mirror of
https://github.com/ddworken/hishtory.git
synced 2025-06-27 07:22:29 +02:00
Maybe working xattr support for code signing
This commit is contained in:
parent
74caf87eda
commit
c79a510b9c
@ -247,7 +247,7 @@ func decrementVersionIfInvalid(initialVersion string) string {
|
||||
}
|
||||
|
||||
func assertValidUpdate(updateInfo shared.UpdateInfo) error {
|
||||
urls := []string{updateInfo.LinuxAmd64Url, updateInfo.LinuxAmd64AttestationUrl, updateInfo.DarwinAmd64Url, updateInfo.DarwinAmd64AttestationUrl, updateInfo.DarwinArm64Url, updateInfo.DarwinArm64AttestationUrl}
|
||||
urls := []string{updateInfo.LinuxAmd64Url, updateInfo.LinuxAmd64AttestationUrl, updateInfo.DarwinAmd64Url, updateInfo.DarwinAmd64AttestationUrl, updateInfo.DarwinArm64Url, updateInfo.DarwinArm64AttestationUrl, updateInfo.DarwinAmd64Xattr, updateInfo.DarwinAmd64Xattr}
|
||||
for _, url := range urls {
|
||||
resp, err := http.Get(url)
|
||||
if err != nil {
|
||||
@ -297,8 +297,10 @@ func buildUpdateInfo(version string) shared.UpdateInfo {
|
||||
LinuxAmd64AttestationUrl: fmt.Sprintf("https://github.com/ddworken/hishtory/releases/download/%s-linux-amd64/hishtory-linux-amd64.intoto.jsonl", version),
|
||||
DarwinAmd64Url: fmt.Sprintf("https://github.com/ddworken/hishtory/releases/download/%s-darwin-amd64/hishtory-darwin-amd64", version),
|
||||
DarwinAmd64AttestationUrl: fmt.Sprintf("https://github.com/ddworken/hishtory/releases/download/%s-darwin-amd64/hishtory-darwin-amd64.intoto.jsonl", version),
|
||||
DarwinAmd64Xattr: fmt.Sprintf("https://github.com/ddworken/hishtory/releases/download/%s-xattr/hishtory-darwin-amd64-xattr.json", version),
|
||||
DarwinArm64Url: fmt.Sprintf("https://github.com/ddworken/hishtory/releases/download/%s-darwin-arm64/hishtory-darwin-arm64", version),
|
||||
DarwinArm64AttestationUrl: fmt.Sprintf("https://github.com/ddworken/hishtory/releases/download/%s-darwin-arm64/hishtory-darwin-arm64.intoto.jsonl", version),
|
||||
DarwinArm64Xattr: fmt.Sprintf("https://github.com/ddworken/hishtory/releases/download/%s-xattr/hishtory-darwin-arm64-xattr.json", version),
|
||||
Version: version,
|
||||
}
|
||||
}
|
||||
|
@ -2,7 +2,6 @@ package lib
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
@ -14,7 +13,6 @@ import (
|
||||
"os/exec"
|
||||
"os/user"
|
||||
"path"
|
||||
"regexp"
|
||||
"runtime"
|
||||
"strconv"
|
||||
"strings"
|
||||
@ -24,6 +22,8 @@ import (
|
||||
|
||||
_ "embed" // for embedding config.sh
|
||||
|
||||
"golang.org/x/sys/unix"
|
||||
|
||||
"github.com/glebarez/sqlite" // an alternate non-cgo-requiring sqlite driver
|
||||
"gorm.io/gorm"
|
||||
"gorm.io/gorm/logger"
|
||||
@ -719,52 +719,42 @@ func ApiPost(path, contentType string, data []byte) ([]byte, error) {
|
||||
return respBody, nil
|
||||
}
|
||||
|
||||
func parseXattr(xattrDump string) (map[string][]byte, error) {
|
||||
m := make(map[string][]byte)
|
||||
nextLineIsAttrName := true
|
||||
attrName := ""
|
||||
attrValue := make([]byte, 0)
|
||||
for _, line := range strings.Split(xattrDump, "\n") {
|
||||
if nextLineIsAttrName {
|
||||
attrName = line[:len(line)-1]
|
||||
nextLineIsAttrName = false
|
||||
} else {
|
||||
r := regexp.MustCompile("\\d{8} (?P<hex>([A-Z0-9]{2} )+)\\s+\\|[^\\s]+\\|")
|
||||
match := r.FindStringSubmatch(line)
|
||||
if match != nil {
|
||||
for i, name := range r.SubexpNames() {
|
||||
if name == "hex" {
|
||||
bytes, err := hex.DecodeString(strings.ReplaceAll(match[i], " ", ""))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to decode hex string %#v in xattr file: %v", match[i], err)
|
||||
}
|
||||
attrValue = append(attrValue, bytes...)
