Make comment more explicit

2025-07-14 16:09:03 +08:00 · 2024-04-30 10:50:33 -04:00 · 2024-04-30 10:50:33 -04:00 · 9fff688bbe
commit 9fff688bbe
parent 883c1e9907
1 changed files with 8 additions and 8 deletions
--- a/Library/Homebrew/attestation.rb
+++ b/Library/Homebrew/attestation.rb
@ -119,14 +119,14 @@ module Homebrew
        url_sha256 = Digest::SHA256.hexdigest(bottle.url)
        subject = "#{url_sha256}--#{bottle.filename}"

-        # We don't pass in a signing worfklow for backfill signatures because
-        # some backfilled bottle signatures were signed from a branch, and others
-        # from main, so the signing workflow is slightly different which causes
-        # some bottles to incorrectly fail when checking their attestation.
-        # This shouldn't meaningfully affect security because if somehow someone
-        # could generate false backfill attestations from a different workflow
-        # we will still catch it because the attestation would have been
-        # generated after our cutoff date.
+        # We don't pass in a signing workflow for backfill signatures because
+        # some backfilled bottle signatures were signed from the 'backfill'
+        # branch, and others from 'main', so the signing workflow is slightly
+        # different which causes some bottles to incorrectly fail when checking
+        # their attestation. This shouldn't meaningfully affect security
+        # because if somehow someone could generate false backfill attestations
+        # from a different workflow we will still catch it because the
+        # attestation would have been generated after our cutoff date.
        backfill_attestation = check_attestation bottle, BACKFILL_REPO, nil, subject
        timestamp = backfill_attestation.dig("verificationResult", "verifiedTimestamps",
                                             0, "timestamp")