Add validation of macos signatures
This commit is contained in:
parent
0eb362e123
commit
9834c6f492
7
.github/workflows/slsa-releaser.yml
@ -214,9 +214,12 @@ jobs:
|
||||
- name: Validate Release
|
||||
run: |
|
||||
go build; ./hishtory install
|
||||
# curl https://hishtory.dev/install.py | python3 -
|
||||
# Validate SLSA attestations
|
||||
./hishtory validate-binary hishtory-linux-amd64 hishtory-linux-amd64.intoto.jsonl
|
||||
./hishtory validate-binary hishtory-linux-arm64 hishtory-linux-arm64.intoto.jsonl
|
||||
./hishtory validate-binary hishtory-darwin-amd64 hishtory-darwin-amd64.intoto.jsonl --is_macos=True --macos_unsigned_binary=hishtory-darwin-amd64-unsigned
|
||||
./hishtory validate-binary hishtory-darwin-arm64 hishtory-darwin-arm64.intoto.jsonl --is_macos=True --macos_unsigned_binary=hishtory-darwin-arm64-unsigned
|
||||
# TODO: Validate other binaries here
|
||||
# Validate MacOS signatures
|
||||
python3 scripts/actions-validate-macos-signature.py hishtory-darwin-amd64
|
||||
python3 scripts/actions-validate-macos-signature.py hishtory-darwin-arm64
|
||||
# TODO: Run validation using hishtory built at HEAD too
|
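--- /dev/null
+++ b/scripts/actions-validate-macos-signature.py
@@ -0,0 +1,15 @@
+import subprocess
+import shutil
+import sys
+
+def main():
+    assert shutil.which('codesign') is not None
+    out = subprocess.check_output(["codesign", "-dv", "--verbose=4", sys.argv[1]], stderr=subprocess.STDOUT).decode('utf-8')
+    print("="*80+f"\nCodesign Output: \n{out}\n\n")
+    assert "Authority=Developer ID Application: David Dworken (QUXLNCT7FA)" in out
+    assert "Authority=Developer ID Certification Authority" in out
+    assert "Authority=Apple Root CA" in out
+    assert "TeamIdentifier=QUXLNCT7FA" in out
+
+if __name__ == '__main__':
+    main()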
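Review bot: The script displays the signature but never verifies it: `codesign -dv --verbose=4` prints the subject names from the certificate chain embedded in the signature regardless of whether the signature is still valid over the current code or whether that chain anchors to a trusted root, so the four substring asserts would also pass for a binary modified after signing or signed with a self-issued chain carrying the same Common Names and TeamIdentifier. Add a verification pass ahead of the display call, e.g. `subprocess.check_call(["codesign", "--verify", "--strict", "--verbose=4", sys.argv[1]])`, which exits non-zero on an invalid or untrusted signature and leaves the existing identity checks as a second, stricter layer. The `assert` statements are removed when Python runs with `-O`, so each check should be an explicit `if ... not in out: raise SystemExit("unexpected codesign identity")` rather than an assert. When `codesign` itself fails, `check_output` raises `CalledProcessError` and the captured output is never printed; catching it and printing `e.output` before re-raising would make CI failures diagnosable.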