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if strings.Contains(line, "|") {
|
||||
return nil, fmt.Errorf("entered confusing state in xattr file on line %#v, file=%#v", line, xattrDump)
|
||||
} else {
|
||||
nextLineIsAttrName = true
|
||||
m[attrName] = attrValue
|
||||
attrValue = make([]byte, 0)
|
||||
}
|
||||
}
|
||||
}
|
||||
type darwinCodeSignature struct {
|
||||
Cd string `json:"cd"`
|
||||
Cr string `json:"cr"`
|
||||
Cr1 string `json:"cr1"`
|
||||
Cs string `json:"cs"`
|
||||
}
|
||||
|
||||
func parseXattr(xattrDump string) (darwinCodeSignature, error) {
|
||||
var xattr darwinCodeSignature
|
||||
err := json.Unmarshal([]byte(xattrDump), &xattr)
|
||||
if err != nil {
|
||||
return xattr, fmt.Errorf("failed to parse xattr: %v", err)
|
||||
}
|
||||
return m, nil
|
||||
return xattr, nil
|
||||
}
|
||||
|
||||
func setXattr(filename, xattrDump string) {
|
||||
m, err := parseXattr(xattrDump)
|
||||
x, err := parseXattr(xattrDump)
|
||||
if err != nil {
|
||||
panic(fmt.Errorf("failed to parse xattr file: %v", err))
|
||||
}
|
||||
for k, v := range m {
|
||||
err := syscall.Setxattr(filename, k, v, 0)
|
||||
if err != nil {
|
||||
panic(fmt.Errorf("failed to set xattr %#v on file %#v: %v", k, filename, err))
|
||||
}
|
||||
err = unix.Setxattr(filename, "com.apple.cs.CodeDirectory", []byte(x.Cd), 0)
|
||||
if err != nil {
|
||||
panic(fmt.Errorf("failed to set xattr com.apple.cs.CodeDirectory on file %#v: %v", filename, err))
|
||||
}
|
||||
err = unix.Setxattr(filename, "com.apple.cs.CodeRequirements", []byte(x.Cr), 0)
|
||||
if err != nil {
|
||||
panic(fmt.Errorf("failed to set xattr com.apple.cs.CodeRequirements on file %#v: %v", filename, err))
|
||||
}
|
||||
err = unix.Setxattr(filename, "com.apple.cs.CodeRequirements-1", []byte(x.Cr1), 0)
|
||||
if err != nil {
|
||||
panic(fmt.Errorf("failed to set xattr com.apple.cs.CodeRequirements-1 on file %#v: %v", filename, err))
|
||||
}
|
||||
err = unix.Setxattr(filename, "com.apple.cs.CodeSignature", []byte(x.Cs), 0)
|
||||
if err != nil {
|
||||
panic(fmt.Errorf("failed to set xattr com.apple.cs.CodeSignature on file %#v: %v", filename, err))
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -190,57 +190,3 @@ func TestParseCrossPlatformInt(t *testing.T) {
|
||||
t.Fatalf("failed to parse cross platform int %d", res)
|
||||
}
|
||||
}
|
||||
|
||||
func TestParseXattr(t *testing.T) {
|
||||
dump := `com.apple.macl:
|
||||
00000000 04 00 34 5A 0D 8F 9B 10 48 FB 9D 12 E2 11 C7 21 |................|
|
||||
00000010 D3 17 04 00 7D 17 C7 D7 51 B6 4B C4 B0 E5 1A 58 |................|
|
||||
00000020 21 53 DD 4C 00 00 00 00 00 00 00 00 00 00 00 00 |!S.L............|
|
||||
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
|
||||
00000040 00 00 00 00 00 00 00 00 |........<EFBFBD>......|
|
||||
00000048
|
||||
com.apple.metadata:kMDItemDownloadedDate:
|
||||
00000000 62 70 6C 69 73 74 30 30 A1 01 33 41 C4 07 D4 F5 |bplist00..3A....|
|
||||
00000010 D0 E7 A3 08 0A 00 00 00 00 00 00 01 01 00 00 00 |................|
|
||||
00000020 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 |................|
|
||||
00000030 00 00 00 00 13 |.....|
|
||||
00000035
|
||||
com.apple.metadata:kMDItemWhereFroms:
|
||||
00000000 62 70 6C 69 73 74 30 30 A2 01 02 5F 10 47 68 74 |bplist00..._.Ght|
