Update SLSA validation to skip version validation when running in GitHub Actions, since the binary built in Actions isn't associated with a released version

This commit is contained in:
David Dworken 2023-11-05 01:15:54 -07:00
parent c3c74970b0
commit c918bcd3cb
No known key found for this signature in database
3 changed files with 12 additions and 15 deletions


@ -214,7 +214,7 @@ jobs:
run: | run: |
go build; ./hishtory install go build; ./hishtory install
# curl https://hishtory.dev/install.py | python3 - # curl https://hishtory.dev/install.py | python3 -
./hishtory validate-binary v0.`cat VERSION` hishtory-linux-amd64 hishtory-linux-amd64.intoto.jsonl ./hishtory validate-binary hishtory-linux-amd64 hishtory-linux-amd64.intoto.jsonl
# hishtory validate-binary v0.`cat VERSION` hishtory-linux-amd64 hishtory-linux-amd64.intoto.jsonl # hishtory validate-binary v0.`cat VERSION` hishtory-linux-amd64 hishtory-linux-amd64.intoto.jsonl
# TODO: Validate other binaries here # TODO: Validate other binaries here
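Review bot: The validate-binary step now runs without the `v0.`cat VERSION`` argument, so this CI check no longer asserts the artifact's versioned tag and, judging by the verify change in the same commit, only source, branch and digest remain enforced here; the line above it still shows the old three-argument form commented out, which will confuse the next reader. A one-line comment above the call would record the reason the commit message gives: `# No version tag: the in-Actions build is not tied to a released version, so only source/branch/digest are checked here`. If the release workflow also calls validate-binary, it would be worth confirming that path still pins the tag, since the command as changed cannot.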


@ -19,7 +19,6 @@ import (
"github.com/ddworken/hishtory/client/lib" "github.com/ddworken/hishtory/client/lib"
"github.com/ddworken/hishtory/shared" "github.com/ddworken/hishtory/shared"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"golang.org/x/mod/semver"
) )
var updateCmd = &cobra.Command{ var updateCmd = &cobra.Command{
@ -34,23 +33,19 @@ var validateBinaryCmd = &cobra.Command{
Use: "validate-binary", Use: "validate-binary",
Hidden: true, Hidden: true,
Short: "[Test Only] Validate the given binary for SLSA compliance", Short: "[Test Only] Validate the given binary for SLSA compliance",
Args: cobra.ExactArgs(3), Args: cobra.ExactArgs(2),
Run: func(cmd *cobra.Command, args []string) { Run: func(cmd *cobra.Command, args []string) {
ctx := hctx.MakeContext() ctx := hctx.MakeContext()
version := strings.TrimSpace(args[0]) binaryPath := args[0]
if !semver.IsValid(version) { attestationPath := args[1]
lib.CheckFatalError(fmt.Errorf("specified version %#v is not a valid version", version))
}
binaryPath := args[1]
attestationPath := args[2]
isMacOs, err := cmd.Flags().GetBool("is_macos") isMacOs, err := cmd.Flags().GetBool("is_macos")
lib.CheckFatalError(err) lib.CheckFatalError(err)
if isMacOs { if isMacOs {
macOsUnsignedBinaryPath, err := cmd.Flags().GetString("macos_unsigned_binary") macOsUnsignedBinaryPath, err := cmd.Flags().GetString("macos_unsigned_binary")
lib.CheckFatalError(err) lib.CheckFatalError(err)
lib.CheckFatalError(verifyBinaryAgainstUnsignedBinaryForMac(ctx, binaryPath, macOsUnsignedBinaryPath, attestationPath, version)) lib.CheckFatalError(verifyBinaryAgainstUnsignedBinaryForMac(ctx, binaryPath, macOsUnsignedBinaryPath, attestationPath, ""))
} else { } else {
lib.CheckFatalError(lib.VerifyBinary(ctx, binaryPath, attestationPath, version)) lib.CheckFatalError(lib.VerifyBinary(ctx, binaryPath, attestationPath, ""))
} }
}, },
} }
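Review bot: The Run closure now passes a literal `""` as the version to both `verifyBinaryAgainstUnsignedBinaryForMac` and `lib.VerifyBinary`, which drops the versioned-tag check for every caller of validate-binary, not only the GitHub Actions case the commit title describes; as far as this hunk shows, there is no longer any way to request the tag check from this command. Keeping the tag optional rather than removing it would preserve the stricter check for release validation, e.g. `Args: cobra.RangeArgs(2, 3),` together with `version := ""` and `if len(args) == 3 { version = strings.TrimSpace(args[2]) }` passed in place of the `""`. Separately, the removed lines were the only visible uses of `strings` and `fmt` in this command; if neither is used elsewhere in the file, the import block (which starts above this hunk) would now fail to compile, so that is worth confirming.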


@ -20,7 +20,9 @@ func verify(ctx context.Context, provenance []byte, artifactHash, source, branch
ExpectedSourceURI: source, ExpectedSourceURI: source,
ExpectedBranch: &branch, ExpectedBranch: &branch,
ExpectedDigest: artifactHash, ExpectedDigest: artifactHash,
ExpectedVersionedTag: &versionTag, }
if versionTag != "" {
provenanceOpts.ExpectedVersionedTag = &versionTag
} }
builderOpts := &options.BuilderOpts{} builderOpts := &options.BuilderOpts{}
_, _, err := verifiers.Verify(ctx, provenance, artifactHash, provenanceOpts, builderOpts) _, _, err := verifiers.Verify(ctx, provenance, artifactHash, provenanceOpts, builderOpts)
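Review bot: An empty `versionTag` now silently disables the `ExpectedVersionedTag` check in `verify`, which turns a string argument into a switch for one of the provenance properties being enforced, and nothing in the hunk documents that. The doc comment on `verify` (its signature starts above this hunk) should state the contract, e.g. `// An empty versionTag skips the ExpectedVersionedTag check; source, branch and digest are still enforced.` Given that this weakens what a successful verification proves, it may also be worth a log line in the `versionTag == ""` branch so a skipped tag check is visible in CI output rather than inferred from the absence of an error.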