attestation: handle multiple subjects

Library/Homebrew/attestation.rb

@@ -164,7 +164,12 @@ def self.check_attestation(bottle, signing_repo, signing_workflow = nil, subject
 
       # `gh attestation verify` returns a JSON array of one or more results,
       # for all attestations that match the input's digest. We want to additionally
-      # filter these down to just the attestation whose subject matches the bottle's name.
+      # filter these down to just the attestation whose subject(s) contain the bottle's name.
+      # As of 2024-12-04 GitHub's Artifact Attestation feature can put multiple subjects
+      # in a single attestation, so we check every subject in each attestation
+      # and select the first attestation with a matching subject.
+      # In particular, this happens with v2.0.0 and later of the
+      # `actions/attest-build-provenance` action.
       subject = bottle.filename.to_s if subject.blank?
 
       attestation = if bottle.tag.to_sym == :all
@@ -175,12 +180,15 @@ def self.check_attestation(bottle, signing_repo, signing_workflow = nil, subject
         # This is sound insofar as the signature has already been verified. However,
         # longer term, we should also directly attest to `:all`-tagged bottles.
         attestations.find do |a|
-          actual_subject = a.dig("verificationResult", "statement", "subject", 0, "name")
-          actual_subject.start_with? "#{bottle.filename.name}--#{bottle.filename.version}"
+          candidate_subjects = a.dig("verificationResult", "statement", "subject")
+          candidate_subjects.any? do |candidate|
+            candidate["name"].start_with? "#{bottle.filename.name}--#{bottle.filename.version}"
+          end
         end
       else
         attestations.find do |a|
-          a.dig("verificationResult", "statement", "subject", 0, "name") == subject
+          candidate_subjects = a.dig("verificationResult", "statement", "subject")
+          candidate_subjects.any? { |candidate| candidate["name"] == subject }
         end
       end
 

Library/Homebrew/test/attestation_spec.rb

@@ -34,6 +34,15 @@
                       } },
                     ]))
   end
+  let(:fake_result_json_resp_multi_subject) do
+    instance_double(SystemCommand::Result,
+                    stdout: JSON.dump([
+                      { verificationResult: {
+                        verifiedTimestamps: [{ timestamp: "2024-03-13T00:00:00Z" }],
+                        statement:          { subject: [{ name: "nonsense" }, { name: fake_bottle_filename.to_s }] },
+                      } },
+                    ]))
+  end
   let(:fake_result_json_resp_backfill) do
     digest = Digest::SHA256.hexdigest(fake_bottle_url)
     instance_double(SystemCommand::Result,
@@ -234,6 +243,17 @@
       described_class.check_core_attestation fake_bottle
     end
 
+    it "calls gh with args for homebrew-core and handles a multi-subject attestation" do
+      expect(described_class).to receive(:system_command!)
+        .with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",
+                              described_class::HOMEBREW_CORE_REPO, "--format", "json"],
+              env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds],
+              print_stderr: false, chdir: HOMEBREW_TEMP)
+        .and_return(fake_result_json_resp_multi_subject)
+
+      described_class.check_core_attestation fake_bottle
+    end
+
     it "calls gh with args for backfill when homebrew-core attestation is missing" do
       expect(described_class).to receive(:system_command!)
         .with(fake_gh, args: ["attestation", "verify", cached_download, "--repo",