mirror of
https://github.com/ddworken/hishtory.git
synced 2024-12-01 20:53:13 +01:00
Patch vendored slsa verifier and fix updates
This commit is contained in:
parent
e638b9795b
commit
de15305fb5
@ -537,7 +537,7 @@ func Update() error {
|
|||||||
if runtime.GOOS == "darwin" {
|
if runtime.GOOS == "darwin" {
|
||||||
err = verifyBinaryMac("/tmp/hishtory-client", downloadData)
|
err = verifyBinaryMac("/tmp/hishtory-client", downloadData)
|
||||||
} else {
|
} else {
|
||||||
err = verifyBinary("/tmp/hishtory-client", "/tmp/hishtory-client.intoto.jsonl", downloadData.Version+"-"+runtime.GOOS+"-"+runtime.GOARCH)
|
err = verifyBinary("/tmp/hishtory-client", "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
|
||||||
}
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to verify SLSA provenance of the updated binary, aborting update: %v", err)
|
return fmt.Errorf("failed to verify SLSA provenance of the updated binary, aborting update: %v", err)
|
||||||
@ -618,7 +618,7 @@ func verifyBinaryMac(binaryPath string, downloadData shared.UpdateInfo) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Step 4: Use SLSA to verify the unsigned binary
|
// Step 4: Use SLSA to verify the unsigned binary
|
||||||
return verifyBinary(unsignedBinaryPath, "/tmp/hishtory-client.intoto.jsonl", downloadData.Version+"-"+runtime.GOOS+"-"+runtime.GOARCH)
|
return verifyBinary(unsignedBinaryPath, "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
|
||||||
}
|
}
|
||||||
|
|
||||||
func assertIdenticalBinaries(bin1Path, bin2Path string) error {
|
func assertIdenticalBinaries(bin1Path, bin2Path string) error {
|
||||||
|
@ -52,16 +52,14 @@ func verify(provenance []byte, artifactHash, source, branch, versionTag string)
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Verify the workflow identity.
|
// Verify the workflow identity.
|
||||||
fmt.Printf("source=%#v, workflowInfo=%#v\n", source, workflowInfo)
|
|
||||||
if err := slsa_verifier.VerifyWorkflowIdentity(workflowInfo, source); err != nil {
|
if err := slsa_verifier.VerifyWorkflowIdentity(workflowInfo, source); err != nil {
|
||||||
return fmt.Errorf("failed to verify workflow identity: %v", err)
|
return fmt.Errorf("failed to verify workflow identity: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Verify the branch.
|
// Verify the branch.
|
||||||
// TODO: This started failing for some reason? base_ref was null
|
if err := slsa_verifier.VerifyBranch(env, branch); err != nil {
|
||||||
// if err := pkg.VerifyBranch(env, branch); err != nil {
|
return err
|
||||||
// return err
|
}
|
||||||
// }
|
|
||||||
|
|
||||||
// Verify the tag.
|
// Verify the tag.
|
||||||
if err := slsa_verifier.VerifyTag(env, versionTag); err != nil {
|
if err := slsa_verifier.VerifyTag(env, versionTag); err != nil {
|
||||||
|
@ -2,6 +2,8 @@ package slsa_verifier
|
|||||||
|
|
||||||
// Copied from https://raw.githubusercontent.com/slsa-framework/slsa-verifier/c80938e29877e4c71984f626dc102b79667f4fe6/pkg/provenance.go
|
// Copied from https://raw.githubusercontent.com/slsa-framework/slsa-verifier/c80938e29877e4c71984f626dc102b79667f4fe6/pkg/provenance.go
|
||||||
// Apache 2.0 licensed: https://github.com/slsa-framework/slsa-verifier/blob/c80938e29877e4c71984f626dc102b79667f4fe6/LICENSE
|
// Apache 2.0 licensed: https://github.com/slsa-framework/slsa-verifier/blob/c80938e29877e4c71984f626dc102b79667f4fe6/LICENSE
|
||||||
|
// This has the small tweak to make it possible to use the SLSA generator from non-head. To ensure this isn't a
|
||||||
|
// security vulnerability we hardcode the hash that we expect.
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
@ -432,18 +434,19 @@ func verifyTrustedBuilderRef(id *WorkflowIdentity, ref string) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
if !strings.HasPrefix(ref, "refs/tags/") {
|
// if !strings.HasPrefix(ref, "refs/tags/") {
|
||||||
|
if ref != "b18a9ec9f79bb22067a9e91d3ddf170e7d9884f8" {
|
||||||
return fmt.Errorf("%w: %s: not of the form 'refs/tags/name'", errorInvalidRef, ref)
|
return fmt.Errorf("%w: %s: not of the form 'refs/tags/name'", errorInvalidRef, ref)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Valid semver of the form vX.Y.Z with no metadata.
|
// Valid semver of the form vX.Y.Z with no metadata.
|
||||||
pin := strings.TrimPrefix(ref, "refs/tags/")
|
// pin := strings.TrimPrefix(ref, "refs/tags/")
|
||||||
if !(semver.IsValid(pin) &&
|
// if !(semver.IsValid(pin) &&
|
||||||
len(strings.Split(pin, ".")) == 3 &&
|
// len(strings.Split(pin, ".")) == 3 &&
|
||||||
semver.Prerelease(pin) == "" &&
|
// semver.Prerelease(pin) == "" &&
|
||||||
semver.Build(pin) == "") {
|
// semver.Build(pin) == "") {
|
||||||
return fmt.Errorf("%w: %s: not of the form vX.Y.Z", errorInvalidRef, pin)
|
// return fmt.Errorf("%w: %s: not of the form vX.Y.Z", errorInvalidRef, pin)
|
||||||
}
|
// }
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -90,13 +90,11 @@ func retrieveAdditionalEntriesFromRemote(db *gorm.DB) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to load JSON response: %v", err)
|
return fmt.Errorf("failed to load JSON response: %v", err)
|
||||||
}
|
}
|
||||||
// fmt.Printf("this device id=%s, user id=%s\n", config.DeviceId, data.UserId(config.UserSecret))
|
|
||||||
for _, entry := range retrievedEntries {
|
for _, entry := range retrievedEntries {
|
||||||
decEntry, err := data.DecryptHistoryEntry(config.UserSecret, *entry)
|
decEntry, err := data.DecryptHistoryEntry(config.UserSecret, *entry)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to decrypt history entry from server: %v", err)
|
return fmt.Errorf("failed to decrypt history entry from server: %v", err)
|
||||||
}
|
}
|
||||||
// fmt.Printf("received entry: %#v\n", decEntry)
|
|
||||||
lib.AddToDbIfNew(db, decEntry)
|
lib.AddToDbIfNew(db, decEntry)
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
|
Loading…
Reference in New Issue
Block a user