Verify the version tag in SLSA too

This commit is contained in:
David Dworken 2022-04-17 10:29:48 -07:00
parent f22bb5b4d9
commit cf55805578
2 changed files with 7 additions and 10 deletions


@ -446,7 +446,7 @@ func Update() error {
} }
// Verify the SLSA attestation // Verify the SLSA attestation
err = verifyBinary("/tmp/hishtory-client", "/tmp/hishtory-client.intoto.jsonl") err = verifyBinary("/tmp/hishtory-client", "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
if err != nil { if err != nil {
return fmt.Errorf("failed to verify SLSA provenance of the updated binary, aborting update: %v", err) return fmt.Errorf("failed to verify SLSA provenance of the updated binary, aborting update: %v", err)
} }
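Review bot: `downloadData.Version` now drives the tag check, but nothing in this hunk compares it with the version of the currently installed client, so a genuinely attested but older release served by the update endpoint still passes verification (the TODO in verifyBinary in the other file notes the same gap). Since downloadData presumably comes from the update server, the new tag check confirms that the binary's provenance matches what the server claimed, not that the update moves forward rather than rolling back. A comparison of downloadData.Version against the running build's version, returning an error when it is not strictly newer, placed before the verifyBinary call would close that. Update()'s body starts and ends outside the hunk, so where the installed version is available to it is not visible here.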


@ -17,7 +17,7 @@ var defaultRekorAddr = "https://rekor.sigstore.dev"
// Verify SLSA provenance of the downloaded binary // Verify SLSA provenance of the downloaded binary
// Copied from https://github.com/slsa-framework/slsa-verifier/blob/aee753f/main.go // Copied from https://github.com/slsa-framework/slsa-verifier/blob/aee753f/main.go
// Once the slsa-verifier supports being used as a library, this can be removed // Once the slsa-verifier supports being used as a library, this can be removed
func verify(provenance []byte, artifactHash, source, branch string) error { func verify(provenance []byte, artifactHash, source, branch, versionTag string) error {
rClient, err := rekor.NewClient(defaultRekorAddr) rClient, err := rekor.NewClient(defaultRekorAddr)
if err != nil { if err != nil {
return err return err
@ -61,13 +61,10 @@ func verify(provenance []byte, artifactHash, source, branch string) error {
return err return err
} }
// TODO
// Verify the tag. // Verify the tag.
// if tag != nil { if err := pkg.VerifyTag(env, versionTag); err != nil {
// if err := pkg.VerifyTag(env, *tag); err != nil { return err
// return err }
// }
// }
// TODO // TODO
// Verify the versioned tag. // Verify the versioned tag.
@ -80,7 +77,7 @@ func verify(provenance []byte, artifactHash, source, branch string) error {
return nil return nil
} }
func verifyBinary(binaryPath, attestationPath string) error { func verifyBinary(binaryPath, attestationPath, versionTag string) error {
// TODO: Also verify that the version is newer and this isn't a downgrade // TODO: Also verify that the version is newer and this isn't a downgrade
attestation, err := os.ReadFile(attestationPath) attestation, err := os.ReadFile(attestationPath)
if err != nil { if err != nil {
@ -99,5 +96,5 @@ func verifyBinary(binaryPath, attestationPath string) error {
} }
hash := hex.EncodeToString(hasher.Sum(nil)) hash := hex.EncodeToString(hasher.Sum(nil))
return verify(attestation, hash, "github.com/ddworken/hishtory", "master") return verify(attestation, hash, "github.com/ddworken/hishtory", "master", versionTag)
} }
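Review bot: In the `@ -61,13 +61,10` hunk `pkg.VerifyTag(env, versionTag)` now runs unconditionally, but verify never rejects an empty versionTag, so whether an update whose metadata carries no version is refused or accepted depends entirely on how VerifyTag treats `""`, which I cannot tell from here. A guard before the call, `if versionTag == "" { return fmt.Errorf("version tag must not be empty") }` (or errors.New if fmt is not imported in this file), makes the policy explicit. The header comment on verify should also state what the new parameter means, e.g. `// versionTag is the git tag the provenance must attest the build was produced from.`, and note that the versioned-tag check just below remains a TODO. verify's body spans beyond this hunk.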