extern/hishtory
1
0
Fork 0
mirror of https://github.com/ddworken/hishtory.git synced 2025-03-27 16:17:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Pipe ctx into the slsa code to avoid context.TODO()

Browse Source
This commit is contained in:
David Dworken 2022-09-21 20:22:34 -07:00
parent d226fab7ec
commit cb16984f77
2 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
client/lib/lib.go
View File

@ -654,9 +654,9 @@ func Update(ctx *context.Context) error {
// Verify the SLSA attestation
if runtime.GOOS == "darwin" {
err = verifyBinaryMac("/tmp/hishtory-client", downloadData)
err = verifyBinaryMac(ctx, "/tmp/hishtory-client", downloadData)
} else {
err = verifyBinary("/tmp/hishtory-client", "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
err = verifyBinary(ctx, "/tmp/hishtory-client", "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
}
if err != nil {
return fmt.Errorf("failed to verify SLSA provenance of the updated binary, aborting update (to bypass, set `export HISHTORY_DISABLE_SLSA_ATTESTATION=true`): %v", err)
@ -692,7 +692,7 @@ func Update(ctx *context.Context) error {
return nil
}
func verifyBinaryMac(binaryPath string, downloadData shared.UpdateInfo) error {
func verifyBinaryMac(ctx *context.Context, binaryPath string, downloadData shared.UpdateInfo) error {
// On Mac, binary verification is a bit more complicated since mac binaries are code
// signed. To verify a signed binary, we:
// 1. Download the unsigned binary
@ -734,7 +734,7 @@ func verifyBinaryMac(binaryPath string, downloadData shared.UpdateInfo) error {
}
// Step 4: Use SLSA to verify the unsigned binary
return verifyBinary(unsignedBinaryPath, "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
return verifyBinary(ctx, unsignedBinaryPath, "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
}
func assertIdenticalBinaries(bin1Path, bin2Path string) error {

6
client/lib/slsa.go
View File

@ -14,7 +14,7 @@ import (
"github.com/slsa-framework/slsa-verifier/verifiers"
)
func verify(provenance []byte, artifactHash, source, branch, versionTag string) error {
func verify(ctx *context.Context, provenance []byte, artifactHash, source, branch, versionTag string) error {
provenanceOpts := &options.ProvenanceOpts{
ExpectedSourceURI: source,
ExpectedBranch: &branch,
@ -41,7 +41,7 @@ func checkForDowngrade(currentVersionS, newVersionS string) error {
return nil
}
func verifyBinary(binaryPath, attestationPath, versionTag string) error {
func verifyBinary(ctx *context.Context, binaryPath, attestationPath, versionTag string) error {
if os.Getenv("HISHTORY_DISABLE_SLSA_ATTESTATION") == "true" {
return nil
}
@ -60,7 +60,7 @@ func verifyBinary(binaryPath, attestationPath, versionTag string) error {
return err
}
return verify(attestation, hash, "github.com/ddworken/hishtory", "master", versionTag)
return verify(ctx, attestation, hash, "github.com/ddworken/hishtory", "master", versionTag)
}
func getFileHash(binaryPath string) (string, error) {