Merge pull request #18543 from Homebrew/ww/gh-incompatible

attestation: specialize error on incompatible gh
Homebrew · Oct 10, 2024 · 587949b · 587949b
2 parents bdb9ed0 + 0613050
commit 587949b
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/Library/Homebrew/attestation.rb b/Library/Homebrew/attestation.rb
@@ -52,6 +52,12 @@ class GhAuthNeeded < RuntimeError; end
     # @api private
     class GhAuthInvalid < RuntimeError; end
 
+    # Raised if attestation verification cannot continue due to `gh`
+    # being incompatible with attestations, typically because it's too old.
+    #
+    # @api private
+    class GhIncompatible < RuntimeError; end
+
     # Returns whether attestation verification is enabled.
     #
     # @api private
@@ -136,6 +142,10 @@ def self.check_attestation(bottle, signing_repo, signing_workflow = nil, subject
                                  env: { "GH_TOKEN" => credentials, "GH_HOST" => "github.com" },
                                  secrets: [credentials], print_stderr: false, chdir: HOMEBREW_TEMP)
       rescue ErrorDuringExecution => e
+        if e.status.exitstatus == 1 && e.stderr.include?("unknown command")
+          raise GhIncompatible, "gh CLI is incompatible with attestations"
+        end
+
         # Even if we have credentials, they may be invalid or malformed.
         if e.status.exitstatus == 4 || e.stderr.include?("HTTP 401: Bad credentials")
           raise GhAuthInvalid, "invalid credentials"

diff --git a/Library/Homebrew/formula_installer.rb b/Library/Homebrew/formula_installer.rb
@@ -1343,6 +1343,21 @@ def pour
       ohai "Verifying attestation for #{formula.name}"
       begin
         Homebrew::Attestation.check_core_attestation T.must(formula.bottle)
+      rescue Homebrew::Attestation::GhIncompatible
+        # A small but significant number of users have developer mode enabled
+        # but *also* haven't upgraded in a long time, meaning that their `gh`
+        # version is too old to perform attestations.
+        raise CannotInstallFormulaError, <<~EOS
+          The bottle for #{formula.name} could not be verified.
+
+          This typically indicates an outdated or incompatible `gh` CLI.
+
+          Please confirm that you're running the latest version of `gh`
+          by performing an upgrade before retrying:
+
+            brew update
+            brew upgrade gh
+        EOS
       rescue Homebrew::Attestation::GhAuthInvalid
         # Only raise an error if we explicitly opted-in to verification.
         raise CannotInstallFormulaError, <<~EOS if Homebrew::EnvConfig.verify_attestations?