Pipe ctx into the slsa code to avoid context.TODO()

This commit is contained in:
David Dworken 2022-09-21 20:22:34 -07:00
parent d226fab7ec
commit cb16984f77
2 changed files with 7 additions and 7 deletions


@ -654,9 +654,9 @@ func Update(ctx *context.Context) error {
// Verify the SLSA attestation // Verify the SLSA attestation
if runtime.GOOS == "darwin" { if runtime.GOOS == "darwin" {
err = verifyBinaryMac("/tmp/hishtory-client", downloadData) err = verifyBinaryMac(ctx, "/tmp/hishtory-client", downloadData)
} else { } else {
err = verifyBinary("/tmp/hishtory-client", "/tmp/hishtory-client.intoto.jsonl", downloadData.Version) err = verifyBinary(ctx, "/tmp/hishtory-client", "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
} }
if err != nil { if err != nil {
return fmt.Errorf("failed to verify SLSA provenance of the updated binary, aborting update (to bypass, set `export HISHTORY_DISABLE_SLSA_ATTESTATION=true`): %v", err) return fmt.Errorf("failed to verify SLSA provenance of the updated binary, aborting update (to bypass, set `export HISHTORY_DISABLE_SLSA_ATTESTATION=true`): %v", err)
@ -692,7 +692,7 @@ func Update(ctx *context.Context) error {
return nil return nil
} }
func verifyBinaryMac(binaryPath string, downloadData shared.UpdateInfo) error { func verifyBinaryMac(ctx *context.Context, binaryPath string, downloadData shared.UpdateInfo) error {
// On Mac, binary verification is a bit more complicated since mac binaries are code // On Mac, binary verification is a bit more complicated since mac binaries are code
// signed. To verify a signed binary, we: // signed. To verify a signed binary, we:
// 1. Download the unsigned binary // 1. Download the unsigned binary
@ -734,7 +734,7 @@ func verifyBinaryMac(binaryPath string, downloadData shared.UpdateInfo) error {
} }
// Step 4: Use SLSA to verify the unsigned binary // Step 4: Use SLSA to verify the unsigned binary
return verifyBinary(unsignedBinaryPath, "/tmp/hishtory-client.intoto.jsonl", downloadData.Version) return verifyBinary(ctx, unsignedBinaryPath, "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
} }
func assertIdenticalBinaries(bin1Path, bin2Path string) error { func assertIdenticalBinaries(bin1Path, bin2Path string) error {
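Review bot: verifyBinaryMac now accepts ctx but, within the hunk, only forwards it to verifyBinary at step 4; the download and signature-stripping steps that its header comment lists (steps 1-3) sit outside the hunk, so if any of them does network I/O without ctx, cancellation and deadlines still won't reach that part of the update path — worth checking while the plumbing is being done. Both hunks are inside Update and verifyBinaryMac, whose bodies extend beyond what is shown. The new parameter also deserves a doc comment, e.g. `// verifyBinaryMac verifies the code-signed macOS binary at binaryPath against its SLSA provenance; ctx is forwarded to the SLSA verifier.`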


@ -14,7 +14,7 @@ import (
"github.com/slsa-framework/slsa-verifier/verifiers" "github.com/slsa-framework/slsa-verifier/verifiers"
) )
func verify(provenance []byte, artifactHash, source, branch, versionTag string) error { func verify(ctx *context.Context, provenance []byte, artifactHash, source, branch, versionTag string) error {
provenanceOpts := &options.ProvenanceOpts{ provenanceOpts := &options.ProvenanceOpts{
ExpectedSourceURI: source, ExpectedSourceURI: source,
ExpectedBranch: &branch, ExpectedBranch: &branch,
@ -41,7 +41,7 @@ func checkForDowngrade(currentVersionS, newVersionS string) error {
return nil return nil
} }
func verifyBinary(binaryPath, attestationPath, versionTag string) error { func verifyBinary(ctx *context.Context, binaryPath, attestationPath, versionTag string) error {
if os.Getenv("HISHTORY_DISABLE_SLSA_ATTESTATION") == "true" { if os.Getenv("HISHTORY_DISABLE_SLSA_ATTESTATION") == "true" {
return nil return nil
} }
@ -60,7 +60,7 @@ func verifyBinary(binaryPath, attestationPath, versionTag string) error {
return err return err
} }
return verify(attestation, hash, "github.com/ddworken/hishtory", "master", versionTag) return verify(ctx, attestation, hash, "github.com/ddworken/hishtory", "master", versionTag)
} }
func getFileHash(binaryPath string) (string, error) { func getFileHash(binaryPath string) (string, error) {
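Review bot: verify and verifyBinary gain a ctx parameter with no doc comment saying what it governs, and verify's body — presumably where ctx reaches the slsa-verifier call — is outside the hunk. If the context Update passes down carries no deadline, attestation verification (which presumably involves remote lookups by the verifier) can block the updater indefinitely, so consider bounding ctx with a timeout at the verifyBinary call site before `return verify(ctx, attestation, hash, ...)`; hedged, since the caller's context construction is not visible here. Suggested doc comments: `// verifyBinary checks the binary at binaryPath against the SLSA attestation in attestationPath for versionTag; ctx is passed through to the verifier.` and `// verify checks provenance for artifactHash against the expected source, branch and versionTag, using ctx for the verifier's calls.` Note too that `*context.Context` is a pointer to what looks like an interface value; the new signatures merely follow the existing Update convention, so changing that is out of scope for this commit.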