From cb16984f77495c6ef05236e61a7619f18323891d Mon Sep 17 00:00:00 2001
From: David Dworken
Date: Wed, 21 Sep 2022 20:22:34 -0700
Subject: [PATCH] Pipe ctx into the slsa code to avoid context.TODO()
---
 client/lib/lib.go | 8 ++++----
 client/lib/slsa.go | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/client/lib/lib.go b/client/lib/lib.go
index 1cbf6d7..d2589a7 100644
--- a/client/lib/lib.go
+++ b/client/lib/lib.go
@@ -654,9 +654,9 @@ func Update(ctx *context.Context) error {
 // Verify the SLSA attestation
 if runtime.GOOS == "darwin" {
- err = verifyBinaryMac("/tmp/hishtory-client", downloadData)
+ err = verifyBinaryMac(ctx, "/tmp/hishtory-client", downloadData)
 } else {
- err = verifyBinary("/tmp/hishtory-client", "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
+ err = verifyBinary(ctx, "/tmp/hishtory-client", "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
 }
 if err != nil {
 return fmt.Errorf("failed to verify SLSA provenance of the updated binary, aborting update (to bypass, set `export HISHTORY_DISABLE_SLSA_ATTESTATION=true`): %v", err)
@@ -692,7 +692,7 @@ func Update(ctx *context.Context) error {
 return nil
 }
-func verifyBinaryMac(binaryPath string, downloadData shared.UpdateInfo) error {
+func verifyBinaryMac(ctx *context.Context, binaryPath string, downloadData shared.UpdateInfo) error {
 // On Mac, binary verification is a bit more complicated since mac binaries are code
 // signed. To verify a signed binary, we:
 // 1. Download the unsigned binary
@@ -734,7 +734,7 @@ func verifyBinaryMac(binaryPath string, downloadData shared.UpdateInfo) error {
 }
 // Step 4: Use SLSA to verify the unsigned binary
- return verifyBinary(unsignedBinaryPath, "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
+ return verifyBinary(ctx, unsignedBinaryPath, "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
 }
 func assertIdenticalBinaries(bin1Path, bin2Path string) error {
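Review bot: The binary and attestation paths passed to verifyBinaryMac and verifyBinary in Update are fixed names directly under /tmp (`/tmp/hishtory-client`, `/tmp/hishtory-client.intoto.jsonl`), and the same attestation path is repeated in the last hunk at the end of verifyBinaryMac. A predictable name in a world-writable directory can be pre-created or swapped by another local account between download, verification and install, so the file that passes the SLSA check is not guaranteed to be the file that ends up installed. Consider creating a private directory once with `dir, err := os.MkdirTemp("", "hishtory-update-")`, deriving both paths from it with `filepath.Join`, and removing it when Update returns. Update's body starts and ends outside these hunks, so how the verified file is moved into place cannot be confirmed from here.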
diff --git a/client/lib/slsa.go b/client/lib/slsa.go
index bd61c71..c90cbdf 100644
--- a/client/lib/slsa.go
+++ b/client/lib/slsa.go
@@ -14,7 +14,7 @@ import (
 "github.com/slsa-framework/slsa-verifier/verifiers"
 )
-func verify(provenance []byte, artifactHash, source, branch, versionTag string) error {
+func verify(ctx *context.Context, provenance []byte, artifactHash, source, branch, versionTag string) error {
 provenanceOpts := &options.ProvenanceOpts{
 ExpectedSourceURI: source,
 ExpectedBranch: &branch,
@@ -41,7 +41,7 @@ func checkForDowngrade(currentVersionS, newVersionS string) error {
 return nil
 }
-func verifyBinary(binaryPath, attestationPath, versionTag string) error {
+func verifyBinary(ctx *context.Context, binaryPath, attestationPath, versionTag string) error {
 if os.Getenv("HISHTORY_DISABLE_SLSA_ATTESTATION") == "true" {
 return nil
 }
@@ -60,7 +60,7 @@ func verifyBinary(binaryPath, attestationPath, versionTag string) error {
 return err
 }
- return verify(ctx, attestation, hash, "github.com/ddworken/hishtory", "master", versionTag)
+ return verify(ctx, attestation, hash, "github.com/ddworken/hishtory", "master", versionTag)
 }
 func getFileHash(binaryPath string) (string, error) {
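Review bot: `verify` now accepts `ctx`, but nothing in this patch uses it: the diffstat gives slsa.go three changed lines, and all three are signatures or call sites. The body of verify continues past this hunk, so the `context.TODO()` named in the commit subject is presumably still what the verifier call receives. If that is the case, the change is incomplete: wherever the body passes `context.TODO()`, pass `*ctx` instead (assuming `context` here is the standard-library package), so cancellation and deadlines from the caller actually reach the provenance check.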
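Review bot: The `HISHTORY_DISABLE_SLSA_ATTESTATION` check at the top of verifyBinary returns nil with no trace, so an update installed with provenance verification switched off looks exactly like a verified one. A value left behind in a shell profile, or set by anything able to write to the environment, silently disables the only integrity check on the downloaded binary. Suggest emitting a warning before the early return, for example `fmt.Fprintln(os.Stderr, "warning: SLSA attestation check disabled via HISHTORY_DISABLE_SLSA_ATTESTATION")`, and adding a comment on the branch stating that the bypass is deliberate and must stay opt-in. The rest of verifyBinary lies outside this hunk.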