hishtory/scripts/actions-validate.py

from re import sub
import subprocess
import shutil
import sys 
import os 

ALL_FILES = ['hishtory-linux-amd64', 'hishtory-linux-arm64', 'hishtory-darwin-amd64', 'hishtory-darwin-arm64']

def validate_slsa(hishtory_binary: str) -> None:
    assert os.path.exists(hishtory_binary)
    subprocess.check_output(['chmod', "+x", hishtory_binary])
    for filename in ALL_FILES:
        try:
            print(f"Validating {filename} with {hishtory_binary=}")
            assert os.path.exists(filename)
            slsa_attestation_file = filename + ".intoto.jsonl"
            assert os.path.exists(slsa_attestation_file)
            if "darwin" in filename:
                unsigned_filename = f"{filename}-unsigned"
                assert os.path.exists(unsigned_filename)
                out = subprocess.check_output([
                    hishtory_binary, 
                    "validate-binary",
                    filename, 
                    slsa_attestation_file, 
                    "--is_macos=True", 
                    f"--macos_unsigned_binary={unsigned_filename}"
                ], stderr=subprocess.STDOUT).decode('utf-8')
            else:
                out = subprocess.check_output([
                    hishtory_binary, 
                    "validate-binary", 
                    filename, 
                    slsa_attestation_file
                ], stderr=subprocess.STDOUT).decode('utf-8')
            assert "Verified signature against tlog entry" in out, out
            assert "Verified build using builder" in out, out
        except subprocess.CalledProcessError as e:
            print(f"subprocess.CalledProcessError: stdout={repr(e.stdout)}")
            raise e

def validate_macos_signature(filename: str) -> None:
    assert shutil.which('codesign') is not None 
    out = subprocess.check_output(["codesign", "-dv", "--verbose=4", filename], stderr=subprocess.STDOUT).decode('utf-8')
    print("="*80+f"\nCodesign Output: \n{out}\n\n")
    assert "Authority=Developer ID Application: David Dworken (QUXLNCT7FA)" in out
    assert "Authority=Developer ID Certification Authority" in out
    assert "Authority=Apple Root CA" in out 
    assert "TeamIdentifier=QUXLNCT7FA" in out 

def validate_hishtory_status(filename: str, deep_validation: bool) -> None:
    assert os.path.exists(filename)
    subprocess.check_output(['chmod', "+x", filename])
    status = subprocess.check_output([filename, "status", "-v"]).decode('utf-8')
    if deep_validation:
        git_hash = os.environ['GITHUB_SHA']
        assert git_hash, git_hash
        assert f"Commit Hash: {git_hash}" in status, status 
        assert os.path.exists('VERSION')
        with open('VERSION') as f:
            version = "v0." + f.read().strip()
        assert f"hiSHtory: {version}" in status, status
    else:
        assert "hiSHtory: " in status, status

def main() -> None:
    print("Starting validation of MacOS signatures")
    for filename in ALL_FILES:
        if "darwin" in filename:
            validate_macos_signature(filename)
    print("Starting validation of SLSA attestations")
    validate_slsa("./hishtory-darwin-amd64") 
    validate_slsa(os.path.expanduser("~/.hishtory/hishtory"))
    print("Validating other metadata")
    validate_hishtory_status("./hishtory-darwin-amd64", True)
    validate_hishtory_status(os.path.expanduser("~/.hishtory/hishtory"), False)

if __name__ == '__main__':
    main()
Add validation of hishtory status 2023-11-09 03:25:29 +01:00			`from re import sub`
Swap post-release validation to happen in a dedicated python script 2023-11-05 21:57:58 +01:00			`import subprocess`
			`import shutil`
			`import sys`
			`import os`

			`ALL_FILES = ['hishtory-linux-amd64', 'hishtory-linux-arm64', 'hishtory-darwin-amd64', 'hishtory-darwin-arm64']`

