diff --git a/.github/workflows/slsa-releaser.yml b/.github/workflows/slsa-releaser.yml
index 99b8e21..4dd8313 100644
--- a/.github/workflows/slsa-releaser.yml
+++ b/.github/workflows/slsa-releaser.yml
@@ -214,9 +214,12 @@ jobs:
 - name: Validate Release
 run: |
 go build; ./hishtory install
- # curl https://hishtory.dev/install.py | python3 -
+ # Validate SLSA attestations
 ./hishtory validate-binary hishtory-linux-amd64 hishtory-linux-amd64.intoto.jsonl
 ./hishtory validate-binary hishtory-linux-arm64 hishtory-linux-arm64.intoto.jsonl
 ./hishtory validate-binary hishtory-darwin-amd64 hishtory-darwin-amd64.intoto.jsonl --is_macos=True --macos_unsigned_binary=hishtory-darwin-amd64-unsigned
 ./hishtory validate-binary hishtory-darwin-arm64 hishtory-darwin-arm64.intoto.jsonl --is_macos=True --macos_unsigned_binary=hishtory-darwin-arm64-unsigned
- # TODO: Validate other binaries here
\ No newline at end of file
+ # Validate MacOS signatures
+ python3 scripts/actions-validate-macos-signature.py hishtory-darwin-amd64
+ python3 scripts/actions-validate-macos-signature.py hishtory-darwin-arm64
+ # TODO: Run validation using hishtory built at HEAD too
\ No newline at end of file
diff --git a/scripts/actions-validate-macos-signature.py b/scripts/actions-validate-macos-signature.py
new file mode 100644
index 0000000..f46382f
--- /dev/null
+++ b/scripts/actions-validate-macos-signature.py
@@ -0,0 +1,15 @@
+import subprocess
+import shutil
+import sys
+
+def main():
+ assert shutil.which('codesign') is not None
+ out = subprocess.check_output(["codesign", "-dv", "--verbose=4", sys.argv[1]], stderr=subprocess.STDOUT).decode('utf-8')
+ print("="*80+f"\nCodesign Output: \n{out}\n\n")
+ assert "Authority=Developer ID Application: David Dworken (QUXLNCT7FA)" in out
+ assert "Authority=Developer ID Certification Authority" in out
+ assert "Authority=Apple Root CA" in out
+ assert "TeamIdentifier=QUXLNCT7FA" in out
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
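Review bot: The new comment `# TODO: Run validation using hishtory built at HEAD too` reads inconsistently with the `go build; ./hishtory install` line at the top of the same step, which appears to already produce the `./hishtory` that the `validate-binary` calls use from the checked-out source. If the intent is to additionally validate with the released binary rather than the freshly built one, the comment should say that, e.g. `# TODO: Also run validation with the released hishtory binary, not only the one built from HEAD`. The job's checkout and runs-on lines are outside the hunk, so which revision `go build` compiles cannot be confirmed from here.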
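Review bot: `codesign -dv --verbose=4` in `main` only displays the embedded signing information and does not verify the signature over the binary's contents, so a file whose signature is invalid or tampered but still carries these certificate strings would pass all four checks. A `codesign --verify --strict --verbose=4 <path>` call, which exits non-zero on failure, should run before the display step. The checks are also plain `assert` statements, which Python drops under `-O`/`PYTHONOPTIMIZE`, so the script would then exit 0 without checking anything; raising explicitly keeps it fail-closed. `sys.argv[1]` is read without a length check, so a missing argument surfaces as an IndexError rather than a usage message.
```python
def main():
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <binary>")
    if shutil.which("codesign") is None:
        sys.exit("codesign not found on PATH")
    path = sys.argv[1]
    # Verify the signature cryptographically first; -dv below only displays it.
    subprocess.check_call(["codesign", "--verify", "--strict", "--verbose=4", path])
    out = subprocess.check_output(["codesign", "-dv", "--verbose=4", path], stderr=subprocess.STDOUT).decode('utf-8')
    print("="*80+f"\nCodesign Output: \n{out}\n\n")
    expected = [
        "Authority=Developer ID Application: David Dworken (QUXLNCT7FA)",
        "Authority=Developer ID Certification Authority",
        "Authority=Apple Root CA",
        "TeamIdentifier=QUXLNCT7FA",
    ]
    missing = [s for s in expected if s not in out]
    if missing:
        sys.exit(f"codesign output missing expected fields: {missing}")
# … unchanged: __main__ guard …
```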