|
||||
00000010 74 70 73 3A 2F 2F 64 6C 2E 67 6F 6F 67 6C 65 2E |tps://dl.google.|
|
||||
00000020 63 6F 6D 2F 63 68 72 6F 6D 65 2F 6D 61 63 2F 75 |com/chrome/mac/u|
|
||||
00000030 6E 69 76 65 72 73 61 6C 2F 73 74 61 62 6C 65 2F |niversal/stable/|
|
||||
00000040 47 47 52 4F 2F 67 6F 6F 67 6C 65 63 68 72 6F 6D |GGRO/googlechrom|
|
||||
00000050 65 2E 64 6D 67 5F 10 17 68 74 74 70 73 3A 2F 2F |e.dmg_..https://|
|
||||
00000060 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 2F 08 |www.google.com/.|
|
||||
00000092
|
||||
com.apple.quarantine:
|
||||
00000000 30 31 38 33 3B 36 32 35 66 37 32 36 62 3B 53 61 |0183;625f726b;Sa|
|
||||
00000010 66 61 72 69 3B 46 37 33 37 42 42 43 33 2D 30 41 |fari;F737BBC3-0A|
|
||||
00000020 35 38 2D 34 31 44 34 2D 38 46 33 36 2D 30 33 42 |58-41D4-8F36-03B|
|
||||
00000030 42 33 31 36 36 39 35 39 39 |B31669599|
|
||||
00000039`
|
||||
xattr, err := parseXattr(dump)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if len(xattr) != 4 {
|
||||
t.Fatalf("xattr has an incorrect length: %d", len(xattr))
|
||||
}
|
||||
val := xattr["com.apple.quarantine"]
|
||||
if string(val) != "0183;625f726b;Safari;F737BBC3-0A58-41D4-8F36-03BB31669599" {
|
||||
t.Fatalf("unexpected xattr value=%#v", string(val))
|
||||
}
|
||||
val = xattr["com.apple.metadata:kMDItemWhereFroms"]
|
||||
if string(val) != "bplist00\xa2\x01\x02_\x10Ghttps://dl.google.com/chrome/mac/universal/stable/GGRO/googlechrome.dmg_\x10\x17https://www.google.com/\b" {
|
||||
t.Fatalf("unexpected xattr value=%#v", string(val))
|
||||
}
|
||||
val = xattr["com.apple.metadata:kMDItemDownloadedDate"]
|
||||
if string(val) != "bplist00\xa1\x013A\xc4\a\xd4\xf5\xd0\xe7\xa3\b\n\x00\x00\x00\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13" {
|
||||
t.Fatalf("unexpected xattr value=%#v", string(val))
|
||||
}
|
||||
val = xattr["com.apple.macl"]
|
||||
if string(val) != "\x04\x004Z\r\x8f\x9b\x10H\xfb\x9d\x12\xe2\x11\xc7!\xd3\x17\x04\x00}\x17\xc7\xd7Q\xb6Kİ\xe5\x1aX!S\xddL\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" {
|
||||
t.Fatalf("unexpected xattr value=%#v", string(val))
|
||||
}
|
||||
}
|
||||
|
2
go.mod
2
go.mod
@ -206,7 +206,7 @@ require (
|
||||
golang.org/x/net v0.0.0-20220325170049-de3da57026de // indirect
|
||||
golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a // indirect
|
||||
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
|
||||
golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886 // indirect
|
||||
golang.org/x/sys v0.0.0-20220422013727-9388b58f7150 // indirect
|
||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
|
||||
golang.org/x/text v0.3.7 // indirect
|
||||
golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect
|
||||
|
2
go.sum
2
go.sum
@ -2573,6 +2573,8 @@ golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBc
|
||||
golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886 h1:eJv7u3ksNXoLbGSKuv2s/SIO4tJVxc/A+MTpzxDgz/Q=
|
||||
golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220422013727-9388b58f7150 h1:xHms4gcpe1YE7A3yIllJXP16CMAGuqwO2lX1mTyyRRc=
|
||||
golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
|
||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||
|
Loading…
x
Reference in New Issue
Block a user