fix(backend): skip GitHub API call for cosign when disabled or unconfigured #8753
…igured

When installing with --locked, the aqua backend was unconditionally downloading the checksum file via the GitHub Releases API to support cosign verification, even when:

- The cosign setting was disabled
- The package had no cosign configuration
- The lockfile already contained the checksum

This caused API calls that defeated the purpose of --locked mode, leading to rate limit errors and failures in air-gapped environments.

Now `needs_cosign` checks both the `aqua.cosign` setting and whether the package actually has cosign configured before triggering the checksum file download.

Fixes #8677

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Code Review
This pull request refactors the `needs_cosign` logic within the `AquaBackend` implementation in `src/backend/aqua.rs` to incorporate additional checks from settings and package checksums. A review comment suggests an improvement to simplify the condition by directly using an already bound `checksum` variable for better conciseness and to avoid redundant access.
| let needs_cosign = !skip_cosign | ||
| && Settings::get().aqua.cosign | ||
| && pkg | ||
| .checksum | ||
| .as_ref() | ||
| .and_then(|c| c.cosign.as_ref()) | ||
| .is_some_and(|c| c.enabled != Some(false)); |
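Review bot: In the last closure, `c.enabled != Some(false)` treats an unset `enabled` (`None`) as enabled, and nothing in the hunk says so. Since this flag now decides whether signature verification runs at all, add a one-line comment stating that an absent value means on. The two closures also both name their parameter `c` while binding different values (the checksum config, then the cosign config); distinct names would make the chain easier to audit.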
Since this code is inside an `if let Some(checksum) = &pkg.checksum` block, you can simplify this condition by using the `checksum` variable directly instead of accessing `pkg.checksum` again. This makes the code more concise and avoids redundant access.
| let needs_cosign = !skip_cosign | |
| && Settings::get().aqua.cosign | |
| && pkg | |
| .checksum | |
| .as_ref() | |
| .and_then(|c| c.cosign.as_ref()) | |
| .is_some_and(|c| c.enabled != Some(false)); | |
| let needs_cosign = !skip_cosign | |
| && Settings::get().aqua.cosign | |
| && checksum.cosign.as_ref().is_some_and(|c| c.enabled != Some(false)); |
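Review bot: With three conjuncts deciding `needs_cosign`, a `false` result gives no indication of which condition turned verification off, and the visible lines log nothing. Consider a debug-level message for the case where `Settings::get().aqua.cosign` is false but `checksum.cosign` is present, so a user can tell "cosign disabled by setting" apart from "package has no cosign config".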
Greptile Summary

This PR fixes a regression where

Changes:

The new condition is semantically aligned with the early-exit guards already inside

Confidence Score: 5/5
Important Files Changed
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[verify_provenance called] --> B{pkg.checksum present\nand enabled?}
B -- No --> Z[return Ok]
B -- Yes --> C{needs_checksum?}
C -- Yes --> D[needs_checksum = true]
C -- No --> E{Settings::get.aqua.cosign?}
E -- No --> F[needs_cosign = false]
E -- Yes --> G{checksum.cosign\npresent and not disabled?}
G -- No --> F
G -- Yes --> H[needs_cosign = true]
D --> I{needs_checksum OR\nneeds_cosign and not already verified}
F --> I
H --> I
I -- Yes, file not cached --> J[Download checksum file\nGitHub Release / HTTP]
I -- No OR file cached --> K{needs_cosign and\nnot cosign_already_verified?}
J --> K
K -- Yes --> L[cosign_checksums\nverify signature]
K -- No --> M{needs_checksum?}
L --> M
M -- Yes --> N[parse_checksum_from_content\nupdate lock_platforms]
M -- No --> Z
```
Reviews (2): Last reviewed commit: "fix(backend): address PR review feedback..."
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Hyperfine Performance
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.3.15 x -- echo` | 24.7 ± 0.6 | 23.5 | 28.4 | 1.01 ± 0.04 |
| `mise x -- echo` | 24.5 ± 0.8 | 23.0 | 36.6 | 1.00 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.3.15 env` | 24.4 ± 0.9 | 22.4 | 30.5 | 1.02 ± 0.04 |
| `mise env` | 24.0 ± 0.6 | 22.1 | 26.5 | 1.00 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.3.15 hook-env` | 24.8 ± 0.7 | 22.8 | 27.5 | 1.01 ± 0.05 |
| `mise hook-env` | 24.5 ± 0.9 | 22.5 | 37.8 | 1.00 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.3.15 ls` | 24.3 ± 1.0 | 22.5 | 36.1 | 1.00 |
| `mise ls` | 24.7 ± 0.8 | 21.9 | 26.8 | 1.02 ± 0.05 |

xtasks/test/perf
| Command | mise-2026.3.15 | mise | Variance |
|---|---|---|---|
| install (cached) | 160ms | 159ms | +0% |
| ls (cached) | 86ms | 83ms | +3% |
| bin-paths (cached) | 89ms | 88ms | +1% |
| task-ls (cached) | 839ms | 820ms | +2% |
Use already-bound `checksum` variable instead of redundant `pkg.checksum.as_ref()` access, and use `needs_cosign` instead of `!skip_cosign` to guard the `cosign_checksums` call for consistency.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
### 🐛 Bug Fixes

- **(backend)** skip GitHub API call for cosign when disabled or unconfigured by @jdx in [#8753](#8753)

## 📦 Aqua Registry Updates

#### New Packages (1)

- [`wasm-bindgen/wasm-pack`](https://github.com/wasm-bindgen/wasm-pack)

#### Updated Packages (10)

- [`Songmu/maltmill`](https://github.com/Songmu/maltmill)
- [`adhocteam/ssm`](https://github.com/adhocteam/ssm)
- [`cnosuke/kushi`](https://github.com/cnosuke/kushi)
- [`goark/depm`](https://github.com/goark/depm)
- [`google/go-jsonnet`](https://github.com/google/go-jsonnet)
- [`ipld/go-car`](https://github.com/ipld/go-car)
- [`nao1215/sqly`](https://github.com/nao1215/sqly)
- [`sharkdp/vivid`](https://github.com/sharkdp/vivid)
- [`terraprovider/statebridge`](https://github.com/terraprovider/statebridge)
- [`zerocore-ai/microsandbox`](https://github.com/zerocore-ai/microsandbox)
@jdx

```toml
[tools]
gh = "2.88.0"
jq = "1.8.1"
node = "24"
pnpm = "10.31"
uv = "0.11.1"
```

```
$ mise config ls
Path Tools
[redacted, it's the mise.toml from above] gh, jq, node, pnpm, uv
```

Or is this something else? Here's my

```toml
# @generated - this file is auto-generated by `mise lock`
# https://mise.jdx.dev/dev-tools/mise-lock.html
[[tools.gh]]
[tools.gh."platforms.linux-arm64"]
[tools.gh."platforms.linux-arm64-musl"]
[tools.gh."platforms.linux-x64"]
[tools.gh."platforms.linux-x64-musl"]
[tools.gh."platforms.macos-arm64"]
[tools.gh."platforms.macos-x64"]
[tools.gh."platforms.windows-x64"]
[[tools.jq]]
[tools.jq."platforms.linux-arm64"]
[tools.jq."platforms.linux-arm64-musl"]
[tools.jq."platforms.linux-x64"]
[tools.jq."platforms.linux-x64-musl"]
[tools.jq."platforms.macos-arm64"]
[tools.jq."platforms.macos-x64"]
[tools.jq."platforms.windows-x64"]
[[tools.node]]
[tools.node."platforms.linux-arm64"]
[tools.node."platforms.linux-arm64-musl"]
[tools.node."platforms.linux-x64"]
[tools.node."platforms.linux-x64-musl"]
[tools.node."platforms.macos-arm64"]
[tools.node."platforms.macos-x64"]
[tools.node."platforms.windows-x64"]
[[tools.pnpm]]
[tools.pnpm."platforms.linux-arm64"]
[tools.pnpm."platforms.linux-arm64-musl"]
[tools.pnpm."platforms.linux-x64"]
[tools.pnpm."platforms.linux-x64-musl"]
[tools.pnpm."platforms.macos-arm64"]
[tools.pnpm."platforms.macos-x64"]
[tools.pnpm."platforms.windows-x64"]
[[tools.uv]]
[tools.uv."platforms.linux-arm64"]
[tools.uv."platforms.linux-arm64-musl"]
[tools.uv."platforms.linux-x64"]
[tools.uv."platforms.linux-x64-musl"]
[tools.uv."platforms.macos-arm64"]
[tools.uv."platforms.macos-x64"]
[tools.uv."platforms.windows-x64"]
```

Summary

- `mise install --locked` making unnecessary GitHub Releases API calls even when the lockfile has pre-resolved URLs and checksums
- `needs_cosign` flag in `verify_provenance()` was unconditionally true, triggering a checksum file download via `github_release_asset()` → `github::get_release()` even when cosign was disabled or the package had no cosign config
- `settings.aqua.cosign` and whether the package has cosign configured before downloading

Fixes #8677

Test plan

- `mise install --locked` with `api.github.com` redirected to invalid host → DNS error
- `cargo test` — all 546 unit tests pass

🤖 Generated with Claude Code
Note

Medium Risk

Touches provenance/verification flow in `AquaBackend::verify_provenance`, so a logic mistake could inadvertently skip expected cosign checks or lockfile provenance updates. Change is small and gated by settings/config, reducing likelihood of broad impact.

Overview

Prevents unnecessary checksum-file downloads (and resulting GitHub Releases API calls) during `aqua` installs by tightening when cosign verification is considered needed.

`needs_cosign` is now true only when cosign is not skipped by lockfile provenance, `settings.aqua.cosign` is enabled, and the package’s `checksum.cosign` config exists and isn’t disabled; the subsequent cosign execution check is updated to use this flag.

Written by Cursor Bugbot for commit 425f965.
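
The gating described in the summary and flowchart above, modelled as an added example (not mise's code and not part of the PR) so the cases that must stay offline can be checked as a table. The `Ctx`, `Checksum`, `Cosign` and `Plan` types and the `plan` function are assumptions made for illustration; only the three-part `needs_cosign` condition comes from the page.

```rust
// Model of the gate; every type and function name here is hypothetical, not mise's API.
#[derive(Clone, Copy)]
struct Cosign { enabled: Option<bool> } // None = not explicitly disabled
#[derive(Clone, Copy)]
struct Checksum { cosign: Option<Cosign> }

#[derive(Clone, Copy)]
struct Ctx {
    setting_cosign: bool, // stands in for Settings::get().aqua.cosign
    skip_cosign: bool,    // lockfile provenance already covers cosign
    needs_checksum: bool, // no checksum recorded yet for this platform
    file_cached: bool,    // checksum file already on disk
}

#[derive(Debug, PartialEq)]
struct Plan { fetch_checksum_file: bool, run_cosign: bool, parse_checksum: bool }

fn needs_cosign(ctx: &Ctx, checksum: &Checksum) -> bool {
    !ctx.skip_cosign
        && ctx.setting_cosign
        && checksum.cosign.as_ref().is_some_and(|c| c.enabled != Some(false))
}

fn plan(ctx: &Ctx, checksum: Option<&Checksum>) -> Plan {
    // No checksum config: nothing to verify, so nothing to fetch.
    let Some(checksum) = checksum else {
        return Plan { fetch_checksum_file: false, run_cosign: false, parse_checksum: false };
    };
    let cosign = needs_cosign(ctx, checksum);
    Plan {
        // The network is touched only if a later step will consume the file.
        fetch_checksum_file: (ctx.needs_checksum || cosign) && !ctx.file_cached,
        run_cosign: cosign,
        parse_checksum: ctx.needs_checksum,
    }
}

fn main() {
    // Constructed inputs: a --locked install whose checksum is already in the lockfile.
    let locked = Ctx { setting_cosign: true, skip_cosign: false, needs_checksum: false, file_cached: false };
    let unsigned = Checksum { cosign: None };
    let signed = Checksum { cosign: Some(Cosign { enabled: None }) };
    println!("unsigned pkg:     {:?}", plan(&locked, Some(&unsigned)));
    println!("signed pkg:       {:?}", plan(&locked, Some(&signed)));
    println!("setting disabled: {:?}", plan(&Ctx { setting_cosign: false, ..locked }, Some(&signed)));
}
```

In this model a package that does configure cosign still triggers the fetch while the setting is on, so the offline guarantee holds only for the three cases the commit message lists.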