From 1264388ea922372841879383fa6d1c421b39fdca Mon Sep 17 00:00:00 2001 From: David Dworken Date: Sun, 5 Nov 2023 12:57:58 -0800 Subject: [PATCH] Swap post-release validation to happen in a dedicated python script --- .github/workflows/slsa-releaser.yml | 9 +--- scripts/actions-validate-macos-signature.py | 15 ------ scripts/actions-validate.py | 53 +++++++++++++++++++++ 3 files changed, 54 insertions(+), 23 deletions(-) delete mode 100644 scripts/actions-validate-macos-signature.py create mode 100644 scripts/actions-validate.py diff --git a/.github/workflows/slsa-releaser.yml b/.github/workflows/slsa-releaser.yml index 4dd8313..fe46b5c 100644 --- a/.github/workflows/slsa-releaser.yml +++ b/.github/workflows/slsa-releaser.yml @@ -214,12 +214,5 @@ jobs: - name: Validate Release run: | go build; ./hishtory install - # Validate SLSA attestations - ./hishtory validate-binary hishtory-linux-amd64 hishtory-linux-amd64.intoto.jsonl - ./hishtory validate-binary hishtory-linux-arm64 hishtory-linux-arm64.intoto.jsonl - ./hishtory validate-binary hishtory-darwin-amd64 hishtory-darwin-amd64.intoto.jsonl --is_macos=True --macos_unsigned_binary=hishtory-darwin-amd64-unsigned - ./hishtory validate-binary hishtory-darwin-arm64 hishtory-darwin-arm64.intoto.jsonl --is_macos=True --macos_unsigned_binary=hishtory-darwin-arm64-unsigned - # Validate MacOS signatures - python3 scripts/actions-validate-macos-signature.py hishtory-darwin-amd64 - python3 scripts/actions-validate-macos-signature.py hishtory-darwin-arm64 + python3 scripts/actions-validate.py # TODO: Run validation using hishtory built at HEAD too \ No newline at end of file diff --git a/scripts/actions-validate-macos-signature.py b/scripts/actions-validate-macos-signature.py deleted file mode 100644 index f46382f..0000000 --- a/scripts/actions-validate-macos-signature.py +++ /dev/null 
@@ -1,15 +0,0 @@
-import subprocess
-import shutil
-import sys
-
-def main():
- assert shutil.which('codesign') is not None
- out = subprocess.check_output(["codesign", "-dv", "--verbose=4", sys.argv[1]], stderr=subprocess.STDOUT).decode('utf-8')
- print("="*80+f"\nCodesign Output: \n{out}\n\n")
- assert "Authority=Developer ID Application: David Dworken (QUXLNCT7FA)" in out
- assert "Authority=Developer ID Certification Authority" in out
- assert "Authority=Apple Root CA" in out
- assert "TeamIdentifier=QUXLNCT7FA" in out
-
-if __name__ == '__main__':
- main()
\ No newline at end of file
diff --git a/scripts/actions-validate.py b/scripts/actions-validate.py
new file mode 100644
index 0000000..d713ccd
--- /dev/null
+++ b/scripts/actions-validate.py
@@ -0,0 +1,53 @@
+import subprocess
+import shutil
+import sys
+import os
+
+ALL_FILES = ['hishtory-linux-amd64', 'hishtory-linux-arm64', 'hishtory-darwin-amd64', 'hishtory-darwin-arm64']
+
+def validate_slsa(hishtory_binary: str) -> None:
+ assert os.path.exists(hishtory_binary)
+ for filename in ALL_FILES:
+ print(f"Validating (unknown) with {hishtory_binary=}")
+ assert os.path.exists(filename)
+ slsa_attestation_file = filename + ".intoto.jsonl"
+ assert os.path.exists(slsa_attestation_file)
+ if "darwin" in filename:
+ unsigned_filename = f"(unknown)-unsigned"
+ assert os.path.exists(unsigned_filename)
+ out = subprocess.check_output([
+ hishtory_binary,
+ "validate-binary",
+ filename,
+ slsa_attestation_file,
+ "--is_macos=True",
+ f"--macos_unsigned_binary={unsigned_filename}"
+ ]).decode('utf-8')
+ else:
+ out = subprocess.check_output([
+ hishtory_binary,
+ "validate-binary",
+ filename,
+ slsa_attestation_file
+ ]).decode('utf-8')
+ assert "Verified signature against tlog entry" in out, out
+ assert "Verified build using builder" in out, out
+
+
+def validate_macos_signature(filename: str) -> None:
+ assert shutil.which('codesign') is not None
+ out = subprocess.check_output(["codesign", "-dv", "--verbose=4", filename], stderr=subprocess.STDOUT).decode('utf-8')
+ print("="*80+f"\nCodesign Output: \n{out}\n\n")
+ assert "Authority=Developer ID Application: David Dworken (QUXLNCT7FA)" in out
+ assert "Authority=Developer ID Certification Authority" in out
+ assert "Authority=Apple Root CA" in out
+ assert "TeamIdentifier=QUXLNCT7FA" in out
+
+def main() -> None:
+ for filename in ALL_FILES:
+ if "darwin" in filename:
+ validate_macos_signature(filename)
+ validate_slsa("./hishtory")
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
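Review bot: Every check that gates the release in this new file is an `assert` — the `os.path.exists` checks and the two output checks (`assert "Verified signature against tlog entry" in out, out`) in validate_slsa, and the `shutil.which` plus four certificate-chain checks in validate_macos_signature — and `assert` is stripped when the interpreter runs with `-O` or with `PYTHONOPTIMIZE` set in the environment, which would turn the whole validation into a silent pass; a tiny `check(condition, message)` helper that raises `SystemExit` keeps the one-line shape without that failure mode. Separately, `codesign -dv --verbose=4` displays the embedded signature and its certificate chain but, as far as I recall, does not verify that the signature is valid for the binary, so a `subprocess.check_call(["codesign", "--verify", "--verbose=4", filename])` before the Authority substring checks is worth adding (a tampered binary would then fail on exit status rather than slip past a string match). The f-strings `f"Validating (unknown) with {hishtory_binary=}"` and `f"(unknown)-unsigned"` contain no `{filename}` placeholder as rendered here; if that is the actual code rather than a rendering artifact, the darwin branch checks a literal path `(unknown)-unsigned` and `validate_slsa` would never pass for the darwin entries. A one-line module docstring stating that the script must run from the release workspace on a macOS runner (it requires `codesign` on PATH and `./hishtory` in the cwd) would also help whoever next touches the workflow.
```python
def check(condition: bool, message: str) -> None:
    """Fail release validation unconditionally; unlike assert, this survives -O / PYTHONOPTIMIZE."""
    if not condition:
        raise SystemExit(message)

# … unchanged: ALL_FILES, validate_slsa (each assert replaced by check(..., out)) …

def validate_macos_signature(filename: str) -> None:
    check(shutil.which('codesign') is not None, "codesign not found on PATH")
    # Verify the signature is actually valid for this binary; a bad or missing signature exits non-zero.
    subprocess.check_call(["codesign", "--verify", "--verbose=4", filename])
    out = subprocess.check_output(["codesign", "-dv", "--verbose=4", filename], stderr=subprocess.STDOUT).decode('utf-8')
    print("="*80+f"\nCodesign Output: \n{out}\n\n")
    for expected in (
        "Authority=Developer ID Application: David Dworken (QUXLNCT7FA)",
        "Authority=Developer ID Certification Authority",
        "Authority=Apple Root CA",
        "TeamIdentifier=QUXLNCT7FA",
    ):
        check(expected in out, f"codesign output missing {expected!r}:\n{out}")

# … unchanged: main, __main__ guard …
```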