Add validation of macos signatures

2024-10-05 01:42:03 +02:00 · 2023-11-05 12:42:00 -08:00 · 2023-11-05 12:42:00 -08:00 · 9834c6f492
commit 9834c6f492
parent 0eb362e123
2 changed files with 20 additions and 2 deletions
--- a/.github/workflows/slsa-releaser.yml
+++ b/.github/workflows/slsa-releaser.yml
@ -214,9 +214,12 @@ jobs:
      - name: Validate Release
        run: |
          go build; ./hishtory install
-          # curl https://hishtory.dev/install.py | python3 -
+          # Validate SLSA attestations
          ./hishtory validate-binary hishtory-linux-amd64 hishtory-linux-amd64.intoto.jsonl
          ./hishtory validate-binary hishtory-linux-arm64 hishtory-linux-arm64.intoto.jsonl
          ./hishtory validate-binary hishtory-darwin-amd64 hishtory-darwin-amd64.intoto.jsonl --is_macos=True --macos_unsigned_binary=hishtory-darwin-amd64-unsigned
          ./hishtory validate-binary hishtory-darwin-arm64 hishtory-darwin-arm64.intoto.jsonl --is_macos=True --macos_unsigned_binary=hishtory-darwin-arm64-unsigned
-          # TODO: Validate other binaries here
+          # Validate MacOS signatures
+          python3 scripts/actions-validate-macos-signature.py hishtory-darwin-amd64
+          python3 scripts/actions-validate-macos-signature.py hishtory-darwin-arm64
+          # TODO: Run validation using hishtory built at HEAD too
--- a/scripts/actions-validate-macos-signature.py
+++ b/scripts/actions-validate-macos-signature.py
@ -0,0 +1,15 @@
+import subprocess
+import shutil
+import sys 
+
+def main():
+    assert shutil.which('codesign') is not None 
+    out = subprocess.check_output(["codesign", "-dv", "--verbose=4", sys.argv[1]], stderr=subprocess.STDOUT).decode('utf-8')
+    print("="*80+f"\nCodesign Output: \n{out}\n\n")
+    assert "Authority=Developer ID Application: David Dworken (QUXLNCT7FA)" in out
+    assert "Authority=Developer ID Certification Authority" in out
+    assert "Authority=Apple Root CA" in out 
+    assert "TeamIdentifier=QUXLNCT7FA" in out 
+
+if __name__ == '__main__':
+    main()