Add verification

laurentsimon · laurentsimon · commit d567fb3bb339 · 2022-08-10T22:57:02.000Z
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -11,8 +11,12 @@ on:
         required: false
         type: boolean
         default: true
+
+permissions: read-all
+
 env:
   GO_VERSION: 1.18.4
+
 jobs:
   build:
     outputs:
@@ -68,6 +72,8 @@ jobs:
   release:
     needs: [build, provenance]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       # Download binaries and license.
       - uses: actions/download-artifact@v3
@@ -77,11 +83,45 @@ jobs:
       - uses: actions/download-artifact@v3
         with:
           name: "${{ needs.provenance.outputs.attestation-name }}"
-      # Verify binaries if dry run
+      # Verify binaries.
       - name: Verify binaries
-        if: 'inputs.dry-run' 
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PROVENANCE: "${{ needs.provenance.outputs.attestation-name }}"
         run: |
-          echo TODO: verify with slsa-verifier
+          set -euo pipefail
+
+          # Download the verifier. This will be replaced by the GHA.
+          gh -R slsa-framework/slsa-verifier release download v1.2.0 -p "slsa-verifier-linux-amd64"
+
+          # Note: see https://github.com/slsa-framework/slsa-verifier/blob/main/SHA256SUM.md
+          COMPUTED_HASH=$(sha256sum slsa-verifier-linux-amd64 | cut -d ' ' -f1)
+          EXPECTED_HASH="37db23392c7918bb4e243cdb097ed5f9d14b9b965dc1905b25bc2d1c0c91bf3d"
+          if [[ "$EXPECTED_HASH" != "$COMPUTED_HASH" ]];then
+              echo "error: expected $EXPECTED_HASH, computed $COMPUTED_HASH"
+              exit 1
+          fi
+          chmod ug+x slsa-verifier-linux-amd64
+
+          # Verify all files, except LICENSE, .sha256 and checksums.txt files.
+          rm LICENSE *.sha256 checksums.txt
+          for f in *;
+          do
+              if [[ "$f" == "attestation.intoto.jsonl" ]] || [[ "$f" == "slsa-verifier-linux-amd64" ]]; then
+                continue
+              fi
+
+              echo "verifying $f"
+              ./slsa-verifier-linux-amd64 -artifact-path "$f" \
+                                      -provenance "$PROVENANCE" \
+                                      -source "github.com/$GITHUB_REPOSITORY" \
+                                      -branch v2
+
+          done
+
+          # The slsa verifier is not part of the project.
+          rm ./slsa-verifier-linux-amd64
+
       # Upload to release.
       - uses: ncipollo/release-action@v1
         if: '! inputs.dry-run'
