diff --git a/client/lib/lib.go b/client/lib/lib.go
index bf40f1b..4c28eb1 100644
--- a/client/lib/lib.go
+++ b/client/lib/lib.go
@@ -537,7 +537,7 @@ func Update() error {
 if runtime.GOOS == "darwin" {
 err = verifyBinaryMac("/tmp/hishtory-client", downloadData)
 } else {
- err = verifyBinary("/tmp/hishtory-client", "/tmp/hishtory-client.intoto.jsonl", downloadData.Version+"-"+runtime.GOOS+"-"+runtime.GOARCH)
+ err = verifyBinary("/tmp/hishtory-client", "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
 }
 if err != nil {
 return fmt.Errorf("failed to verify SLSA provenance of the updated binary, aborting update: %v", err)
@@ -618,7 +618,7 @@ func verifyBinaryMac(binaryPath string, downloadData shared.UpdateInfo) error {
 }
 // Step 4: Use SLSA to verify the unsigned binary
- return verifyBinary(unsignedBinaryPath, "/tmp/hishtory-client.intoto.jsonl", downloadData.Version+"-"+runtime.GOOS+"-"+runtime.GOARCH)
+ return verifyBinary(unsignedBinaryPath, "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
 }
 func assertIdenticalBinaries(bin1Path, bin2Path string) error {
diff --git a/client/lib/slsa.go b/client/lib/slsa.go
index 2eb132b..bf0cb9a 100644
--- a/client/lib/slsa.go
+++ b/client/lib/slsa.go
@@ -52,16 +52,14 @@ func verify(provenance []byte, artifactHash, source, branch, versionTag string)
 }
 // Verify the workflow identity.
- fmt.Printf("source=%#v, workflowInfo=%#v\n", source, workflowInfo)
 if err := slsa_verifier.VerifyWorkflowIdentity(workflowInfo, source); err != nil {
 return fmt.Errorf("failed to verify workflow identity: %v", err)
 }
 // Verify the branch.
- // TODO: This started failing for some reason? base_ref was null
- // if err := pkg.VerifyBranch(env, branch); err != nil {
- // return err
- // }
+ if err := slsa_verifier.VerifyBranch(env, branch); err != nil {
+ return err
+ }
 // Verify the tag.
 if err := slsa_verifier.VerifyTag(env, versionTag); err != nil {
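Review bot: The new call still verifies a binary sitting at the fixed path `/tmp/hishtory-client` (with provenance at `/tmp/hishtory-client.intoto.jsonl`), and on a shared host any local user can pre-create or swap those files in the window between the download, this verification and whatever later installs the file, so a passing SLSA check does not guarantee the installed bytes are the verified ones. Download into a private `os.MkdirTemp` directory (mode 0700), verify, and install the very bytes or file descriptor that were verified rather than re-opening the path. Passing `downloadData.Version` as the tag also means a server that controls both the artifact and `Version` can replay any older release together with its genuine provenance, unless Update already checks that Version is newer than the running build; if that check is not elsewhere in Update, add it before verification and record the assumption in a comment. Update's body begins and ends outside this hunk.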
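Review bot: The provenance path `"/tmp/hishtory-client.intoto.jsonl"` and the `downloadData.Version` tag argument are now spelled out identically here and in Update, so the two verification paths can drift apart silently; this very commit had to edit the old `Version+"-"+GOOS+"-"+GOARCH` form in both places. Hoist the path into a package-level `const provenancePath = "/tmp/hishtory-client.intoto.jsonl"` and have both callers use it, and consider a single helper that builds the verifyBinary arguments so the tag convention lives in one place. The step comment could also say what is matched, e.g. `// Step 4: Verify SLSA provenance of the unsigned binary against the release tag downloadData.Version`. verifyBinaryMac's body starts outside the hunk.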
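Review bot: The re-enabled branch check returns its error bare (`return err`) while the identity and tag checks around it wrap theirs with context, so a failed update surfaces a raw verifier error with no hint that the branch comparison is what failed; change it to `return fmt.Errorf("failed to verify branch: %v", err)` to match the sibling checks. The removed TODO said this check used to fail because base_ref was null and nothing in the hunk explains what changed, so a one-line comment recording why it now passes (adjusted to whatever actually fixed it) would stop the next person from re-disabling it. Dropping the `fmt.Printf` that dumped the workflow identity to stdout on every update is the right call. verify's body continues outside the hunk on both sides.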
diff --git a/client/vndor/slsa_verifier/provenance.go b/client/vndor/slsa_verifier/provenance.go
index 3cd3e57..d5363b6 100644
--- a/client/vndor/slsa_verifier/provenance.go
+++ b/client/vndor/slsa_verifier/provenance.go
@@ -2,6 +2,8 @@ package slsa_verifier
 // Copied from https://raw.githubusercontent.com/slsa-framework/slsa-verifier/c80938e29877e4c71984f626dc102b79667f4fe6/pkg/provenance.go
 // Apache 2.0 licensed: https://github.com/slsa-framework/slsa-verifier/blob/c80938e29877e4c71984f626dc102b79667f4fe6/LICENSE
+// This has the small tweak to make it possible to use the SLSA generator from non-head. To ensure this isn't a
+// security vulnerability we hardcode the hash that we expect.
 import (
 "bytes"
@@ -432,18 +434,19 @@ func verifyTrustedBuilderRef(id *WorkflowIdentity, ref string) error {
 return nil
 }
- if !strings.HasPrefix(ref, "refs/tags/") {
+ // if !strings.HasPrefix(ref, "refs/tags/") {
+ if ref != "b18a9ec9f79bb22067a9e91d3ddf170e7d9884f8" {
 return fmt.Errorf("%w: %s: not of the form 'refs/tags/name'", errorInvalidRef, ref)
 }
 // Valid semver of the form vX.Y.Z with no metadata.
- pin := strings.TrimPrefix(ref, "refs/tags/")
- if !(semver.IsValid(pin) &&
- len(strings.Split(pin, ".")) == 3 &&
- semver.Prerelease(pin) == "" &&
- semver.Build(pin) == "") {
- return fmt.Errorf("%w: %s: not of the form vX.Y.Z", errorInvalidRef, pin)
- }
+ // pin := strings.TrimPrefix(ref, "refs/tags/")
+ // if !(semver.IsValid(pin) &&
+ // len(strings.Split(pin, ".")) == 3 &&
+ // semver.Prerelease(pin) == "" &&
+ // semver.Build(pin) == "") {
+ // return fmt.Errorf("%w: %s: not of the form vX.Y.Z", errorInvalidRef, pin)
+ // }
 return nil
 }
diff --git a/hishtory.go b/hishtory.go
index 3cfc7f2..17a4140 100644
--- a/hishtory.go
+++ b/hishtory.go
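Review bot: The error returned by the new `if ref != "b18a9ec9f79bb22067a9e91d3ddf170e7d9884f8"` check still reads `not of the form 'refs/tags/name'`, which no longer describes what was checked and will send anyone debugging a failed update down the wrong path; use `return fmt.Errorf("%w: %s: builder ref is not the pinned generator commit", errorInvalidRef, ref)`. That single literal is now the only thing standing between "accept any builder ref" and a real bypass, so lift it to a named, commented constant next to the upstream-URL header, e.g. `const pinnedBuilderRef = "b18a9ec9f79bb22067a9e91d3ddf170e7d9884f8" // slsa-github-generator commit the release workflow uses`, so that a future bump is reviewed as a security change rather than a string edit. The commented-out upstream lines can be deleted outright, since the header already records the exact upstream revision to diff against. If `strings` and `semver` are no longer referenced elsewhere in this file the import block must have been pruned as well, which this hunk does not show.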
@@ -90,13 +90,11 @@ func retrieveAdditionalEntriesFromRemote(db *gorm.DB) error {
 if err != nil {
 return fmt.Errorf("failed to load JSON response: %v", err)
 }
- // fmt.Printf("this device id=%s, user id=%s\n", config.DeviceId, data.UserId(config.UserSecret))
 for _, entry := range retrievedEntries {
 decEntry, err := data.DecryptHistoryEntry(config.UserSecret, *entry)
 if err != nil {
 return fmt.Errorf("failed to decrypt history entry from server: %v", err)
 }
- // fmt.Printf("received entry: %#v\n", decEntry)
 lib.AddToDbIfNew(db, decEntry)
 }
 return nil