Logged in to github.com account rlucas7 (keyring)
  - Active account: true
  - Git operations protocol: ssh
  - Token: gho_************************************
  - Token scopes: 'admin:public_key', 'gist', 'read:org', 'repo'
Lucass-MacBook:~ rlucas$ HOMEBREW_NO_VERIFY_ATTESTATIONS=1 brew install wget
==> Downloading https://ghcr.io/v2/homebrew/core/wget/manifests/1.24.5
Already downloaded: /Users/rlucas/Library/Caches/Homebrew/downloads/885bce6d1c81de373d8479681e3ccbb748be9eca29a8a3b3c95e6479a98458bd--wget-1.24.5.bottle_manifest.json
==> Fetching wget
==> Downloading https://ghcr.io/v2/homebrew/core/wget/blobs/sha256:1b7e2f76c90553543a5e25dadf031c6fcfe280f52bf27d89e04006f9d33fd20b
Already downloaded: /Users/rlucas/Library/Caches/Homebrew/downloads/a69f6815965ac498390ce6a33fa2b0f3f67a970097aa33e329f401a79698e073--wget--1.24.5.ventura.bottle.tar.gz
==> Pouring wget--1.24.5.ventura.bottle.tar.gz
🍺  /usr/local/Cellar/wget/1.24.5: 92 files, 4.5MB
==> Running `brew cleanup wget`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
==> `brew cleanup` has not been run in the last 30 days, running now...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).

LMK if you need more info to help root cause things.

@woodruffw
Member

woodruffw commented Sep 25, 2024

Thanks @rlucas7. Could you please provide the logging information that you elided here? I need that information to triage this.

> Additional context:
> ... output elided...

Edit: for context, I'm unable to reproduce this with the ventura tag for wget:

$ brew verify wget --bottle-tag=ventura
==> Downloading https://ghcr.io/v2/homebrew/core/wget/blobs/sha256:1b7e2f76c90553543a5e25dadf031c6fcfe280f52bf27d89e04006f9d33fd20b
###################################################################################################################################################### 100.0%
==> wget--1.24.5.ventura.bottle.tar.gz has a valid attestation

@rlucas7

rlucas7 commented Sep 25, 2024

> Thanks @rlucas7. Could you please provide the logging information that you elided here? I need that information to triage this.
>
> Additional context:
> ... output elided...
>
> Edit: for context, I'm unable to reproduce this with the ventura tag for wget:
>
> $ brew verify wget --bottle-tag=ventura
> ==> Downloading https://ghcr.io/v2/homebrew/core/wget/blobs/sha256:1b7e2f76c90553543a5e25dadf031c6fcfe280f52bf27d89e04006f9d33fd20b
> ###################################################################################################################################################### 100.0%
> ==> wget--1.24.5.ventura.bottle.tar.gz has a valid attestation

yep, apologies for omitting here it is:

Additional context:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** GH_HOST=github.com /usr/local/bin/gh attestation verify /Users/rlucas/Library/Caches/Homebrew/downloads/a69f6815965ac498390ce6a33fa2b0f3f67a970097aa33e329f401a79698e073--wget--1.24.5.ventura.bottle.tar.gz --repo Homebrew/homebrew-core --format json` exited with 1. Here's the output:
unknown command "attestation" for "gh"

Usage:  gh <command> <subcommand> [flags]

Available commands:
  alias
  api
  auth
  browse
  cache
  co
  codespace
  completion
  config
  extension
  gist
  gpg-key
  issue
  label
  org
  pr
  project
  release
  repo
  ruleset
  run
  search
  secret
  ssh-key
  status
  variable
  workflow

In case you want/need this I'm using

Lucass-MacBook:data rlucas$ gh --version
gh version 2.42.1 (2024-01-15)
https://github.com/cli/cli/releases/tag/v2.42.1
Lucass-MacBook:data rlucas$ 

Also FWIW I'm on ventura 13.6.7

@woodruffw
Member

Thanks, that's helpful! That looks like a case of your gh being too old; we used to detect that, but doing so reliably is somewhat challenging. Could you try brew update && brew upgrade gh and see if that resolves the problem?
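By this point the thread has surfaced four distinct causes behind the same "invalid build provenance attestation" banner: a stale credential (HTTP 401, including a forgotten HOMEBREW_GITHUB_API_TOKEN that outranks the gh token), a gh binary without the attestation subcommand (too old, or a foreign gh first on PATH), a bottle with no attestation for its digest, and a verifier that cannot reach the Sigstore TUF repository. They can be told apart from the "Additional context" text alone. The following is an added example, not Homebrew code, that classifies that text and extracts which gh binary was actually executed; the sample messages are constructed abbreviations of the reports above (paths and hashes replaced), and BREWED_GH_DIRS is an assumption about the default Homebrew prefixes.

```python
import re
from dataclasses import dataclass

# Directories whose gh is the brewed one (assumption: the three default Homebrew
# prefixes; adjust for a custom HOMEBREW_PREFIX). A brewed gh can still be too
# old, as the 2.42.1 -> 2.57.0 upgrade in this thread shows.
BREWED_GH_DIRS = ("/usr/local/bin", "/opt/homebrew/bin", "/home/linuxbrew/.linuxbrew/bin")


@dataclass(frozen=True)
class Triage:
    cause: str
    next_step: str


# Ordered rules; the first pattern that matches wins. The patterns are substrings
# of the error messages reported in this thread.
RULES = [
    (r"HTTP 401: Bad credentials",
     Triage("stale or invalid GitHub credential",
            "run `gh auth login`; unset a stale HOMEBREW_GITHUB_API_TOKEN, which takes priority over the gh token")),
    (r'unknown command "attestation" for "gh"',
     Triage("gh lacks the attestation subcommand (too old, or a foreign gh first on PATH)",
            "run `brew upgrade gh` and make sure the brewed gh is found first on PATH")),
    (r"no attestation matches subject|HTTP 404: Not Found|failed to fetch attestations for subject",
     Triage("no attestation found for this bottle digest",
            "re-check with `brew verify <formula> --bottle-tag=<tag>`; if it reproduces, report formula and tag so the bottle can be rebuilt")),
    (r"tuf refresh failed|dial tcp \S+: connect: connection refused",
     Triage("verifier could not reach the Sigstore TUF repository",
            "check network, proxy and DNS before suspecting the bottle")),
]

UNCLASSIFIED = Triage("unclassified",
                      "report the full 'Additional context' block, including the text after \"Here's the output:\"")

# The gh path sits between the env assignments and "attestation verify" in the quoted command.
GH_PATH_RE = re.compile(r"(\S+/gh) attestation verify")


def triage(output: str) -> Triage:
    """Map the 'Additional context' text of a failed verification to a cause."""
    for pattern, result in RULES:
        if re.search(pattern, output):
            return result
    return UNCLASSIFIED


def gh_binary(output: str):
    """Path of the gh that Homebrew actually executed, or None if not quoted."""
    match = GH_PATH_RE.search(output)
    return match.group(1) if match else None


def gh_is_brewed(path: str) -> bool:
    """True when gh lives in one of the Homebrew bin directories."""
    return path.rsplit("/", 1)[0] in BREWED_GH_DIRS


# Constructed samples abbreviated from the reports above (paths and hashes replaced).
SAMPLES = {
    "stale_token": (
        "attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** "
        "/usr/local/bin/gh attestation verify /tmp/x--nano--8.1.sonoma.bottle.tar.gz "
        "--repo trailofbits/homebrew-brew-verify --format json` exited with 1. Here's the output:\n"
        "Error: failed to fetch attestations from trailofbits/homebrew-brew-verify: HTTP 401: Bad credentials"),
    "foreign_gh": (
        "attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** "
        "GH_HOST=github.com /Users/someone/.conda/bin/gh attestation verify "
        "/tmp/x--ca-certificates--2024-07-02.all.bottle.tar.gz --repo Homebrew/homebrew-core "
        "--format json` exited with 1. Here's the output:\nunknown command \"attestation\" for \"gh\""),
    "missing": "no attestation matches subject: x--cpanminus--1.7047.monterey.bottle.tar.gz",
    "tuf": ("Error: failed to find recognized issuer from bundle content: failed to create TUF client: "
            "tuf refresh failed: Get \"https://tuf-repo-cdn.sigstore.dev/10.root.json\": "
            "dial tcp 127.0.0.1:443: connect: connection refused"),
}


def triage_samples() -> dict:
    """Cause per sample plus whether the executed gh was brewed (None if not visible)."""
    report = {}
    for label, text in SAMPLES.items():
        path = gh_binary(text)
        report[label] = (triage(text).cause, gh_is_brewed(path) if path else None)
    return report


if __name__ == "__main__":
    for label, (cause, brewed) in triage_samples().items():
        print(f"{label:12} cause={cause!r} brewed_gh={brewed}")
```

The rule order matters: the 401 and "unknown command" cases are environment problems on the client and should be resolved before anyone concludes that a bottle is missing its attestation, which is the only outcome that needs a maintainer to rebottle.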

@rlucas7

rlucas7 commented Sep 25, 2024

> brew upgrade gh

Yes. I had already installed via HOMEBREW_NO_VERIFY_ATTESTATIONS=1 (mentioned in my comment above), so I uninstalled and confirmed I could reproduce the error on install of wget. Then updating the gh CLI tool and reinstalling worked fine. The brew upgrade gh bumped the version from 2.42.1 -> 2.57.0 to fix this issue.

Thanks @woodruffw 👍

bash stuff for posterity

Lucass-MacBook:1 rlucas$ brew uninstall wget
Uninstalling /usr/local/Cellar/wget/1.24.5... (92 files, 4.5MB)

Warning: The following may be wget configuration files and have not been removed!
If desired, remove them manually with rm -rf:
/usr/local/etc/wgetrc
Lucass-MacBook:1 rlucas$ which wget
Lucass-MacBook:1 rlucas$ brew install wget
==> Auto-updating Homebrew...
Adjust how often this is run with HOMEBREW_AUTO_UPDATE_SECS or disable with
HOMEBREW_NO_AUTO_UPDATE. Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
==> Auto-updated Homebrew!
==> Updated Homebrew from 2f2ca82035 to 465a7352f3.
No changes to formulae or casks.

==> Downloading https://ghcr.io/v2/homebrew/core/wget/manifests/1.24.5
Already downloaded: /Users/rlucas/Library/Caches/Homebrew/downloads/885bce6d1c81de373d8479681e3ccbb748be9eca29a8a3b3c95e6479a98458bd--wget-1.24.5.bottle_manifest.json
==> Fetching wget
==> Downloading https://ghcr.io/v2/homebrew/core/wget/blobs/sha256:1b7e2f76c90553543a5e25dadf031c6fcfe280f52bf27d89e04006f9d33fd20b
Already downloaded: /Users/rlucas/Library/Caches/Homebrew/downloads/a69f6815965ac498390ce6a33fa2b0f3f67a970097aa33e329f401a79698e073--wget--1.24.5.ventura.bottle.tar.gz
==> Verifying attestation for wget
Error: The bottle for wget has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** GH_HOST=github.com /usr/local/bin/gh attestation verify /Users/rlucas/Library/Caches/Homebrew/downloads/a69f6815965ac498390ce6a33fa2b0f3f67a970097aa33e329f401a79698e073--wget--1.24.5.ventura.bottle.tar.gz --repo Homebrew/homebrew-core --format json` exited with 1. Here's the output:
unknown command "attestation" for "gh"

Usage:  gh <command> <subcommand> [flags]

Available commands:
alias
api
auth
browse
cache
co
codespace
completion
config
extension
gist
gpg-key
issue
label
org
pr
project
release
repo
ruleset
run
search
secret
ssh-key
status
variable
workflow

Lucass-MacBook:1 rlucas$ brew upgrade gh
==> Upgrading 1 outdated package:
gh 2.42.1 -> 2.57.0
==> Downloading https://ghcr.io/v2/homebrew/core/gh/manifests/2.57.0
####################################################################################################################################### 100.0%
==> Fetching gh
==> Downloading https://ghcr.io/v2/homebrew/core/gh/blobs/sha256:ee67b4ecaf27b815f29ae80c82388a4fb43254ba2c9ca840795fe05404e04814
####################################################################################################################################### 100.0%
==> Upgrading gh
2.42.1 -> 2.57.0
==> Pouring gh--2.57.0.ventura.bottle.tar.gz
==> Caveats
Bash completion has been installed to:
/usr/local/etc/bash_completion.d
==> Summary
🍺 /usr/local/Cellar/gh/2.57.0: 201 files, 40.5MB
==> Running `brew cleanup gh`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
Removing: /usr/local/Cellar/gh/2.42.1... (192 files, 43.6MB)
Lucass-MacBook:1 rlucas$ brew install wget
==> Downloading https://ghcr.io/v2/homebrew/core/wget/manifests/1.24.5
Already downloaded: /Users/rlucas/Library/Caches/Homebrew/downloads/885bce6d1c81de373d8479681e3ccbb748be9eca29a8a3b3c95e6479a98458bd--wget-1.24.5.bottle_manifest.json
==> Fetching wget
==> Downloading https://ghcr.io/v2/homebrew/core/wget/blobs/sha256:1b7e2f76c90553543a5e25dadf031c6fcfe280f52bf27d89e04006f9d33fd20b
Already downloaded: /Users/rlucas/Library/Caches/Homebrew/downloads/a69f6815965ac498390ce6a33fa2b0f3f67a970097aa33e329f401a79698e073--wget--1.24.5.ventura.bottle.tar.gz
==> Verifying attestation for wget
==> Pouring wget--1.24.5.ventura.bottle.tar.gz
🍺 /usr/local/Cellar/wget/1.24.5: 92 files, 4.5MB
==> Running `brew cleanup wget`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
Lucass-MacBook:1 rlucas$

@101Dude

101Dude commented Oct 10, 2024

Have the same issue with the wakeonlan bottle.

I added notes to the closed issue above

I was able to install by using export HOMEBREW_NO_VERIFY_ATTESTATIONS=1 in my session and then brew install wakeonlan
