Swap post-release validation to happen in a dedicated python script

.github/workflows/slsa-releaser.yml

@@ -214,12 +214,5 @@ jobs:
       - name: Validate Release
         run: |
           go build; ./hishtory install
-          # Validate SLSA attestations
-          ./hishtory validate-binary hishtory-linux-amd64 hishtory-linux-amd64.intoto.jsonl
-          ./hishtory validate-binary hishtory-linux-arm64 hishtory-linux-arm64.intoto.jsonl
-          ./hishtory validate-binary hishtory-darwin-amd64 hishtory-darwin-amd64.intoto.jsonl --is_macos=True --macos_unsigned_binary=hishtory-darwin-amd64-unsigned
-          ./hishtory validate-binary hishtory-darwin-arm64 hishtory-darwin-arm64.intoto.jsonl --is_macos=True --macos_unsigned_binary=hishtory-darwin-arm64-unsigned
-          # Validate MacOS signatures
-          python3 scripts/actions-validate-macos-signature.py hishtory-darwin-amd64
-          python3 scripts/actions-validate-macos-signature.py hishtory-darwin-arm64
+          python3 scripts/actions-validate.py
           # TODO: Run validation using hishtory built at HEAD too

scripts/actions-validate-macos-signature.py

@@ -1,15 +0,0 @@
-import subprocess
-import shutil
-import sys 
-
-def main():
-    assert shutil.which('codesign') is not None 
-    out = subprocess.check_output(["codesign", "-dv", "--verbose=4", sys.argv[1]], stderr=subprocess.STDOUT).decode('utf-8')
-    print("="*80+f"\nCodesign Output: \n{out}\n\n")
-    assert "Authority=Developer ID Application: David Dworken (QUXLNCT7FA)" in out
-    assert "Authority=Developer ID Certification Authority" in out
-    assert "Authority=Apple Root CA" in out 
-    assert "TeamIdentifier=QUXLNCT7FA" in out 
-
-if __name__ == '__main__':
-    main()

scripts/actions-validate.py

@@ -0,0 +1,53 @@
+import subprocess
+import shutil
+import sys 
+import os 
+
+ALL_FILES = ['hishtory-linux-amd64', 'hishtory-linux-arm64', 'hishtory-darwin-amd64', 'hishtory-darwin-arm64']
+
+def validate_slsa(hishtory_binary: str) -> None:
+    assert os.path.exists(hishtory_binary)
+    for filename in ALL_FILES:
+        print(f"Validating {filename} with {hishtory_binary=}")
+        assert os.path.exists(filename)
+        slsa_attestation_file = filename + ".intoto.jsonl"
+        assert os.path.exists(slsa_attestation_file)
+        if "darwin" in filename:
+            unsigned_filename = f"{filename}-unsigned"
+            assert os.path.exists(unsigned_filename)
+            out = subprocess.check_output([
+                hishtory_binary, 
+                "validate-binary",
+                filename, 
+                slsa_attestation_file, 
+                "--is_macos=True", 
+                f"--macos_unsigned_binary={unsigned_filename}"
+            ]).decode('utf-8')
+        else:
+            out = subprocess.check_output([
+                hishtory_binary, 
+                "validate-binary", 
+                filename, 
+                slsa_attestation_file
+            ]).decode('utf-8')
+        assert "Verified signature against tlog entry" in out, out
+        assert "Verified build using builder" in out, out
+
+
+def validate_macos_signature(filename: str) -> None:
+    assert shutil.which('codesign') is not None 
+    out = subprocess.check_output(["codesign", "-dv", "--verbose=4", filename], stderr=subprocess.STDOUT).decode('utf-8')
+    print("="*80+f"\nCodesign Output: \n{out}\n\n")
+    assert "Authority=Developer ID Application: David Dworken (QUXLNCT7FA)" in out
+    assert "Authority=Developer ID Certification Authority" in out
+    assert "Authority=Apple Root CA" in out 
+    assert "TeamIdentifier=QUXLNCT7FA" in out 
+
+def main() -> None:
+    for filename in ALL_FILES:
+        if "darwin" in filename:
+            validate_macos_signature(filename)
+    validate_slsa("./hishtory")
+
+if __name__ == '__main__':
+    main()