Skip to content

Commit ab0b065

Browse files
heitorlessaheitorlessa
authored
chore(security): improve debugging for provenance script (#2784)
chore: improve debugging for provenance script
1 parent c2a237a commit ab0b065

File tree

1 file changed

+44
-21
lines changed

1 file changed

+44
-21
lines changed

.github/actions/verify-provenance/verify_provenance.sh

Lines changed: 44 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -36,35 +36,58 @@ export readonly FILES=("${SLSA_VERIFIER_BINARY}" "${SLSA_VERIFIER_CHECKSUM_FILE}
3636

3737
function debug() {
3838
TIMESTAMP=$(date -u "+%FT%TZ") # 2023-05-10T07:53:59Z
39-
echo ""${TIMESTAMP}" DEBUG - $1"
39+
echo ""${TIMESTAMP}" DEBUG - [*] $1"
4040
}
4141

42-
function download_slsa_verifier() {
43-
debug "[*] Downloading SLSA Verifier for - Binary: slsa-verifier-${OS_NAME}-${ARCHITECTURE}"
44-
curl --location --silent -O "https://github.com/slsa-framework/slsa-verifier/releases/download/v${SLSA_VERIFIER_VERSION}/slsa-verifier-${OS_NAME}-${ARCHITECTURE}"
45-
46-
debug "[*] Downloading SLSA Verifier checksums"
47-
curl --location --silent -O "https://raw.githubusercontent.com/slsa-framework/slsa-verifier/f59b55ef2190581d40fc1a5f3b7a51cab2f4a652/${SLSA_VERIFIER_CHECKSUM_FILE}"
42+
function error() {
43+
cleanup
44+
TIMESTAMP=$(date -u "+%FT%TZ") # 2023-05-10T07:53:59Z
45+
echo ""${TIMESTAMP}" ERROR - [!] $1"
46+
echo ""${TIMESTAMP}" ERROR - [!] exiting"
47+
exit 1
48+
}
4849

49-
debug "[*] Verifying SLSA Verifier binary integrity"
50+
function download_slsa_verifier() {
51+
readonly SLSA_URL="https://github.com/slsa-framework/slsa-verifier/releases/download/v${SLSA_VERIFIER_VERSION}/slsa-verifier-${OS_NAME}-${ARCHITECTURE}"
52+
# debug "Downloading SLSA Verifier for - Binary: slsa-verifier-${OS_NAME}-${ARCHITECTURE}"
53+
debug "Downloading SLSA Verifier binary: ${SLSA_URL}"
54+
curl \
55+
--location \
56+
--fail \
57+
--silent \
58+
-O "${SLSA_URL}" || error "Failed to download SLSA Verifier binary"
59+
60+
readonly SLSA_CHECKSUM_URL="https://raw.githubusercontent.com/slsa-framework/slsa-verifier/f59b55ef2190581d40fc1a5f3b7a51cab2f4a652/${SLSA_VERIFIER_CHECKSUM_FILE}"
61+
debug "Downloading SLSA Verifier checksums"
62+
curl \
63+
--location \
64+
--fail \
65+
--silent \
66+
-O "${SLSA_CHECKSUM_URL}" || error "Failed to download SLSA Verifier binary checksum file"
67+
68+
debug "Verifying SLSA Verifier binary integrity"
5069
CURRENT_HASH=$(sha256sum "${SLSA_VERIFIER_BINARY}" | awk '{print $1}')
5170
if [[ $(grep "${CURRENT_HASH}" "${SLSA_VERIFIER_CHECKSUM_FILE}") ]]; then
52-
debug "[*] SLSA Verifier binary integrity confirmed"
71+
debug "SLSA Verifier binary integrity confirmed"
5372
chmod +x "${SLSA_VERIFIER_BINARY}"
5473
else
55-
debug "[!] Failed integrity check for SLSA Verifier binary: ${SLSA_VERIFIER_BINARY}"
56-
exit 1
74+
error "Failed integrity check for SLSA Verifier binary: ${SLSA_VERIFIER_BINARY}"
5775
fi
5876
}
5977

6078
function download_provenance() {
61-
debug "[*] Downloading attestation for - Release: https://github.com/${ORG}/${REPO}/releases/v${RELEASE_VERSION}"
62-
63-
curl --location --silent -O "https://github.com/${ORG}/${REPO}/releases/download/v${RELEASE_VERSION}/${PROVENANCE_FILE}"
79+
readonly PROVENANCE_URL="https://github.com/${ORG}/${REPO}/releases/download/v${RELEASE_VERSION}/${PROVENANCE_FILE}"
80+
debug "Downloading attestation: ${PROVENANCE_URL}"
81+
82+
curl \
83+
--location \
84+
--fail \
85+
--silent \
86+
-O ${PROVENANCE_URL} || error "Failed to download provenance. Does the release already exist?"
6487
}
6588

6689
function download_release_artifact() {
67-
debug "[*] Downloading ${RELEASE_VERSION} release from PyPi"
90+
debug "Downloading ${RELEASE_VERSION} release from PyPi"
6891
python -m pip download \
6992
--only-binary=:all: \
7093
--no-deps \
@@ -73,19 +96,19 @@ function download_release_artifact() {
7396
}
7497

7598
function verify_provenance() {
76-
debug "[*] Verifying attestation with slsa-verifier"
99+
debug "Verifying attestation with slsa-verifier"
77100
"${SLSA_VERIFIER_BINARY}" verify-artifact \
78101
--provenance-path "${PROVENANCE_FILE}" \
79102
--source-uri github.com/${ORG}/${REPO} \
80103
${RELEASE_BINARY}
81104
}
82105

83106
function cleanup() {
84-
debug "[*] Cleaning up previously downloaded files"
85-
rm "${SLSA_VERIFIER_BINARY}"
86-
rm "${SLSA_VERIFIER_CHECKSUM_FILE}"
87-
rm "${PROVENANCE_FILE}"
88-
rm "${RELEASE_BINARY}"
107+
debug "Cleaning up previously downloaded files"
108+
rm -f "${SLSA_VERIFIER_BINARY}"
109+
rm -f "${SLSA_VERIFIER_CHECKSUM_FILE}"
110+
rm -f "${PROVENANCE_FILE}"
111+
rm -f "${RELEASE_BINARY}"
89112
echo "${FILES[@]}" | xargs -n1 echo "Removed file: "
90113
}
91114

0 commit comments

Comments
 (0)