Improve signing utils

This commit makes the following changes: - `nix_build` only generates signatures for images. It can still be called for targets that don't produce images, in which case the call to `sign_file` is skipped. - Remove `sign_relpath`, instead, directly call the `sign_file` from the `nix_build` for image outputs. - Remove unused return value from the `sign_file` function. - Remove `verify_signature` function which is now unused. - Use the ci-yubi/sign tool version already available in jenkins PATH. Signed-off-by: Henri Rosten <[email protected]>
tiiuae · Sep 3, 2024 · f5c4d99 · f5c4d99
1 parent ef9f404
commit f5c4d99
Showing 1 changed file with 21 additions and 31 deletions.
diff --git a/utils.groovy b/utils.groovy
@@ -63,8 +63,17 @@ def nix_build(String flakeref, String subdir=null) {
     epoch_seconds = (int) (new Date().getTime() / 1000l)
     env."BEG_${flakeref_trimmed}_${env.BUILD_TAG}" = epoch_seconds
     sh "nix build ${flakeref} ${opts}"
-    // Sign the build result
-    sign_relpath(flakeref, subdir)
+    // If the build result is an image, produce a signature file
+    img_relpath = subdir ? find_img_relpath(flakeref, subdir, abort_on_error='false') : ""
+    if (img_relpath) {
+      target_path = "${subdir}/${img_relpath}"
+      sig_path = "sig/${img_relpath}.sig"
+      sign_file(target_path, "INT-lenovo-x1-carbon-gen11-debug-x86-64-linux", sig_path)
+      // Archive signature file alongside the target image
+      archive_artifacts("sig")
+    } else {
+      println "Build result is not an image, skipping image signing"
+    }
     // Store the build end time to job's environment
     epoch_seconds = (int) (new Date().getTime() / 1000l)
     env."END_${flakeref_trimmed}_${env.BUILD_TAG}" = epoch_seconds
@@ -109,11 +118,9 @@ def provenance(String flakeref, String outdir, String flakeref_trimmed) {
     opts = "--recursive --out ${outdir}/provenance.json"
     sh "provenance ${flakeref} ${opts}"
     // Sign the provenance
-    path="${outdir}/provenance.json"
     cert="INT-lenovo-x1-carbon-gen11-debug-x86-64-linux"
-    sigfile="${path}.sig"
-    sign_file(path, cert, sigfile)
-
+    target_path = "${outdir}/provenance.json"
+    sign_file(target_path, cert, "${target_path}.sig")
 }
 
 def sbomnix(String tool, String flakeref) {
@@ -137,17 +144,17 @@ def sbomnix(String tool, String flakeref) {
   archive_artifacts("scs")
 }
 
-def find_img_relpath(String flakeref, String subdir) {
+def find_img_relpath(String flakeref, String subdir, String abort_on_error="true") {
   flakeref_trimmed = "${flakeref_trim(flakeref)}"
   img_relpath = sh(
     script: """
       cd ${subdir} && \
       find -L ${flakeref_trimmed} -regex '.*\\.\\(img\\|raw\\|zst\\|iso\\)\$' -print -quit
     """, returnStdout: true).trim()
   if (!img_relpath) {
-    // Error out stopping the pipeline execution if image was not found
-    println "Error: no image found from '${subdir}/${flakeref_trimmed}'"
-    sh "exit 1"
+    println "Warning: no image found from '${subdir}/${flakeref_trimmed}'"
+    // Error out stopping the pipeline execution if abort_on_error was set
+    sh "if [ '${abort_on_error}' = 'true' ]; then exit 1; fi"
   } else {
     println "Found flakeref '${flakeref}' image '${img_relpath}'"
   }
@@ -156,29 +163,12 @@ def find_img_relpath(String flakeref, String subdir) {
 
 def sign_file(String path, String cert, String sigfile) {
   println "sign_file: ${path} ### ${cert} ### ${sigfile}"
-  res = sh(
+  sh(
+    // 'sign' command from: https://github.com/tiiuae/ci-yubi
     script: """
-      nix run github:tiiuae/ci-yubi#sign -- --path=${path} --cert=${cert} --sigfile=${sigfile}
+      mkdir -p \$(dirname '${sigfile}') || true
+      sign --path=${path} --cert=${cert} --sigfile=${sigfile}
     """, returnStdout: true).trim()
-    return res
-}
-
-def verify_signature(String path, String cert, String sigfile) {
-  println "verify_signature: ${path} ### ${cert} ### ${sigfile}"
-  res = sh(
-    script: """
-      nix run github:tiiuae/ci-yubi#verify -- --path=${path} --cert=${cert} --sigfile=${sigfile}
-    """, returnStdout: true).trim()
-  return res
-}
-
-def sign_relpath(String flakeref, String subdir) {
-  relpath = "$subdir/${find_img_relpath(flakeref, subdir)}"
-  signame = "${subdir}/${flakeref_trim(flakeref)}.sig"
-  println "sign_relpath: signame: ${signame}"
-  res = sign_file(relpath, "INT-lenovo-x1-carbon-gen11-debug-x86-64-linux", signame)
-  tst = verify_signature(relpath, "INT-lenovo-x1-carbon-gen11-debug-x86-64-linux", signame)
-  return res
 }
 
 def ghaf_hw_test(String flakeref, String device_config, String jenkins_url, String testset='_boot_') {