Fix source-mod check (#3439)

* Fix source-mod check

* Fix stderr

* make handling robust

.github/workflows/builder.yml

@@ -160,7 +160,7 @@ jobs:
         id: dirhash
         run: |
           pip3 install dirhash
-          dir_hash="$(dirhash "${{ github.workspace }}" -a sha256 --match "*.py")"
+          dir_hash="$(dirhash "${{ github.workspace }}/supervisor" -a sha256 --match "*.py")"
           echo "::set-output name=dirhash::${dir_hash}"
 
       - name: Set version
@@ -169,7 +169,7 @@ jobs:
         with:
           type: ${{ env.BUILD_TYPE }}
 
-      - name: Signing image
+      - name: Signing Source
         if: needs.init.outputs.publish == 'true'
         uses: home-assistant/actions/helpers/codenotary@master
         with:

supervisor/resolution/evaluations/source_mods.py

@@ -9,7 +9,7 @@ from ...utils.codenotary import calc_checksum_path_sourcecode
 from ..const import UnsupportedReason
 from .base import EvaluateBase
 
-_SUPERVISOR_SOURCE = Path("/usr/src/supervisor")
+_SUPERVISOR_SOURCE = Path("/usr/src/supervisor/supervisor")
 _LOGGER: logging.Logger = logging.getLogger(__name__)
 
 

supervisor/utils/codenotary.py

@@ -21,7 +21,6 @@ _CAS_CMD: str = (
 _CACHE: set[tuple[str, str]] = set()
 
 
-_ATTR_ERROR: Final = "error"
 _ATTR_STATUS: Final = "status"
 
 
@@ -55,12 +54,12 @@ async def cas_validate(
             *command,
             stdin=asyncio.subprocess.DEVNULL,
             stdout=asyncio.subprocess.PIPE,
-            stderr=asyncio.subprocess.DEVNULL,
+            stderr=asyncio.subprocess.PIPE,
             env=clean_env(),
         )
 
         async with async_timeout.timeout(10):
-            data, _ = await proc.communicate()
+            data, error = await proc.communicate()
     except OSError as err:
         raise CodeNotaryError(
             f"CodeNotary fatal error: {err!s}", _LOGGER.critical
@@ -70,6 +69,16 @@ async def cas_validate(
             "Timeout while processing CodeNotary", _LOGGER.error
         ) from None
 
+    # Check if Notarized
+    if proc.returncode != 0 and not data:
+        if error:
+            error = error.decode("utf-8")
+            if "not notarized" in error:
+                raise CodeNotaryUntrusted()
+        else:
+            error = "Unknown CodeNotary backend issue"
+        raise CodeNotaryBackendError(error, _LOGGER.warning)
+
     # Parse data
     try:
         data_json = json.loads(data)
@@ -79,9 +88,6 @@ async def cas_validate(
             f"Can't parse CodeNotary output: {data!s} - {err!s}", _LOGGER.error
         ) from err
 
-    if _ATTR_ERROR in data_json:
-        raise CodeNotaryBackendError(data_json[_ATTR_ERROR], _LOGGER.warning)
-
     if data_json[_ATTR_STATUS] == 0:
         _CACHE.add((checksum, signer))
     else:

tests/utils/test_codenotary.py

@@ -1,7 +1,9 @@
 """Test CodeNotary."""
 
+import pytest
 
-from supervisor.utils.codenotary import calc_checksum
+from supervisor.exceptions import CodeNotaryUntrusted
+from supervisor.utils.codenotary import calc_checksum, cas_validate
 
 
 def test_checksum_calc():
@@ -11,3 +13,20 @@ def test_checksum_calc():
         calc_checksum("test")
         == "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
     )
+
+
+async def test_valid_checksum():
+    """Test a valid autorization."""
+    await cas_validate(
+        "notary@home-assistant.io",
+        "4434a33ff9c695e870bc5bbe04230ea3361ecf4c129eb06133dd1373975a43f0",
+    )
+
+
+async def test_invalid_checksum():
+    """Test a invalid autorization."""
+    with pytest.raises(CodeNotaryUntrusted):
+        await cas_validate(
+            "notary@home-assistant.io",
+            "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+        )