attestation: specialize error when gh is old

[woodruffw]

• Have you followed the guidelines in our Contributing document?
• Have you checked to ensure there aren't other open Pull Requests for the same change?
• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your changes? Here's an example.
• Have you successfully run brew style with your changes locally?
• Have you successfully run brew typecheck with your changes locally?
• Have you successfully run brew tests with your changes locally?

---

This isn't really ideal (I'll look further into the bootstrap cycle issues that led us to try version sniffing in the first place), but it'll help more users in the current beta resolve issues they're seeing.

See Homebrew/homebrew-core#177384 (comment).

[nandahkrishna]

This mostly seems fine but the reason I created the version-based check earlier was because some older versions of gh, weirdly, seem to not output an unknown command error even though they don't support attestations.

See for example:

$ oras pull ghcr.io/homebrew/core/gh:2.48.0
$ HOMEBREW_NO_VERIFY_ATTESTATIONS=1 brew install ./gh--2.48.0.arm64_sonoma.bottle.tar.gz
$ gh --version
gh version 2.48.0 (2024-04-17)
$ gh attestation     
Download and verify artifact attestations.

USAGE
  gh attestation [subcommand] [flags]

ALIASES
  at

AVAILABLE COMMANDS
  download:    Download an artifact's Sigstore bundle(s) for offline use
  verify:      Verify an artifact's integrity using attestations

INHERITED FLAGS
  --help   Show help for command

LEARN MORE
  Use `gh <command> <subcommand> --help` for more information about a command.
  Read the manual at https://cli.github.com/manual

However, the minimum gh version that supports attestations is 2.49.0, so I have no idea why this is happening.

[Bo98]

Honestly, it might just be easier to only check brewed gh version in Attestation.enabled? e.g.

gh_version = Formula["gh"].any_installed_version
return false if gh_version.nil? || gh_version < "2.49"

Especially given we hope to phase out gh entirely.

For Homebrew/core CI, where we don't use brewed gh, we already explicitly opt-in via the env which would override this check anyway. The number of non-CI end users using non-brewed gh is likely sufficiently small that it's probably not worth trying to extend the beta to cover them.

[woodruffw]

Honestly, it might just be easier to only check brewed gh version in Attestation.enabled? e.g.

Yeah, seems right. I remember we had some bootstrap cycle issue with accessing Formula[...] in that context, but I think as long as it's below no_verify_attestations? that shouldn't be an issue.

[carlocab]

This might make it easier to parse the gh version for --HEAD installs: Homebrew/homebrew-core#179266

[MikeMcQuaid]

Honestly, it might just be easier to only check brewed gh version in Attestation.enabled? e.g.

Agreed.

[MikeMcQuaid]

Agreed with @Bo98's comment.

[woodruffw]

I've updated this so that we now only enable attestations if gh is already installed and sufficiently new (unless the user explicitly enables them with HOMEBREW_VERIFY_ATTESTATIONS=1). This has the side effect of curbing the current beta significantly, since most people currently in it are probably getting it from having developer mode enabled. But per @Bo98's points that seems fine to me.

[PtrTeixeira]

Hey! This looks like it might be the cause of #18028

[woodruffw]

Hey! This looks like it might be the cause of #18028

Looks like it, thanks. Reverting.