mirror of
https://github.com/ddworken/hishtory.git
synced 2024-11-29 11:44:53 +01:00
Swap post-release validation to happen in a dedicated python script
This commit is contained in:
parent
9834c6f492
commit
1264388ea9
9
.github/workflows/slsa-releaser.yml
vendored
9
.github/workflows/slsa-releaser.yml
vendored
@ -214,12 +214,5 @@ jobs:
|
||||
- name: Validate Release
|
||||
run: |
|
||||
go build; ./hishtory install
|
||||
# Validate SLSA attestations
|
||||
./hishtory validate-binary hishtory-linux-amd64 hishtory-linux-amd64.intoto.jsonl
|
||||
./hishtory validate-binary hishtory-linux-arm64 hishtory-linux-arm64.intoto.jsonl
|
||||
./hishtory validate-binary hishtory-darwin-amd64 hishtory-darwin-amd64.intoto.jsonl --is_macos=True --macos_unsigned_binary=hishtory-darwin-amd64-unsigned
|
||||
./hishtory validate-binary hishtory-darwin-arm64 hishtory-darwin-arm64.intoto.jsonl --is_macos=True --macos_unsigned_binary=hishtory-darwin-arm64-unsigned
|
||||
# Validate MacOS signatures
|
||||
python3 scripts/actions-validate-macos-signature.py hishtory-darwin-amd64
|
||||
python3 scripts/actions-validate-macos-signature.py hishtory-darwin-arm64
|
||||
python3 scripts/actions-validate.py
|
||||
# TODO: Run validation using hishtory built at HEAD too
|
@ -1,15 +0,0 @@
|
||||
import subprocess
|
||||
import shutil
|
||||
import sys
|
||||
|
||||
def main():
|
||||
assert shutil.which('codesign') is not None
|
||||
out = subprocess.check_output(["codesign", "-dv", "--verbose=4", sys.argv[1]], stderr=subprocess.STDOUT).decode('utf-8')
|
||||
print("="*80+f"\nCodesign Output: \n{out}\n\n")
|
||||
assert "Authority=Developer ID Application: David Dworken (QUXLNCT7FA)" in out
|
||||
assert "Authority=Developer ID Certification Authority" in out
|
||||
assert "Authority=Apple Root CA" in out
|
||||
assert "TeamIdentifier=QUXLNCT7FA" in out
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
53
scripts/actions-validate.py
Normal file
53
scripts/actions-validate.py
Normal file
@ -0,0 +1,53 @@
|
||||
import subprocess
|
||||
import shutil
|
||||
import sys
|
||||
import os
|
||||
|
||||
ALL_FILES = ['hishtory-linux-amd64', 'hishtory-linux-arm64', 'hishtory-darwin-amd64', 'hishtory-darwin-arm64']
|
||||
|
||||
def validate_slsa(hishtory_binary: str) -> None:
|
||||
assert os.path.exists(hishtory_binary)
|
||||
for filename in ALL_FILES:
|
||||
print(f"Validating {filename} with {hishtory_binary=}")
|
||||
assert os.path.exists(filename)
|
||||
slsa_attestation_file = filename + ".intoto.jsonl"
|
||||
assert os.path.exists(slsa_attestation_file)
|
||||
if "darwin" in filename:
|
||||
unsigned_filename = f"{filename}-unsigned"
|
||||
assert os.path.exists(unsigned_filename)
|
||||
out = subprocess.check_output([
|
||||
hishtory_binary,
|
||||
"validate-binary",
|
||||
filename,
|
||||
slsa_attestation_file,
|
||||
"--is_macos=True",
|
||||
f"--macos_unsigned_binary={unsigned_filename}"
|
||||
]).decode('utf-8')
|
||||
else:
|
||||
out = subprocess.check_output([
|
||||
hishtory_binary,
|
||||
"validate-binary",
|
||||
filename,
|
||||
slsa_attestation_file
|
||||
]).decode('utf-8')
|
||||
assert "Verified signature against tlog entry" in out, out
|
||||
assert "Verified build using builder" in out, out
|
||||
|
||||
|
||||
def validate_macos_signature(filename: str) -> None:
|
||||
assert shutil.which('codesign') is not None
|
||||
out = subprocess.check_output(["codesign", "-dv", "--verbose=4", filename], stderr=subprocess.STDOUT).decode('utf-8')
|
||||
print("="*80+f"\nCodesign Output: \n{out}\n\n")
|
||||
assert "Authority=Developer ID Application: David Dworken (QUXLNCT7FA)" in out
|
||||
assert "Authority=Developer ID Certification Authority" in out
|
||||
assert "Authority=Apple Root CA" in out
|
||||
assert "TeamIdentifier=QUXLNCT7FA" in out
|
||||
|
||||
def main() -> None:
|
||||
for filename in ALL_FILES:
|
||||
if "darwin" in filename:
|
||||
validate_macos_signature(filename)
|
||||
validate_slsa("./hishtory")
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
Loading…
Reference in New Issue
Block a user