Patch vendored slsa verifier and fix updates

client/lib/lib.go

@@ -537,7 +537,7 @@ func Update() error {
 	if runtime.GOOS == "darwin" {
 		err = verifyBinaryMac("/tmp/hishtory-client", downloadData)
 	} else {
-		err = verifyBinary("/tmp/hishtory-client", "/tmp/hishtory-client.intoto.jsonl", downloadData.Version+"-"+runtime.GOOS+"-"+runtime.GOARCH)
+		err = verifyBinary("/tmp/hishtory-client", "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
 	}
 	if err != nil {
 		return fmt.Errorf("failed to verify SLSA provenance of the updated binary, aborting update: %v", err)
@@ -618,7 +618,7 @@ func verifyBinaryMac(binaryPath string, downloadData shared.UpdateInfo) error {
 	}
 
 	// Step 4: Use SLSA to verify the unsigned binary
-	return verifyBinary(unsignedBinaryPath, "/tmp/hishtory-client.intoto.jsonl", downloadData.Version+"-"+runtime.GOOS+"-"+runtime.GOARCH)
+	return verifyBinary(unsignedBinaryPath, "/tmp/hishtory-client.intoto.jsonl", downloadData.Version)
 }
 
 func assertIdenticalBinaries(bin1Path, bin2Path string) error {

client/lib/slsa.go

@@ -52,16 +52,14 @@ func verify(provenance []byte, artifactHash, source, branch, versionTag string)
 	}
 
 	// Verify the workflow identity.
-	fmt.Printf("source=%#v, workflowInfo=%#v\n", source, workflowInfo)
 	if err := slsa_verifier.VerifyWorkflowIdentity(workflowInfo, source); err != nil {
 		return fmt.Errorf("failed to verify workflow identity: %v", err)
 	}
 
 	// Verify the branch.
-	// TODO: This started failing for some reason? base_ref was null
-	// if err := pkg.VerifyBranch(env, branch); err != nil {
-	// 	return err
-	// }
+	if err := slsa_verifier.VerifyBranch(env, branch); err != nil {
+		return err
+	}
 
 	// Verify the tag.
 	if err := slsa_verifier.VerifyTag(env, versionTag); err != nil {

client/vndor/slsa_verifier/provenance.go

@@ -2,6 +2,8 @@ package slsa_verifier
 
 // Copied from https://raw.githubusercontent.com/slsa-framework/slsa-verifier/c80938e29877e4c71984f626dc102b79667f4fe6/pkg/provenance.go
 // Apache 2.0 licensed: https://github.com/slsa-framework/slsa-verifier/blob/c80938e29877e4c71984f626dc102b79667f4fe6/LICENSE
+// This has the small tweak to make it possible to use the SLSA generator from non-head. To ensure this isn't a
+// security vulnerability we hardcode the hash that we expect.
 
 import (
 	"bytes"
@@ -432,18 +434,19 @@ func verifyTrustedBuilderRef(id *WorkflowIdentity, ref string) error {
 		return nil
 	}
 
-	if !strings.HasPrefix(ref, "refs/tags/") {
+	// if !strings.HasPrefix(ref, "refs/tags/") {
+	if ref != "b18a9ec9f79bb22067a9e91d3ddf170e7d9884f8" {
 		return fmt.Errorf("%w: %s: not of the form 'refs/tags/name'", errorInvalidRef, ref)
 	}
 
 	// Valid semver of the form vX.Y.Z with no metadata.
-	pin := strings.TrimPrefix(ref, "refs/tags/")
-	if !(semver.IsValid(pin) &&
-		len(strings.Split(pin, ".")) == 3 &&
-		semver.Prerelease(pin) == "" &&
-		semver.Build(pin) == "") {
-		return fmt.Errorf("%w: %s: not of the form vX.Y.Z", errorInvalidRef, pin)
-	}
+	// pin := strings.TrimPrefix(ref, "refs/tags/")
+	// if !(semver.IsValid(pin) &&
+	// 	len(strings.Split(pin, ".")) == 3 &&
+	// 	semver.Prerelease(pin) == "" &&
+	// 	semver.Build(pin) == "") {
+	// 	return fmt.Errorf("%w: %s: not of the form vX.Y.Z", errorInvalidRef, pin)
+	// }
 	return nil
 }
 

hishtory.go

@@ -90,13 +90,11 @@ func retrieveAdditionalEntriesFromRemote(db *gorm.DB) error {
 	if err != nil {
 		return fmt.Errorf("failed to load JSON response: %v", err)
 	}
-	// fmt.Printf("this device id=%s, user id=%s\n", config.DeviceId, data.UserId(config.UserSecret))
 	for _, entry := range retrievedEntries {
 		decEntry, err := data.DecryptHistoryEntry(config.UserSecret, *entry)
 		if err != nil {
 			return fmt.Errorf("failed to decrypt history entry from server: %v", err)
 		}
-		// fmt.Printf("received entry: %#v\n", decEntry)
 		lib.AddToDbIfNew(db, decEntry)
 	}
 	return nil