Add signing to utils script

- Add sign file function - Add sign relpath function - Add signing to nix build - Add signing to provenance TODO: - Get rid of hardcoded certificate name Signed-off-by: Aleksandr Tserepov-Savolainen <[email protected]>
tiiuae · Sep 2, 2024 · ef9f404 · ef9f404
1 parent 112836a
commit ef9f404
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/utils.groovy b/utils.groovy
@@ -63,6 +63,8 @@ def nix_build(String flakeref, String subdir=null) {
     epoch_seconds = (int) (new Date().getTime() / 1000l)
     env."BEG_${flakeref_trimmed}_${env.BUILD_TAG}" = epoch_seconds
     sh "nix build ${flakeref} ${opts}"
+    // Sign the build result
+    sign_relpath(flakeref, subdir)
     // Store the build end time to job's environment
     epoch_seconds = (int) (new Date().getTime() / 1000l)
     env."END_${flakeref_trimmed}_${env.BUILD_TAG}" = epoch_seconds
@@ -106,6 +108,12 @@ def provenance(String flakeref, String outdir, String flakeref_trimmed) {
     """
     opts = "--recursive --out ${outdir}/provenance.json"
     sh "provenance ${flakeref} ${opts}"
+    // Sign the provenance
+    path="${outdir}/provenance.json"
+    cert="INT-lenovo-x1-carbon-gen11-debug-x86-64-linux"
+    sigfile="${path}.sig"
+    sign_file(path, cert, sigfile)
+
 }
 
 def sbomnix(String tool, String flakeref) {
@@ -146,6 +154,33 @@ def find_img_relpath(String flakeref, String subdir) {
   return img_relpath
 }
 
+def sign_file(String path, String cert, String sigfile) {
+  println "sign_file: ${path} ### ${cert} ### ${sigfile}"
+  res = sh(
+    script: """
+      nix run github:tiiuae/ci-yubi#sign -- --path=${path} --cert=${cert} --sigfile=${sigfile}
+    """, returnStdout: true).trim()
+    return res
+}
+
+def verify_signature(String path, String cert, String sigfile) {
+  println "verify_signature: ${path} ### ${cert} ### ${sigfile}"
+  res = sh(
+    script: """
+      nix run github:tiiuae/ci-yubi#verify -- --path=${path} --cert=${cert} --sigfile=${sigfile}
+    """, returnStdout: true).trim()
+  return res
+}
+
+def sign_relpath(String flakeref, String subdir) {
+  relpath = "$subdir/${find_img_relpath(flakeref, subdir)}"
+  signame = "${subdir}/${flakeref_trim(flakeref)}.sig"
+  println "sign_relpath: signame: ${signame}"
+  res = sign_file(relpath, "INT-lenovo-x1-carbon-gen11-debug-x86-64-linux", signame)
+  tst = verify_signature(relpath, "INT-lenovo-x1-carbon-gen11-debug-x86-64-linux", signame)
+  return res
+}
+
 def ghaf_hw_test(String flakeref, String device_config, String jenkins_url, String testset='_boot_') {
   testagent_nodes = nodesByLabel(label: 'testagent', offline: false)
   if (!testagent_nodes) {