attestation: handle multiple subjects

This should fix the behavior observed in Homebrew/homebrew-core#177384 (comment) and below. Signed-off-by: William Woodruff <[email protected]>
Homebrew · Dec 5, 2024 · e5d47f8 · e5d47f8
1 parent eb23509
commit e5d47f8
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/Library/Homebrew/attestation.rb b/Library/Homebrew/attestation.rb
@@ -164,7 +164,10 @@ def self.check_attestation(bottle, signing_repo, signing_workflow = nil, subject
 
       # `gh attestation verify` returns a JSON array of one or more results,
       # for all attestations that match the input's digest. We want to additionally
-      # filter these down to just the attestation whose subject matches the bottle's name.
+      # filter these down to just the attestation whose subject(s) contain the bottle's name.
+      # As of 2024-12-04 GitHub's Artifact Attestation feature can put multiple subjects
+      # in a single attestation, so we check every subject in each attestation
+      # and select the first attestation with a matching subject.
       subject = bottle.filename.to_s if subject.blank?
 
       attestation = if bottle.tag.to_sym == :all
@@ -175,12 +178,15 @@ def self.check_attestation(bottle, signing_repo, signing_workflow = nil, subject
         # This is sound insofar as the signature has already been verified. However,
         # longer term, we should also directly attest to `:all`-tagged bottles.
         attestations.find do |a|
-          actual_subject = a.dig("verificationResult", "statement", "subject", 0, "name")
-          actual_subject.start_with? "#{bottle.filename.name}--#{bottle.filename.version}"
+          candidate_subjects = a.dig("verificationResult", "statement", "subject")
+          candidate_subjects.any? do |candidate|
+            candidate["name"].start_with? "#{bottle.filename.name}--#{bottle.filename.version}"
+          end
         end
       else
         attestations.find do |a|
-          a.dig("verificationResult", "statement", "subject", 0, "name") == subject
+          candidate_subjects = a.dig("verificationResult", "statement", "subject")
+          candidate_subjects.any? { |candidate| candidate["name"] == subject }
         end
       end