hishtory/client/lib/slsa.go

package lib

import (
	"context"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"

	"github.com/slsa-framework/slsa-verifier/options"
	"github.com/slsa-framework/slsa-verifier/verifiers"
)

func verify(ctx *context.Context, provenance []byte, artifactHash, source, branch, versionTag string) error {
	provenanceOpts := &options.ProvenanceOpts{
		ExpectedSourceURI:    source,
		ExpectedBranch:       &branch,
		ExpectedDigest:       artifactHash,
		ExpectedVersionedTag: &versionTag,
	}
	builderOpts := &options.BuilderOpts{}
	_, _, err := verifiers.Verify(*ctx, provenance, artifactHash, provenanceOpts, builderOpts)
	return err
}

func checkForDowngrade(currentVersionS, newVersionS string) error {
	currentVersion, err := strconv.Atoi(strings.TrimPrefix(currentVersionS, "v0."))
	if err != nil {
		return fmt.Errorf("failed to parse current version %#v", currentVersionS)
	}
	newVersion, err := strconv.Atoi(strings.TrimPrefix(newVersionS, "v0."))
	if err != nil {
		return fmt.Errorf("failed to parse updated version %#v", newVersionS)
	}
	if currentVersion > newVersion {
		return fmt.Errorf("failed to update because the new version (%#v) is a downgrade compared to the current version (%#v)", newVersionS, currentVersionS)
	}
	return nil
}

func verifyBinary(ctx *context.Context, binaryPath, attestationPath, versionTag string) error {
	if os.Getenv("HISHTORY_DISABLE_SLSA_ATTESTATION") == "true" {
		return nil
	}

	if err := checkForDowngrade(Version, versionTag); err != nil && os.Getenv("HISHTORY_ALLOW_DOWNGRADE") == "true" {
		return err
	}

	attestation, err := os.ReadFile(attestationPath)
	if err != nil {
		return fmt.Errorf("failed to read attestation file: %v", err)
	}

	hash, err := getFileHash(binaryPath)
	if err != nil {
		return err
	}

	return verify(ctx, attestation, hash, "github.com/ddworken/hishtory", "master", versionTag)
}

func getFileHash(binaryPath string) (string, error) {
	binaryFile, err := os.Open(binaryPath)
	if err != nil {
		return "", fmt.Errorf("failed to read binary for verification purposes: %v", err)
	}
	defer binaryFile.Close()

	hasher := sha256.New()
	if _, err := io.Copy(hasher, binaryFile); err != nil {
		return "", fmt.Errorf("failed to hash binary: %v", err)
	}
	hash := hex.EncodeToString(hasher.Sum(nil))
	return hash, nil
}
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`package lib`

			`import (`
			`"context"`
			`"crypto/sha256"`
			`"encoding/hex"`
			`"fmt"`
			`"io"`
			`"os"`
Fix test on incorrect update output + prevent downgrades 2022-06-05 06:42:40 +02:00			`"strconv"`
			`"strings"`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00
Bump go version, remove the vendored slsa library, and depend on a newer copy with a different API. Updates now work. 2022-09-02 09:15:58 +02:00			`"github.com/slsa-framework/slsa-verifier/options"`
			`"github.com/slsa-framework/slsa-verifier/verifiers"`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`)`

Pipe ctx into the slsa code to avoid context.TODO() 2022-09-22 05:22:34 +02:00			`func verify(ctx *context.Context, provenance []byte, artifactHash, source, branch, versionTag string) error {`
Bump go version, remove the vendored slsa library, and depend on a newer copy with a different API. Updates now work. 2022-09-02 09:15:58 +02:00			`provenanceOpts := &options.ProvenanceOpts{`
			`ExpectedSourceURI: source,`
			`ExpectedBranch: &branch,`
			`ExpectedDigest: artifactHash,`
			`ExpectedVersionedTag: &versionTag,`
			`}`
			`builderOpts := &options.BuilderOpts{}`
Pass in ctx 2022-09-23 03:11:35 +02:00			`_, _, err := verifiers.Verify(*ctx, provenance, artifactHash, provenanceOpts, builderOpts)`
Bump go version, remove the vendored slsa library, and depend on a newer copy with a different API. Updates now work. 2022-09-02 09:15:58 +02:00			`return err`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`}`

Fix test on incorrect update output + prevent downgrades 2022-06-05 06:42:40 +02:00			`func checkForDowngrade(currentVersionS, newVersionS string) error {`
			`currentVersion, err := strconv.Atoi(strings.TrimPrefix(currentVersionS, "v0."))`
			`if err != nil {`
			`return fmt.Errorf("failed to parse current version %#v", currentVersionS)`
			`}`
			`newVersion, err := strconv.Atoi(strings.TrimPrefix(newVersionS, "v0."))`
			`if err != nil {`
			`return fmt.Errorf("failed to parse updated version %#v", newVersionS)`
			`}`
			`if currentVersion > newVersion {`
			`return fmt.Errorf("failed to update because the new version (%#v) is a downgrade compared to the current version (%#v)", newVersionS, currentVersionS)`
			`}`
			`return nil`
			`}`

Pipe ctx into the slsa code to avoid context.TODO() 2022-09-22 05:22:34 +02:00			`func verifyBinary(ctx *context.Context, binaryPath, attestationPath, versionTag string) error {`
Working update code for macos 2022-05-27 08:45:08 +02:00			`if os.Getenv("HISHTORY_DISABLE_SLSA_ATTESTATION") == "true" {`
			`return nil`
			`}`

Fix test on incorrect update output + prevent downgrades 2022-06-05 06:42:40 +02:00			`if err := checkForDowngrade(Version, versionTag); err != nil && os.Getenv("HISHTORY_ALLOW_DOWNGRADE") == "true" {`
			`return err`
			`}`

Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`attestation, err := os.ReadFile(attestationPath)`
			`if err != nil {`
			`return fmt.Errorf("failed to read attestation file: %v", err)`
			`}`

Working update code for macos 2022-05-27 08:45:08 +02:00			`hash, err := getFileHash(binaryPath)`
			`if err != nil {`
			`return err`
			`}`

Pipe ctx into the slsa code to avoid context.TODO() 2022-09-22 05:22:34 +02:00			`return verify(ctx, attestation, hash, "github.com/ddworken/hishtory", "master", versionTag)`
Working update code for macos 2022-05-27 08:45:08 +02:00			`}`

			`func getFileHash(binaryPath string) (string, error) {`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`binaryFile, err := os.Open(binaryPath)`
			`if err != nil {`
Working update code for macos 2022-05-27 08:45:08 +02:00			`return "", fmt.Errorf("failed to read binary for verification purposes: %v", err)`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`}`
			`defer binaryFile.Close()`

			`hasher := sha256.New()`
			`if _, err := io.Copy(hasher, binaryFile); err != nil {`
Working update code for macos 2022-05-27 08:45:08 +02:00			`return "", fmt.Errorf("failed to hash binary: %v", err)`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`}`
			`hash := hex.EncodeToString(hasher.Sum(nil))`
Working update code for macos 2022-05-27 08:45:08 +02:00			`return hash, nil`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`}`