			`def validate_slsa(hishtory_binary: str) -> None:`
			`assert os.path.exists(hishtory_binary)`
Add SLSA validation with current binary built by SLSA 2024-03-25 05:48:01 +01:00			`subprocess.check_output(['chmod', "+x", hishtory_binary])`
Swap post-release validation to happen in a dedicated python script 2023-11-05 21:57:58 +01:00			`for filename in ALL_FILES:`
Add debugging information about subprocess errors when prevalidating releases 2023-11-06 02:16:42 +01:00			`try:`
			`print(f"Validating {filename} with {hishtory_binary=}")`
			`assert os.path.exists(filename)`
			`slsa_attestation_file = filename + ".intoto.jsonl"`
			`assert os.path.exists(slsa_attestation_file)`
			`if "darwin" in filename:`
			`unsigned_filename = f"{filename}-unsigned"`
			`assert os.path.exists(unsigned_filename)`
			`out = subprocess.check_output([`
			`hishtory_binary,`
			`"validate-binary",`
			`filename,`
			`slsa_attestation_file,`
			`"--is_macos=True",`
			`f"--macos_unsigned_binary={unsigned_filename}"`
			`], stderr=subprocess.STDOUT).decode('utf-8')`
			`else:`
			`out = subprocess.check_output([`
			`hishtory_binary,`
			`"validate-binary",`
			`filename,`
			`slsa_attestation_file`
			`], stderr=subprocess.STDOUT).decode('utf-8')`
			`assert "Verified signature against tlog entry" in out, out`
			`assert "Verified build using builder" in out, out`
			`except subprocess.CalledProcessError as e:`
			`print(f"subprocess.CalledProcessError: stdout={repr(e.stdout)}")`
			`raise e`
Swap post-release validation to happen in a dedicated python script 2023-11-05 21:57:58 +01:00
			`def validate_macos_signature(filename: str) -> None:`
			`assert shutil.which('codesign') is not None`
			`out = subprocess.check_output(["codesign", "-dv", "--verbose=4", filename], stderr=subprocess.STDOUT).decode('utf-8')`
			`print("="*80+f"\nCodesign Output: \n{out}\n\n")`
			`assert "Authority=Developer ID Application: David Dworken (QUXLNCT7FA)" in out`
			`assert "Authority=Developer ID Certification Authority" in out`
			`assert "Authority=Apple Root CA" in out`
			`assert "TeamIdentifier=QUXLNCT7FA" in out`

Add basic validation using the published version of hishtory too 2023-12-21 02:27:06 +01:00			`def validate_hishtory_status(filename: str, deep_validation: bool) -> None:`
Add validation of hishtory status 2023-11-09 03:25:29 +01:00			`assert os.path.exists(filename)`
Add chmod +x so that we can run hishtory status 2023-11-09 04:26:00 +01:00			`subprocess.check_output(['chmod', "+x", filename])`
Add validation of hishtory status 2023-11-09 03:25:29 +01:00			`status = subprocess.check_output([filename, "status", "-v"]).decode('utf-8')`
Add basic validation using the published version of hishtory too 2023-12-21 02:27:06 +01:00			`if deep_validation:`
			`git_hash = os.environ['GITHUB_SHA']`
			`assert git_hash, git_hash`
			`assert f"Commit Hash: {git_hash}" in status, status`
			`assert os.path.exists('VERSION')`
			`with open('VERSION') as f:`
			`version = "v0." + f.read().strip()`
			`assert f"hiSHtory: {version}" in status, status`
			`else:`
			`assert "hiSHtory: " in status, status`
Add validation of hishtory status 2023-11-09 03:25:29 +01:00
Swap post-release validation to happen in a dedicated python script 2023-11-05 21:57:58 +01:00			`def main() -> None:`
Add debug prints to make reading the output easier 2023-11-05 23:10:03 +01:00			`print("Starting validation of MacOS signatures")`
Swap post-release validation to happen in a dedicated python script 2023-11-05 21:57:58 +01:00			`for filename in ALL_FILES:`
			`if "darwin" in filename:`
			`validate_macos_signature(filename)`
Revert "Add SLSA attestation validation with latest released hishtory binary too" because the released binary doesn't support the validate-binary subcommand yet This reverts commit 259f6b785865453e793c06145d6fbdd42446b2fa. 2023-11-06 03:05:20 +01:00			`print("Starting validation of SLSA attestations")`
Add SLSA validation with current binary built by SLSA 2024-03-25 05:48:01 +01:00			`validate_slsa("./hishtory-darwin-amd64")`
Add SLSA attestation pre-validation with released hishtory version 2023-11-09 05:23:24 +01:00			`validate_slsa(os.path.expanduser("~/.hishtory/hishtory"))`
Add validation of hishtory status 2023-11-09 03:25:29 +01:00			`print("Validating other metadata")`
Add basic validation using the published version of hishtory too 2023-12-21 02:27:06 +01:00			`validate_hishtory_status("./hishtory-darwin-amd64", True)`
Expand user path before attempting validation 2023-12-21 21:22:11 +01:00			`validate_hishtory_status(os.path.expanduser("~/.hishtory/hishtory"), False)`
Swap post-release validation to happen in a dedicated python script 2023-11-05 21:57:58 +01:00
			`if __name__ == '__main__':`
			`main()`