[TRIAGE] The bottle for $foo has an invalid build provenance attestation #177384

Closed
@noelleleigh

Description

brew gist-logs <formula> link OR brew config AND brew doctor output

brew config

HOMEBREW_VERSION: 4.3.9-227-gd4f808f
ORIGIN: https://github.com/Homebrew/brew
HEAD: d4f808ffb56cf47d8ee96b973bb15afd48cf8ba2
Last commit: 14 minutes ago
Core tap JSON: 15 Jul 13:58 UTC
Core cask tap JSON: 15 Jul 13:58 UTC
HOMEBREW_PREFIX: /usr/local
HOMEBREW_CASK_OPTS: []
HOMEBREW_EDITOR: code
HOMEBREW_MAKE_JOBS: 16
HOMEBREW_SORBET_RUNTIME: set
Homebrew Ruby: 3.3.4 => /usr/local/Homebrew/Library/Homebrew/vendor/portable-ruby/3.3.4/bin/ruby
CPU: 16-core 64-bit kabylake
Clang: 15.0.0 build 1500
Git: 2.45.2 => /usr/local/bin/git
Curl: 8.6.0 => /usr/bin/curl
macOS: 14.5-x86_64
CLT: 15.3.0.0.1.1708646388
Xcode: N/A

brew doctor

Your system is ready to brew.

Verification

  • My brew doctor output says Your system is ready to brew. and am still able to reproduce my issue.
  • I ran brew update and am still able to reproduce my issue.
  • I have resolved all warnings from brew doctor and that did not fix my problem.
  • I searched for recent similar issues at https://github.com/Homebrew/homebrew-core/issues?q=is%3Aissue and found no duplicates.

What were you trying to do (and why)?

Upgrade nano from 8.0 to 8.1

What happened (include all command output)?

> % brew upgrade nano  
==> Downloading https://formulae.brew.sh/api/formula.jws.json

==> Downloading https://formulae.brew.sh/api/cask.jws.json

Warning: Treating nano as a formula. For the cask, use homebrew/cask/nano or specify the `--cask` flag.
==> Upgrading 1 outdated package:
nano 8.0 -> 8.1
==> Downloading https://ghcr.io/v2/homebrew/core/nano/manifests/8.1
Already downloaded: /Users/noelle/Library/Caches/Homebrew/downloads/c235906dbe78ab367ac80fa098363c4312bc50c3945eb8154535b340d8394f94--nano-8.1.bottle_manifest.json
==> Fetching nano
==> Downloading https://ghcr.io/v2/homebrew/core/nano/blobs/sha256:78947cd54c0938695fd01dd784f3f0033c0af0532627
Already downloaded: /Users/noelle/Library/Caches/Homebrew/downloads/ac5e4929fdb43b3e506e55e05d011b7f77c9148f1abc5f20f9927bd46f1ce721--nano--8.1.sonoma.bottle.tar.gz
==> Upgrading nano
  8.0 -> 8.1 
==> Verifying attestation for nano
Error: The bottle for nano has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

attestation verification failed: Failure while executing; `/usr/bin/env GH_TOKEN=****** /usr/local/bin/gh attestation verify /Users/noelle/Library/Caches/Homebrew/downloads/ac5e4929fdb43b3e506e55e05d011b7f77c9148f1abc5f20f9927bd46f1ce721--nano--8.1.sonoma.bottle.tar.gz --repo trailofbits/homebrew-brew-verify --format json` exited with 1. Here's the output:

Error: failed to fetch attestations from trailofbits/homebrew-brew-verify: HTTP 401: Bad credentials (https://api.github.com/repos/trailofbits/homebrew-brew-verify/attestations/sha256:78947cd54c0938695fd01dd784f3f0033c0af053262712e2d34bef6cd7653513?per_page=30)

What did you expect to happen?

Install without error

Step-by-step reproduction instructions (by running brew commands)

brew upgrade nano

Labels: bug (Reproducible Homebrew/homebrew-core bug)