Add signing to utils script #58
Conversation
- Add sign file function - Add sign relpath function - Add signing to nix build - Add signing to provenance TODO: - Get rid of hardcoded certificate name Signed-off-by: Aleksandr Tserepov-Savolainen <[email protected]>
There is a parallel build example with configuration map here: Correct certificate / target could be configured maybe similarly in Jenkinsfile. |
utils.groovy
Outdated
| @@ -106,6 +108,12 @@ def provenance(String flakeref, String outdir, String flakeref_trimmed) { | |||
| """ | |||
| opts = "--recursive --out ${outdir}/provenance.json" | |||
| sh "provenance ${flakeref} ${opts}" | |||
| // Sign the provenance | |||
| path="${outdir}/provenance.json" | |||
| cert="INT-lenovo-x1-carbon-gen11-debug-x86-64-linux" | |||
There was a problem hiding this comment.
As you wrote, we should not hardcode this.
There was a problem hiding this comment.
Absolutely. This will be replaced with target handling in later versions. For now we have to hardcode. Though, if you prefer it this way, I'm fine implementing target selector within the scope of this PR.
There was a problem hiding this comment.
I would go with more complete implementation already now, unless there's a good reason not to. I'm not sure how you are planning to do this, but if takes days or more then maybe go with this temporary version first.
There was a problem hiding this comment.
This is pending @alextserepov, I guess the main options now are:
- For this first version, we just sign everything with "INT-lenovo-x1-carbon-gen11-debug-x86-64-linux" (which is what it now does).
- For now, we introduce a new common certificate e.g. "INT-common" (just an example), and change this PR so that everything would be signed with that new 'common' certificate.
- We introduce certificates for all targets we are planning to build for the next Ghaf release, and use a separate certificate for each target. At this point, it's still unclear (to me at least) what are the exact targets we are going to build for the Ghaf release, and thus, what would be all the certificates we would have to make available in the Azure certificate storage.
There was a problem hiding this comment.
Discussed with @alextserepov that we would go with above option (2) initially, see commit 3d85d00.
The new common certificate still needs to be properly setup in Azure certificate storage, so we can't merge this yet.
Thanks! I will look into it. |
We surely can. I'm more of a "small change PR" kind of guy, but well, we surely can make this world 10 times better within this PR. ;) |
henrirosten
force-pushed
the
add-signing-to-utils
branch
from
4a1a27a to
86f51b0
Compare
This commit makes the following changes: - `nix_build` only generates signatures for images. It can still be called for targets that don't produce images, in which case the call to `sign_file` is skipped. - Remove `sign_relpath`, instead, directly call the `sign_file` from the `nix_build` for image outputs. - Remove unused return value from the `sign_file` function. - Remove `verify_signature` function which is now unused. - Use the ci-yubi/sign tool version already available in jenkins PATH. Signed-off-by: Henri Rosten <[email protected]>
henrirosten
force-pushed
the
add-signing-to-utils
branch
from
86f51b0 to
f5c4d99
Compare
Signed-off-by: Henri Rosten <[email protected]>
Output an error if signing fails, but don't fail the build. This is needed to make it possible to run the builds from private test environments without requiring the signing step to pass. Signed-off-by: Henri Rosten <[email protected]>
TODO: