diff --git a/utils.groovy b/utils.groovy index 1d17d2b..f355816 100644 --- a/utils.groovy +++ b/utils.groovy @@ -63,8 +63,17 @@ def nix_build(String flakeref, String subdir=null) { epoch_seconds = (int) (new Date().getTime() / 1000l) env."BEG_${flakeref_trimmed}_${env.BUILD_TAG}" = epoch_seconds sh "nix build ${flakeref} ${opts}" - // Sign the build result - sign_relpath(flakeref, subdir) + // If the build result is an image, produce a signature file + img_relpath = subdir ? find_img_relpath(flakeref, subdir, abort_on_error='false') : "" + if (img_relpath) { + target_path = "${subdir}/${img_relpath}" + sig_path = "sig/${img_relpath}.sig" + sign_file(target_path, "INT-lenovo-x1-carbon-gen11-debug-x86-64-linux", sig_path) + // Archive signature file alongside the target image + archive_artifacts("sig") + } else { + println "Build result is not an image, skipping image signing" + } // Store the build end time to job's environment epoch_seconds = (int) (new Date().getTime() / 1000l) env."END_${flakeref_trimmed}_${env.BUILD_TAG}" = epoch_seconds @@ -109,11 +118,9 @@ def provenance(String flakeref, String outdir, String flakeref_trimmed) { opts = "--recursive --out ${outdir}/provenance.json" sh "provenance ${flakeref} ${opts}" // Sign the provenance - path="${outdir}/provenance.json" cert="INT-lenovo-x1-carbon-gen11-debug-x86-64-linux" - sigfile="${path}.sig" - sign_file(path, cert, sigfile) - + target_path = "${outdir}/provenance.json" + sign_file(target_path, cert, "${target_path}.sig") } def sbomnix(String tool, String flakeref) { @@ -137,7 +144,7 @@ def sbomnix(String tool, String flakeref) { archive_artifacts("scs") } -def find_img_relpath(String flakeref, String subdir) { +def find_img_relpath(String flakeref, String subdir, String abort_on_error="true") { flakeref_trimmed = "${flakeref_trim(flakeref)}" img_relpath = sh( script: """ @@ -145,9 +152,9 @@ def find_img_relpath(String flakeref, String subdir) { find -L ${flakeref_trimmed} -regex '.*\\.\\(img\\|raw\\|zst\\|iso\\)\$' -print -quit """, returnStdout: true).trim() if (!img_relpath) { - // Error out stopping the pipeline execution if image was not found - println "Error: no image found from '${subdir}/${flakeref_trimmed}'" - sh "exit 1" + println "Warning: no image found from '${subdir}/${flakeref_trimmed}'" + // Error out stopping the pipeline execution if abort_on_error was set + sh "if [ '${abort_on_error}' = 'true' ]; then exit 1; fi" } else { println "Found flakeref '${flakeref}' image '${img_relpath}'" } @@ -156,29 +163,12 @@ def find_img_relpath(String flakeref, String subdir) { def sign_file(String path, String cert, String sigfile) { println "sign_file: ${path} ### ${cert} ### ${sigfile}" - res = sh( + sh( + // 'sign' command from: https://github.com/tiiuae/ci-yubi script: """ - nix run github:tiiuae/ci-yubi#sign -- --path=${path} --cert=${cert} --sigfile=${sigfile} + mkdir -p \$(dirname '${sigfile}') || true + sign --path=${path} --cert=${cert} --sigfile=${sigfile} """, returnStdout: true).trim() - return res -} - -def verify_signature(String path, String cert, String sigfile) { - println "verify_signature: ${path} ### ${cert} ### ${sigfile}" - res = sh( - script: """ - nix run github:tiiuae/ci-yubi#verify -- --path=${path} --cert=${cert} --sigfile=${sigfile} - """, returnStdout: true).trim() - return res -} - -def sign_relpath(String flakeref, String subdir) { - relpath = "$subdir/${find_img_relpath(flakeref, subdir)}" - signame = "${subdir}/${flakeref_trim(flakeref)}.sig" - println "sign_relpath: signame: ${signame}" - res = sign_file(relpath, "INT-lenovo-x1-carbon-gen11-debug-x86-64-linux", signame) - tst = verify_signature(relpath, "INT-lenovo-x1-carbon-gen11-debug-x86-64-linux", signame) - return res } def ghaf_hw_test(String flakeref, String device_config, String jenkins_url, String testset='_boot_') {