Add check for incorrect 'requirements' key in CodeSignatureVerifier

homebysix · homebysix · commit e7f32051c16c · 2021-01-18T16:23:11.000-08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,11 @@
 All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/).
 
 
+## [1.8.2] - 2021-01-18
+
+### Added
+- Added check for unexpected processor arguments in CodeSignatureVerifier.
+
 ## [1.8.1] - 2020-12-08
 
 ### Removed
@@ -201,7 +206,8 @@ All notable changes to this project will be documented in this file. This projec
 - Initial release
 
 
-[Unreleased]: https://github.com/homebysix/pre-commit-macadmin/compare/v1.8.1...HEAD
+[Unreleased]: https://github.com/homebysix/pre-commit-macadmin/compare/v1.8.2...HEAD
+[1.8.2]: https://github.com/homebysix/pre-commit-macadmin/compare/v1.8.1...v1.8.2
 [1.8.1]: https://github.com/homebysix/pre-commit-macadmin/compare/v1.8.0...v1.8.1
 [1.8.0]: https://github.com/homebysix/pre-commit-macadmin/compare/v1.7.0...v1.8.0
 [1.7.0]: https://github.com/homebysix/pre-commit-macadmin/compare/v1.6.2...v1.7.0
diff --git a/pre_commit_hooks/check_autopkg_recipes.py b/pre_commit_hooks/check_autopkg_recipes.py
@@ -148,6 +148,26 @@ def validate_endofcheckphase(process, filename):
     return passed
 
 
+def validate_codesignatureverifier(process, filename):
+    """Ensure CodeSignatureVerifier uses correct arguments."""
+
+    passed = True
+    csv_args = [
+        x.get("Arguments")
+        for x in process
+        if x.get("Processor") == "CodeSignatureVerifier"
+    ]
+    if csv_args:
+        if "requirements" in csv_args[0]:
+            print(
+                '{}: Found unexpected key "{}" in '
+                "CodeSignatureVerifier arguments.".format(filename, "requirements")
+            )
+            passed = False
+
+    return passed
+
+
 def validate_minimumversion(process, min_vers, ignore_min_vers_before, filename):
     """Ensure MinimumVersion is set appropriately for the processors used."""
 
@@ -462,6 +482,9 @@ def main(argv=None):
             if not validate_endofcheckphase(process, filename):
                 retval = 1
 
+            if not validate_codesignatureverifier(process, filename):
+                retval = 1
+
             if not validate_no_var_in_app_path(process, filename):
                 retval = 1
 
