Update slsa validation to not validate version when running in github actions, since the one in actions isn't associated with a released version

2025-06-20 20:07:52 +02:00 · 2023-11-05 01:15:54 -07:00 · 2023-11-05 01:15:54 -07:00 · c918bcd3cb
commit c918bcd3cb
parent c3c74970b0
3 changed files with 12 additions and 15 deletions
--- a/.github/workflows/slsa-releaser.yml
+++ b/.github/workflows/slsa-releaser.yml
@ -214,7 +214,7 @@ jobs:
        run: |
          go build; ./hishtory install
          # curl https://hishtory.dev/install.py | python3 -
-          ./hishtory validate-binary v0.`cat VERSION` hishtory-linux-amd64 hishtory-linux-amd64.intoto.jsonl
+          ./hishtory validate-binary hishtory-linux-amd64 hishtory-linux-amd64.intoto.jsonl
          # hishtory validate-binary v0.`cat VERSION` hishtory-linux-amd64 hishtory-linux-amd64.intoto.jsonl
          # TODO: Validate other binaries here
--- a/client/cmd/update.go
+++ b/client/cmd/update.go
@ -19,7 +19,6 @@ import (
 	"github.com/ddworken/hishtory/client/lib"
 	"github.com/ddworken/hishtory/shared"
 	"github.com/spf13/cobra"
 	"golang.org/x/mod/semver"
 )
 var updateCmd = &cobra.Command{
@ -34,23 +33,19 @@ var validateBinaryCmd = &cobra.Command{
 	Use:    "validate-binary",
 	Hidden: true,
 	Short:  "[Test Only] Validate the given binary for SLSA compliance",
-	Args:   cobra.ExactArgs(3),
+	Args:   cobra.ExactArgs(2),
 	Run: func(cmd *cobra.Command, args []string) {
 		ctx := hctx.MakeContext()
-		version := strings.TrimSpace(args[0])
+		binaryPath := args[0]
-		if !semver.IsValid(version) {
+		attestationPath := args[1]
 			lib.CheckFatalError(fmt.Errorf("specified version %#v is not a valid version", version))
 		}
 		binaryPath := args[1]
 		attestationPath := args[2]
 		isMacOs, err := cmd.Flags().GetBool("is_macos")
 		lib.CheckFatalError(err)
 		if isMacOs {
 			macOsUnsignedBinaryPath, err := cmd.Flags().GetString("macos_unsigned_binary")
 			lib.CheckFatalError(err)
-			lib.CheckFatalError(verifyBinaryAgainstUnsignedBinaryForMac(ctx, binaryPath, macOsUnsignedBinaryPath, attestationPath, version))
+			lib.CheckFatalError(verifyBinaryAgainstUnsignedBinaryForMac(ctx, binaryPath, macOsUnsignedBinaryPath, attestationPath, ""))
 		} else {
-			lib.CheckFatalError(lib.VerifyBinary(ctx, binaryPath, attestationPath, version))
+			lib.CheckFatalError(lib.VerifyBinary(ctx, binaryPath, attestationPath, ""))
 		}
 	},
 }
--- a/client/lib/slsa.go
+++ b/client/lib/slsa.go
@ -17,10 +17,12 @@ import (
 func verify(ctx context.Context, provenance []byte, artifactHash, source, branch, versionTag string) error {
 	provenanceOpts := &options.ProvenanceOpts{
-		ExpectedSourceURI:    source,
+		ExpectedSourceURI: source,
-		ExpectedBranch:       &branch,
+		ExpectedBranch:    &branch,
-		ExpectedDigest:       artifactHash,
+		ExpectedDigest:    artifactHash,
-		ExpectedVersionedTag: &versionTag,
+	}
 	if versionTag != "" {
 		provenanceOpts.ExpectedVersionedTag = &versionTag
 	}
 	builderOpts := &options.BuilderOpts{}
 	_, _, err := verifiers.Verify(ctx, provenance, artifactHash, provenanceOpts, builderOpts)